
Commit 726a499

ebiederm authored and htejun committed
cgroupns: Only allow creation of hierarchies in the initial cgroup namespace
Unprivileged users can't use hierarchies if they create them, as they do not have privileges to the root directory. That means the only thing a hierarchy created by an unprivileged user is good for is expanding the number of cgroup links in every css_set, which is a DOS attack.

We could allow hierarchies to be created in namespaces in the initial user namespace. Unfortunately there is only a single namespace for the names of hierarchies, so that is likely to create more confusion than not.

So do the simple thing and restrict hierarchy creation to the initial cgroup namespace.

Cc: stable@vger.kernel.org
Fixes: a79a908 ("cgroup: introduce cgroup namespaces")
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
1 parent eedd0f4 commit 726a499

1 file changed: +2 -6 lines changed


kernel/cgroup.c

Lines changed: 2 additions & 6 deletions
@@ -2215,12 +2215,8 @@ static struct dentry *cgroup_mount(struct file_system_type *fs_type,
22152215
goto out_unlock;
22162216
}
22172217

2218-
/*
2219-
* We know this subsystem has not yet been bound. Users in a non-init
2220-
* user namespace may only mount hierarchies with no bound subsystems,
2221-
* i.e. 'none,name=user1'
2222-
*/
2223-
if (!opts.none && !capable(CAP_SYS_ADMIN)) {
2218+
/* Hierarchies may only be created in the initial cgroup namespace. */
2219+
if (ns != &init_cgroup_ns) {
22242220
ret = -EPERM;
22252221
goto out_unlock;
22262222
}
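Review bot: the replaced condition `if (!opts.none && !capable(CAP_SYS_ADMIN))` carried a capability check that the new `if (ns != &init_cgroup_ns)` does not; nothing in this hunk shows where CAP_SYS_ADMIN is still required for a caller that is in the initial cgroup namespace but lacks the capability, so either an earlier check in cgroup_mount (not visible here) must already cover it, or the condition should read `if (ns != &init_cgroup_ns || !capable(CAP_SYS_ADMIN))`. The new one-line comment also drops the rationale; the commit message's point that an unprivileged-created hierarchy only serves to expand the cgroup links in every css_set (a DoS vector) is worth keeping next to the -EPERM so a later reader does not reintroduce the 'none,name=...' exception.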

0 commit comments