• Eric W. Biederman's avatar
    cgroupns: Only allow creation of hierarchies in the initial cgroup namespace · 726a4994
    Eric W. Biederman authored
    Unprivileged users can't use hierarchies if they create them as they do not
    have privilieges to the root directory.
    
    Which means the only thing a hiearchy created by an unprivileged user
    is good for is expanding the number of cgroup links in every css_set,
    which is a DOS attack.
    
    We could allow hierarchies to be created in namespaces in the initial
    user namespace.  Unfortunately there is only a single namespace for
    the names of heirarchies, so that is likely to create more confusion
    than not.
    
    So do the simple thing and restrict hiearchy creation to the initial
    cgroup namespace.
    
    Cc: stable@vger.kernel.org
    Fixes: a79a908f ("cgroup: introduce cgroup namespaces")
    Signed-off-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
    Signed-off-by: default avatarTejun Heo <tj@kernel.org>
    726a4994
cgroup.c 174 KB