• Tejun Heo's avatar
    cgroup: implement "nsdelegate" mount option · 5136f636
    Tejun Heo authored
    Currently, cgroup only supports delegation to !root users and cgroup
    namespaces don't get any special treatments.  This limits the
    usefulness of cgroup namespaces as they by themselves can't be safe
    delegation boundaries.  A process inside a cgroup can change the
    resource control knobs of the parent in the namespace root and may
    move processes in and out of the namespace if cgroups outside its
    namespace are visible somehow.
    
    This patch adds a new mount option "nsdelegate" which makes cgroup
    namespaces delegation boundaries.  If set, cgroup behaves as if write
    permission based delegation took place at namespace boundaries -
    writes to the resource control knobs from the namespace root are
    denied and migration crossing the namespace boundary aren't allowed
    from inside the namespace.
    
    This allows cgroup namespace to function as a delegation boundary by
    itself.
    
    v2: Silently ignore nsdelegate specified on !init mounts.
    Signed-off-by: default avatarTejun Heo <tj@kernel.org>
    Cc: Aravind Anbudurai <aru7@fb.com>
    Cc: Serge Hallyn <serge@hallyn.com>
    Cc: Eric Biederman <ebiederm@xmission.com>
    5136f636
cgroup-v2.txt 60.6 KB