• Tejun Heo's avatar
    cgroup: drop the matching uid requirement on migration for cgroup v2 · 576dd464
    Tejun Heo authored
    Along with the write access to the cgroup.procs or tasks file, cgroup
    has required the writer's euid, unless root, to match [s]uid of the
    target process or task.  On cgroup v1, this is necessary because
    there's nothing preventing a delegatee from pulling in tasks or
    processes from all over the system.
    
    If a user has a cgroup subdirectory delegated to it, the user would
    have write access to the cgroup.procs or tasks file.  If there are no
    further checks than file write access check, the user would be able to
    pull processes from all over the system into its subhierarchy which is
    clearly not the intended behavior.  The matching [s]uid requirement
    partially prevents this problem by allowing a delegatee to pull in the
    processes that belongs to it.  This isn't a sufficient protection
    however, because a user would still be able to jump processes across
    two disjoint sub-hierarchies that has been delegated to them.
    
    cgroup v2 resolves the issue by requiring the writer to have access to
    the common ancestor of the cgroup.procs file of the source and target
    cgroups.  This confines each delegatee to their own sub-hierarchy
    proper and bases all permission decisions on the cgroup filesystem
    rather than having to pull in explicit uid matching.
    
    cgroup v2 has still been applying the matching [s]uid requirement just
    for historical reasons.  On cgroup2, the requirement doesn't serve any
    purpose while unnecessarily complicating the permission model.  Let's
    drop it.
    Signed-off-by: default avatarTejun Heo <tj@kernel.org>
    576dd464
cgroup.c 135 KB