Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S934912AbcLMRcv (ORCPT ); Tue, 13 Dec 2016 12:32:51 -0500 Received: from mail-oi0-f52.google.com ([209.85.218.52]:32784 "EHLO mail-oi0-f52.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S934776AbcLMRcs (ORCPT ); Tue, 13 Dec 2016 12:32:48 -0500 MIME-Version: 1.0 In-Reply-To: References: <1481593143-18756-1-git-send-email-john.stultz@linaro.org> <221e80bd-3d99-6c35-dcd3-b2547f0abb11@schaufler-ca.com> From: John Stultz Date: Tue, 13 Dec 2016 09:24:37 -0800 Message-ID: Subject: Re: [PATCH v5] cgroup: Add new capability to allow a process to migrate other tasks between cgroups To: Casey Schaufler Cc: Michael Kerrisk , lkml , Tejun Heo , Li Zefan , Jonathan Corbet , "open list:CONTROL GROUP (CGROUP)" , Android Kernel Team , Rom Lemarchand , Colin Cross , Dmitry Shmidt , Todd Kjos , Christian Poetzsch , Amit Pundir , Dmitry Torokhov , Kees Cook , "Serge E . Hallyn" , Andy Lutomirski , Linux API Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1548 Lines: 30 On Tue, Dec 13, 2016 at 9:17 AM, Casey Schaufler wrote: > On 12/13/2016 8:49 AM, John Stultz wrote: >> On Tue, Dec 13, 2016 at 8:39 AM, Casey Schaufler wrote: >>> On 12/13/2016 1:47 AM, Michael Kerrisk (man-pages) wrote: >>>> How about CAP_CGROUP_CONTROL or some such, with the idea that this >>>> might be a capability that allows the holder to step outside usual >>>> cgroup rules? At the moment, that capability would allow only one such >>>> step, but maybe there would be others in the future. >>> I agree, but want to put it more strongly. The granularity of >>> capabilities can never be fine enough for some people, and this >>> is an example of a case where you're going a bit too far. If the >>> use case is Android as you say, you don't need this. As my friends >>> on the far side of the aisle would say, "just write SELinux policy" >>> to correctly control access as required. >> So.. The trouble is that while selinux is good for restricting >> permissions, the in-kernel permission checks here are already too >> restrictive. > > Why did the original authors of cgroups make it that restrictive? > If there isn't a good reason, loosen it up. If there is a good > reason, then pay heed to it. That's what this patch is proposing. And I agree with Michael that the newly proposed cap was a bit to narrowly focused on my immediate use case, and broadening it to CGROUP_CONTROL is smart. Then that capability could be further restricted w/ selinux policy, as you suggest. thanks -john