Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751458AbeABSWP (ORCPT + 1 other); Tue, 2 Jan 2018 13:22:15 -0500 Received: from mail-pl0-f42.google.com ([209.85.160.42]:45623 "EHLO mail-pl0-f42.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751029AbeABSWM (ORCPT ); Tue, 2 Jan 2018 13:22:12 -0500 X-Google-Smtp-Source: ACJfBovboZpPPRGJFOmNqFGTFxxKJZZQAD4dbg89CIob+LLGwVB1P1asAVzEJ8K3wBP4gHCTKeIPYw== Cc: mtk.manpages@gmail.com, linux-man , lkml , cgroups@vger.kernel.org To: Tejun Heo , "Serge E. Hallyn" From: "Michael Kerrisk (man-pages)" Subject: cgroups(7): documenting cgroups v2 delegation Message-ID: <1ce0a885-94fb-7480-7180-7b873c95b1bb@gmail.com> Date: Tue, 2 Jan 2018 19:22:05 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.3.0 MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Return-Path: Hello Tejun and Serge The delegation feature of cgroups v2 has of course been around for a while now, but was not documented so far in cgroups(7). I have written some text to describe the delegation feature. I would be happy to receive suggestions for fixes, improvements, or corrections to errors, from you (or others). The plain-text version for (easy review) is shown below. (Please note the FIXME!) The branch containing the pending cgroups(7) changes can be found at: https://git.kernel.org/pub/scm/docs/man-pages/man-pages.git/log/?h=draft_cgroup_updates [[ Cgroups v2 delegation In the context of cgroups, delegation means passing management of some subtree of the cgroup hierarchy to a nonprivileged process. Cgroups v1 provides support for delegation that was accidental and not fully secure. Cgroups v2 supports delega‐ tion by explicit design. Some terminology is required in order to describe delegation. A delegater is a privileged user (i.e., root) who owns a parent cgroup. A delegatee is a nonprivileged user who will be granted the permissions needed to manage some subhierarchy under that parent cgroup, known as the delegated subtree. To perform delegation, the delegater makes certain directories and files writable by the delegatee, typically by changing the ownership of the objects to be the user ID of the delegatee. Assuming that we want to delegate the hierarchy rooted at (say) /dlgt_grp and that there are not yet any child cgroups under that cgroup, the ownership of the following is changed to the user ID of the delegatee: /dlgt_grp Changing the ownership of the root of the subtree means that any new cgroups created under the subtree (and the files they contain) will also be owned by the delegatee. /dlgt_grp/cgroup.procs Changing the ownership of this file means that the dele‐ gatee can move processes into the root of the delegated subtree. /dlgt_grp/cgroup.subtree_control Making this file owned by the delegatee is optional. Doing so means that that the delegatee can enable con‐ trollers (that are present in /dlgt_grp/cgroup.con‐ trollers) in order to further redistribute resources at lower levels in the subtree. As an alternative to changing the ownership of this file, the delegater might instead add selected controllers to this file. The delegater should not change the ownership of any of the controller interfaces files (e.g., pids.max, memory.high) in dlgt_grp. Those files are used from the next level above the delegated subtree in order to distribute resources into the subtree, and the delegatee should not have permission to change the resources that are distributed into the delegated subtree. After the aforementioned steps have been performed, the delega‐ tee can create child cgroups within the delegated subtree and move processes between cgroups in the subtree. If some con‐ trollers are present in dlgt_grp/cgroup.subtree_control, or the ownership of that file was passed to the delegatee, the delega‐ tee can also control the further redistribution of the corre‐ sponding resources into the delegated subtree. Some delegation containment rules ensure that the delegatee can move processes between cgroups within the delegated subtree, but can't move processes from outside the delegated subtree into the subtree or vice versa. A nonprivileged process (i.e., the delegatee) can write the PID of a "target" process into a cgroup.procs file only if all of the following are true: * The effective UID of the writer (i.e., the delegatee) matches the real user ID or the saved set-user-ID of the target process. * The writer has write permission on the cgroup.procs file in the destination cgroup. * The writer has write permission on the cgroup.procs file in the common ancestor of the source and destination cgroups. (In some cases, the common ancestor may be the source or destination cgroup itself.) ┌─────────────────────────────────────────────────────┐ │FIXME │ ├─────────────────────────────────────────────────────┤ │Please confirm that the following is correct: │ └─────────────────────────────────────────────────────┘ Note: one consequence of these delegation containment rules is that the unprivileged delegatee can't place the first process into the delegated subtree; instead, the delegater must place the first process (a process owned by the delegatee) into the delegated subtree. ]] Cheers, Michael -- Michael Kerrisk Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/ Linux/UNIX System Programming Training: http://man7.org/training/