    cgroup: require write perm on common ancestor when moving processes on the default hierarchy · 187fe840
    Tejun Heo authored
    On traditional hierarchies, if a task has write access to "tasks" or
    "cgroup.procs" file of a cgroup and its euid agrees with the target,
    it can move the target to the cgroup; however, consider the following
    scenario.  The owner of each cgroup is in the parentheses.
    
     R (root) - 0 (root) - 00 (user1) - 000 (user1)
              |                       \ 001 (user1)
              \ 1 (root) - 10 (user1)
    
    The subtrees of 00 and 10 are delegated to user1; however, while both
    subtrees may belong to the same user, it is clear that the two
    subtrees are to be isolated - they're under completely separate
    resource limits imposed by 0 and 1, respectively.  Note that 0 and 1
    aren't strictly necessary but added to ease illustrating the issue.
    
    If user1 is allowed to move processes between the two subtrees, the
    intention of the hierarchy - keeping a given group of processes under
    a subtree with certain resource restrictions while delegating
    management of the subtree - can be circumvented by user1.
    
    This happens because the migration permission check doesn't consider the
    hierarchical nature of cgroups.  To fix the issue, this patch adds an
    extra permission requirement when userland tries to migrate a process
    in the default hierarchy - the issuing task must have write access to
    the "cgroup.procs" file of the common ancestor in addition to the
    destination's.
    
    Conceptually, the issuer must be able to move the target process from
    the source cgroup to the common ancestor of source and destination
    cgroups and then to the destination.  As long as delegation is done in
    a proper top-down way, this guarantees that a delegatee can't smuggle
    processes across disjoint delegation domains.
    
    The next patch will add documentation on the delegation model on the
    default hierarchy.
    
    v2: Fixed missing !ret test.  Spotted by Li Zefan.
    Signed-off-by: Tejun Heo <tj@kernel.org>
    Acked-by: Johannes Weiner <hannes@cmpxchg.org>
    Cc: Li Zefan <lizefan@huawei.com>
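A model of the check the commit message describes, added here as an illustration and not taken from the kernel source: the cgroup tree from the message, a stand-in for the write-permission test on "cgroup.procs", and the pre- and post-patch migration rules side by side. The uid 1000 for user1, the node and function names, and the owner-or-root permission rule are assumptions; the euid-agreement check on the target process is left out.

```c
#include <stdbool.h>
#include <stddef.h>
/* Constructed model of a cgroup: the uid that owns its cgroup.procs file. */
struct cg { const char *name; unsigned owner; const struct cg *parent; };
#define USER1 1000u   /* assumed uid for "user1" */

/* The hierarchy from the commit message, owner in parentheses. */
static const struct cg R    = { "R",   0,     NULL };
static const struct cg c0   = { "0",   0,     &R   };
static const struct cg c00  = { "00",  USER1, &c0  };
static const struct cg c000 = { "000", USER1, &c00 };
static const struct cg c001 = { "001", USER1, &c00 };
static const struct cg c1   = { "1",   0,     &R   };
static const struct cg c10  = { "10",  USER1, &c1  };

static int depth(const struct cg *c)
{
	int d = 0;
	for (; c->parent; c = c->parent) d++;
	return d;
}

/* Walk both nodes up to the same depth, then up together until they meet. */
static const struct cg *common_ancestor(const struct cg *a, const struct cg *b)
{
	int da = depth(a), db = depth(b);
	for (; da > db; da--) a = a->parent;
	for (; db > da; db--) b = b->parent;
	while (a != b) { a = a->parent; b = b->parent; }
	return a;
}

/* Stand-in for a MAY_WRITE check on cgroup.procs: root or the owning uid. */
static bool may_write_procs(const struct cg *c, unsigned uid)
{
	return uid == 0 || uid == c->owner;
}

/* Pre-patch rule: write access to the destination's cgroup.procs suffices. */
static bool legacy_may_migrate(const struct cg *src, const struct cg *dst, unsigned uid)
{
	(void)src;
	return may_write_procs(dst, uid);
}

/* Post-patch rule on the default hierarchy: the issuer must also be able to
 * write cgroup.procs of the common ancestor of source and destination. */
static bool v2_may_migrate(const struct cg *src, const struct cg *dst, unsigned uid)
{
	return may_write_procs(dst, uid) &&
	       may_write_procs(common_ancestor(src, dst), uid);
}
```

With these rules user1 can still move a process between 000 and 001 (common ancestor 00 is theirs) but no longer from 000 to 10, because the common ancestor R is owned by root.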