Received: by 2002:a25:8b91:0:0:0:0:0 with SMTP id j17csp9259544ybl; Fri, 17 Jan 2020 08:54:23 -0800 (PST) X-Google-Smtp-Source: APXvYqwMddN2ZqGhw3mSzc7dDrtiSZkc/ghu9OlRLuv0BxcqaDpRyxGMwboNj4/gGC0b1J9AeGDp X-Received: by 2002:a05:6808:6c5:: with SMTP id m5mr3949758oih.106.1579280063055; Fri, 17 Jan 2020 08:54:23 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1579280063; cv=none; d=google.com; s=arc-20160816; b=c6lpZYII0HBAQl35kUJTwpicyNDlB5+3fHsCpTiJsU394b9s21ntNu938GxBcTzjLc 2Ok/Wu9Idb7tyacX2GueEFk928P2g/gVFNrmqlvn0kol3M9mf1UdzeG+R2EQitOqQPr5 W6RRX+Tt3u/sHakXasY9Ptu/sATQ2khNVUogDaQATvhiUZ7+QOftT9o46TEengCpWCkW FvLhcUZej2r3MDnC5DDjwU+GhAESdiqhpsc6S7cYejrt69J4Yh+HcZGD5Rmk2Ysaey4C w2b+pqanh6AVRonvOB31ztAeRs+SxanW2bZgO5bW/xsFaMNiU+7pQKTvIu1or1/BfqCn 5Ojw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature; bh=yuUv1OXPdVXWCIetDO046G9cCpe5yN5/7bZ6LwPz4B0=; b=cPYzqp/vKG7347LdjOWe0tv4TWC3gI3hcUeeErhc8Izu2aq3Do8+wljAxbao9jtyD/ njC4ygu/IR2grHoYGems3fyxkNkWDzUZXf0xh0g1Y34vOamNxRIYtYdz6LFRNielMfEl Dtyqbk731abd7GxGLpxZG/we0k9JT4Vb+PP71/uWdAMYkad/CLsldSJjhNye/gVfxpTn SATevGf5l1W+dWF5tv6K+z0484KDJt7sKkpQIAkoik9VqKY0XYfxttzurb/TUb2mmgFu WV0Sjxy+rKrkg0l/9Bhd6sDLMjtJYj4wv9yzWqYpOyqOri4Tf7CARkr+0S9pciFywZn4 +qTQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@gmail.com header.s=20161025 header.b=qejqoYN8; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id x3si13766173oie.146.2020.01.17.08.54.10; Fri, 17 Jan 2020 08:54:23 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@gmail.com header.s=20161025 header.b=qejqoYN8; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728587AbgAQQxQ (ORCPT + 99 others); Fri, 17 Jan 2020 11:53:16 -0500 Received: from mail-qt1-f196.google.com ([209.85.160.196]:42354 "EHLO mail-qt1-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726559AbgAQQxQ (ORCPT ); Fri, 17 Jan 2020 11:53:16 -0500 Received: by mail-qt1-f196.google.com with SMTP id j5so22236071qtq.9; Fri, 17 Jan 2020 08:53:15 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=sender:date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to:user-agent; bh=yuUv1OXPdVXWCIetDO046G9cCpe5yN5/7bZ6LwPz4B0=; b=qejqoYN8Ckgk98zDdvv5t54CTIJkmQNW8KtQRyuyEU5uMhUYYKKdT62/lehyI7sVJm qDJZ79DuRMyEyQ5o4Sh/7vvL5aHNSe/eGoS0al+CWlnzItuoZmCOirDYyqSxEDCMdULT KMOPWsJfXCxADqkxSg3zY36dU/UpJqlnGRoyFbac5jbYRQUByodAZngML6pRT7ATH01E VQnhvcD0HAZSbw7aP5UlTlCFkCxiR7SbsQkQHmQ0s5TuN0SBNFPHY6A/V0/y9Uscci6n EeCF2xh5jqi4sRdsIwmsa6b0NditLe5KWesqcI88MZv6SzbmERB6gu6sNYB3BpWuVxhb SKHA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:sender:date:from:to:cc:subject:message-id :references:mime-version:content-disposition:in-reply-to:user-agent; bh=yuUv1OXPdVXWCIetDO046G9cCpe5yN5/7bZ6LwPz4B0=; b=b9zJ22Dh8kEjRg8ts3PG2wyjQJ6zOxGZLUY/ETtCrupepWMZRknPN/6lrtR5289nm3 9wpQNRxjfm8paa3Uc3SjYGhYthUVYILIHDQNWd18wZlVJw42ot1rjDC8Y01tM1mJazgz JbmNGaDmkxnstUZSrfjmToQzGxt8RwKOL4fsO14gUNcsXsknYWpyTHs2U28uDi3aAqNS PwVeqNmNdw7gaQc9nw/G3poaKWKLPecHJojuH9OWDM/j1gGLc5jJwJ9EmpBPocF6dh8Z 2vS6+tOJZ6kPBA3deB/Cwj+VDuNZKNXV2i69cMTnwEEWnwf2XEEk6qNZTrY6nsMv7B0L 1X8Q== X-Gm-Message-State: APjAAAUpebE/ErzPUY312c16yWYkp+G9JRyFR8IQ5oFjTPRnEAECx0cJ vv9u0wkHpZ/Zao+MY4bxw/0= X-Received: by 2002:ac8:21fd:: with SMTP id 58mr8021334qtz.90.1579279994927; Fri, 17 Jan 2020 08:53:14 -0800 (PST) Received: from localhost ([2620:10d:c091:500::1:7d10]) by smtp.gmail.com with ESMTPSA id l17sm12141256qkk.22.2020.01.17.08.53.13 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 17 Jan 2020 08:53:14 -0800 (PST) Date: Fri, 17 Jan 2020 08:53:11 -0800 From: Tejun Heo To: Christian Brauner Cc: linux-api@vger.kernel.org, linux-kernel@vger.kernel.org, Ingo Molnar , Oleg Nesterov , Johannes Weiner , Li Zefan , Peter Zijlstra , cgroups@vger.kernel.org Subject: Re: [PATCH v2 2/3] clone3: allow spawning processes into cgroups Message-ID: <20200117165311.GH2677547@devbig004.ftw2.facebook.com> References: <20191223061504.28716-1-christian.brauner@ubuntu.com> <20191223061504.28716-3-christian.brauner@ubuntu.com> <20200107163204.GB2677547@devbig004.ftw2.facebook.com> <20200108180906.l4mvtdmh7nm2z7sc@wittgenstein> <20200116122944.nj3e66eusxu6sb44@wittgenstein> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20200116122944.nj3e66eusxu6sb44@wittgenstein> User-Agent: Mutt/1.5.21 (2010-09-15) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hello, Christian. Sorry about late reply. On Thu, Jan 16, 2020 at 01:29:44PM +0100, Christian Brauner wrote: > Could it be that you misread cgroup_attach_permissions()? Because it > does check for write permissions on the destination cgroup.procs file. > That's why I've added the cgroup_get_from_file() helper. :) See: > > static int cgroup_attach_permissions(struct cgroup *src_cgrp, > struct cgroup *dst_cgrp, > struct super_block *sb, bool thread) > { > int ret = 0; > > ret = cgroup_procs_write_permission(src_cgrp, dst_cgrp, sb); > if (ret) > return ret; So, if you look at cgroup_procs_write_permission(), it's only checking the write perm of the common ancestor, not the destination because it assumes that the destination is already checked by the vfs layer, and we need to check both. Thanks. -- tejun