From: Tejun Heo
To: lizefan@huawei.com, hannes@cmpxchg.org
Cc: cgroups@vger.kernel.org, linux-kernel@vger.kernel.org, kernel-team@fb.com
Subject: [PATCHSET cgroup/for-4.2] cgroup: require write perm on common ancestor for migration
Date: Tue, 16 Jun 2015 15:10:13 -0400
Message-Id: <1434481817-32001-1-git-send-email-tj@kernel.org>

Hello,

On traditional hierarchies, if a task has write access to "tasks" or
"cgroup.procs" file of a cgroup and its euid agrees with the target,
it can move the target to the cgroup; however, this allows a delegatee
to smuggle processes across disjoint sub-hierarchies violating the
organizational structure and resource restrictions imposed from higher
up.

To prevent these breaches, this patchset makes unified hierarchy
require write access to cgroup.procs of the common ancestor of the
source and destination cgroups.  It also adds documentation on how
delegation of sub-hierarchies should be done on unified hierarchy.

This patchset contains the following four patches.

 0001-kernfs-make-kernfs_get_inode-public.patch
 0002-cgroup-separate-out-cgroup_procs_write_permission-fr.patch
 0003-cgroup-require-write-perm-on-common-ancestor-when-mo.patch
 0004-cgroup-add-delegation-section-to-unified-hierarchy-d.patch

0001-0002 are prep patches.  0003 implements the common ancestor rule
and 0004 documents delegation on unified hierarchy.

This patchset is on top of cgroup/for-4.2 4d205676c102 ("MAINTAINERS:
add a cgroup core co-maintainer") and available in the following git
branch.

 git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup.git review-cgroup-delegation

diffstat follows.  Thanks.

 Documentation/cgroups/unified-hierarchy.txt |  102 +++++++++++++++++++++++-----
 fs/kernfs/kernfs-internal.h                 |    1
 include/linux/cgroup-defs.h                 |    1
 include/linux/kernfs.h                      |    5 +
 kernel/cgroup.c                             |   64 +++++++++++++----
 5 files changed, 139 insertions(+), 34 deletions(-)

--
tejun
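
The migration rule described in the cover letter above, as an added example that is not code from the patchset or the kernel: a user-space C model comparing the traditional check with the common-ancestor check. The cgroup paths, the delegated subtrees and all function names are constructed for illustration; the euid check is left out.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Length of the common-ancestor prefix of two normalized absolute cgroup
 * paths. Matching is per component: "/a/b" and "/a/bc" share only "/a". */
static size_t ancestor_len(const char *src, const char *dst)
{
    size_t i = 0, last = 0;
    for (;;) {
        /* Both paths end a component here: [0, i) names a shared cgroup. */
        if ((src[i] == '/' || !src[i]) && (dst[i] == '/' || !dst[i]))
            last = i;
        if (src[i] == '\0' || src[i] != dst[i])
            break;
        i++;
    }
    return last ? last : 1;     /* nothing shared: the root "/" */
}

/* Constructed permission model: the delegatee may write cgroup.procs of any
 * cgroup at or below one of the n delegated (non-root) subtrees in deleg[]. */
static bool writable(const char *p, size_t len, const char **deleg, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        size_t r = strlen(deleg[i]);
        if (len >= r && !strncmp(p, deleg[i], r) && (len == r || p[r] == '/'))
            return true;
    }
    return false;
}

/* Traditional rule: the destination must be writable. Unified rule: the
 * common ancestor of source and destination must be writable as well. */
static bool may_migrate(const char *src, const char *dst,
                        const char **deleg, size_t n, bool unified)
{
    return writable(dst, strlen(dst), deleg, n) &&
           (!unified || writable(src, ancestor_len(src, dst), deleg, n));
}

int main(void)
{
    const char *d[] = { "/web/user", "/batch/user" };   /* constructed */
    printf("traditional=%d unified=%d\n",
           may_migrate("/web/user/job", "/batch/user/job", d, 2, false),
           may_migrate("/web/user/job", "/batch/user/job", d, 2, true));
    return 0;
}
```

The move between the two delegated subtrees passes the traditional check but fails the unified one, because their common ancestor is the root, which the delegatee cannot write.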