linux/Documentation
Tejun Heo 576dd46450 cgroup: drop the matching uid requirement on migration for cgroup v2
Along with the write access to the cgroup.procs or tasks file, cgroup
has required the writer's euid, unless root, to match [s]uid of the
target process or task.  On cgroup v1, this is necessary because
there's nothing preventing a delegatee from pulling in tasks or
processes from all over the system.

If a user has a cgroup subdirectory delegated to it, the user would
have write access to the cgroup.procs or tasks file.  If there are no
further checks than file write access check, the user would be able to
pull processes from all over the system into its subhierarchy which is
clearly not the intended behavior.  The matching [s]uid requirement
partially prevents this problem by allowing a delegatee to pull in the
processes that belong to it.  This isn't a sufficient protection
however, because a user would still be able to jump processes across
two disjoint sub-hierarchies that have been delegated to them.

cgroup v2 resolves the issue by requiring the writer to have access to
the common ancestor of the cgroup.procs file of the source and target
cgroups.  This confines each delegatee to their own sub-hierarchy
proper and bases all permission decisions on the cgroup filesystem
rather than having to pull in explicit uid matching.

cgroup v2 has still been applying the matching [s]uid requirement just
for historical reasons.  On cgroup2, the requirement doesn't serve any
purpose while unnecessarily complicating the permission model.  Let's
drop it.

Signed-off-by: Tejun Heo <tj@kernel.org>
2017-02-02 13:47:56 -05:00
..
ABI Merge branch 'x86-cache-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2016-12-22 09:25:45 -08:00
accounting tools: move accounting tool from Documentation 2016-09-23 13:07:15 -06:00
acpi ACPI material for v4.10-rc1 2016-12-13 11:06:21 -08:00
admin-guide ima: define a canonical binary_runtime_measurements list format 2016-12-20 09:48:45 -08:00
aoe
arm ARM: SoC platform updates for v4.10 2016-12-15 15:39:02 -08:00
arm64 arm64 updates for 4.9: 2016-10-03 08:58:35 -07:00
auxdisplay samples: move auxdisplay example code from Documentation 2016-09-23 11:52:32 -06:00
backlight
blackfin samples: move blackfin gptimers-example from Documentation 2016-10-10 07:12:02 -06:00
block blk-wbt: allow reset of default latency through sysfs 2016-11-28 10:27:03 -07:00
blockdev docs: fix locations of several documents that got moved 2016-10-24 08:12:35 -02:00
bus-devices
cdrom
cgroup-v1 docs: fix locations of several documents that got moved 2016-10-24 08:12:35 -02:00
cma
connector
console
core-api core-api: remove an unexpected unident 2016-12-01 10:46:01 -07:00
cpu-freq Documentation: intel_pstate: Document HWP energy/performance hints 2016-12-08 01:43:05 +01:00
cpuidle
cris
crypto This pull contains one set of changes: a conversion of the crypto DocBook 2016-12-17 16:00:34 -08:00
dev-tools Documentation/sparse: drop __CHECK_ENDIAN__ 2016-12-16 00:13:41 +02:00
device-mapper Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2016-12-14 11:12:25 -08:00
devicetree MMC core: 2016-12-22 10:13:04 -08:00
dmaengine dmaengine: Documentation: Fix typo in pxa_dma.txt 2016-11-14 08:14:24 +05:30
doc-guide docs-rst: parse-headers.pl: cleanup the documentation 2016-11-30 17:08:09 -07:00
DocBook crypto: doc - remove crypto API DocBook 2016-12-13 16:38:04 -07:00
driver-api edac.rst: move concepts dictionary from edac.h 2016-12-15 08:58:12 -02:00
driver-model devres: add devm_alloc_percpu() 2016-11-15 22:34:25 -05:00
early-userspace
EDID
extcon
fault-injection
fb
features 2nd round of ARC udpates for 4.10rc1 2016-12-23 10:22:47 -08:00
filesystems Merge uncontroversial parts of branch 'readlink' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/vfs 2016-12-17 19:16:12 -08:00
firmware_class
fmc
fpga fpga: Clarify how write_init works streaming modes 2016-11-29 15:51:49 -06:00
frv docs: fix locations of several documents that got moved 2016-10-24 08:12:35 -02:00
gpio Bulk GPIO changes for the v4.10 kernel cycle: 2016-12-13 07:54:57 -08:00
gpu Main pull request for drm for 4.10 kernel 2016-12-13 09:35:09 -08:00
hid Documentation: HID: Intel ISH HID document 2016-08-17 11:13:07 +02:00
hwmon hwmon updates for v4.10 2016-12-13 15:43:56 -08:00
i2c Merge branch 'i2c/for-4.10' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux 2016-12-15 12:56:35 -08:00
ia64 selftests: move ia64 tests from Documentation/ia64 2016-09-20 09:58:12 -06:00
ide
iio iio: Documentation: Correct the path used to create triggers. 2016-10-01 00:49:58 -06:00
infiniband IB/hfi1: Document new sysfs entries for hfi1 driver 2016-10-02 08:42:19 -04:00
input Input: ALPS - add V8 protocol documentation 2016-10-04 11:47:02 -07:00
ioctl doc: ioctl: Add some clarifications to botching-up-ioctls 2016-09-06 06:00:22 -06:00
isdn docs: fix locations of several documents that got moved 2016-10-24 08:12:35 -02:00
kbuild Kconfig: Introduce the "imply" keyword 2016-11-16 09:26:33 +01:00
kdump Documentation: kdump: Add description of enable multi-cpus support 2016-09-20 18:02:54 -06:00
laptops platform/x86: thinkpad_acpi: Add support for X1 Yoga (2016) Tablet Mode 2016-12-13 09:29:06 -08:00
leds leds/leds-lp5523.txt: make documentation match reality 2016-11-22 12:07:02 +01:00
livepatch Documentation/livepatch: Fix stale link to gmame 2016-12-09 13:41:46 +01:00
locking locking/lglock: Remove lglock implementation 2016-09-22 15:25:56 +02:00
m68k docs: fix locations of several documents that got moved 2016-10-24 08:12:35 -02:00
media Merge branch 'patchwork' into v4l_for_linus 2016-12-15 08:38:35 -02:00
memory-devices
metag
mic samples: move mic/mpssd example code from Documentation 2016-09-20 12:38:48 -06:00
mips
misc-devices samples: move misc-devices/mei example code from Documentation 2016-09-23 11:51:43 -06:00
mmc mmc: core: Extend sysfs with DSR register 2016-07-25 10:34:51 +02:00
mn10300
mtd
namespaces
netlabel
networking These are the documentation changes for 4.10. 2016-12-12 21:58:13 -08:00
nfc
nios2
nvdimm libnvdimm, btt: update the usage section in Documentation 2016-06-17 16:23:23 -07:00
nvmem
parisc
PCI PCI changes for the v4.9 merge window: 2016-10-07 11:46:37 -07:00
pcmcia tools: move pcmcia crc32hash tool from Documentation 2016-09-23 13:07:27 -06:00
perf perf: xgene: Add APM X-Gene SoC Performance Monitoring Unit driver 2016-09-15 11:20:55 -07:00
phy
platform
power Power management material for v4.10-rc1 2016-12-13 10:41:53 -08:00
powerpc powerpc updates for 4.9 2016-10-07 20:19:31 -07:00
pps
prctl selftests: move prctl tests from Documentation/prctl 2016-09-20 09:09:09 -06:00
process Doc: Correct typo, "Introdution" => "Introduction" 2016-12-01 10:44:08 -07:00
pti
ptp selftests: move ptp tests from Documentation/ptp 2016-09-20 09:54:38 -06:00
rapidio rapidio/documentation/mport_cdev: add missing parameter description 2016-09-01 17:52:02 -07:00
RCU Documentation/RCU: Fix minor typo 2016-11-14 10:39:48 -08:00
s390 s390/Documentation: improve sort command for trace buffer 2016-06-13 15:58:23 +02:00
scheduler docs/completion.txt: drop dangling reference to completions-design.txt 2016-11-16 16:27:50 -07:00
scsi Merge branch 'misc' into for-linus 2016-12-22 12:32:33 -08:00
security Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security 2016-12-14 13:57:44 -08:00
serial Documentation: rs485: Do not define manually the ioctl 2016-08-18 11:08:33 -06:00
sh
sound Merge remote-tracking branch 'sound/topic/restize-docs' into sound 2016-11-18 16:19:28 -07:00
sphinx docs: sphinx-extensions: make rstFlatTable work with docutils 0.13 2016-12-18 13:30:29 -07:00
sphinx-static This is the documentation update pull for the 4.9 merge window. 2016-10-04 13:54:07 -07:00
spi Doc: update 00-INDEX files to reflect the runnable code move 2016-10-10 07:12:09 -06:00
sysctl These are the documentation changes for 4.10. 2016-12-12 21:58:13 -08:00
target
thermal thermal: Add support for hardware-tracked trip points 2016-09-27 14:02:16 +08:00
timers Doc: update 00-INDEX files to reflect the runnable code move 2016-10-10 07:12:09 -06:00
trace This release has a few updates: 2016-12-15 13:49:34 -08:00
translations Documentation/sparse: drop __CHECK_ENDIAN__ 2016-12-16 00:13:41 +02:00
usb Documentation: tiny typo fix in usb/gadget_multi.txt 2016-06-23 08:09:10 -06:00
virtual KVM: hyperv: fix locking of struct kvm_hv fields 2016-12-16 17:53:38 +01:00
vm These are the documentation changes for 4.10. 2016-12-12 21:58:13 -08:00
w1
watchdog docs: fix locations of several documents that got moved 2016-10-24 08:12:35 -02:00
wimax
x86 Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2016-12-23 16:54:46 -08:00
xtensa xtensa: cleanup MMU setup and kernel layout macros 2016-07-24 06:33:58 +03:00
.gitignore Add .pyc files to .gitignore 2016-06-30 13:07:33 -06:00
00-INDEX edac: adjust docs location at MAINTAINERS and 00-INDEX 2016-12-15 08:57:16 -02:00
bcache.txt bcache: documentation formatting, edited for clarity, stripe alignment notes 2016-06-23 07:58:38 -06:00
bt8xxgpio.txt
btmrvl.txt
bus-virt-phys-mapping.txt
cachetlb.txt
cgroup-v2.txt cgroup: drop the matching uid requirement on migration for cgroup v2 2017-02-02 13:47:56 -05:00
Changes docs: add back 'Documentation/Changes' file (as symlink) 2016-12-14 16:30:12 -08:00
circular-buffers.txt Documentation: circular-buffers: use READ_ONCE() 2016-11-16 16:17:45 -07:00
clk.txt Documentation: clk: update file names containing referenced structures 2016-08-14 12:12:36 -06:00
CodingStyle doc: re-add CodingStyle and SubmittingPatches 2016-10-24 08:12:35 -02:00
conf.py docs-rst: doc-guide: split the kernel-documentation.rst contents 2016-11-19 10:22:04 -07:00
cpu-hotplug.txt Documentation: cpu-hotplug: Fix typos 2016-10-25 17:07:52 -06:00
cpu-load.txt
cputopology.txt topology/sysfs: provide drawer id and siblings attributes 2016-06-13 15:58:27 +02:00
crc32.txt
dcdbas.txt
debugging-modules.txt
debugging-via-ohci1394.txt
dell_rbu.txt
digsig.txt
DMA-API-HOWTO.txt Documentation: DMA-API-HOWTO: Fix a typo 2016-09-20 17:58:46 -06:00
DMA-API.txt dma-mapping: add dma_{map,unmap}_resource 2016-09-26 22:16:41 +05:30
DMA-attributes.txt dma-mapping: introduce the DMA_ATTR_NO_WARN attribute 2016-10-11 15:06:32 -07:00
dma-buf-sharing.txt
DMA-ISA-LPC.txt
docutils.conf doc-rst: add docutils config file 2016-08-14 11:52:40 -06:00
dontdiff Remove last traces of ikconfig.h 2016-12-14 10:54:28 +01:00
efi-stub.txt
eisa.txt
flexible-arrays.txt
futex-requeue-pi.txt
gcc-plugins.txt GCC plugin infrastructure 2016-06-07 22:57:10 +02:00
highuid.txt
hw_random.txt
hwspinlock.txt
index.rst crypto: doc - convert crypto API documentation to Sphinx 2016-12-13 16:37:54 -07:00
intel_txt.txt
Intel-IOMMU.txt
io_ordering.txt
io-mapping.txt
iostats.txt
IPMI.txt ipmi: Update documentation 2016-11-07 12:16:06 -06:00
IRQ-affinity.txt
IRQ-domain.txt
IRQ.txt
irqflags-tracing.txt
isa.txt
isapnp.txt
kernel-doc-nano-HOWTO.txt docs-rst: doc-guide: split the kernel-documentation.rst contents 2016-11-19 10:22:04 -07:00
kernel-per-CPU-kthreads.txt docs: fix locations of several documents that got moved 2016-10-24 08:12:35 -02:00
kobject.txt
kprobes.txt Documentation: kprobes: Document jprobes stack copying limitations 2016-08-15 10:19:11 -06:00
kref.txt
kselftest.txt Doc: update kselftest.txt with details on how to run tests after install 2016-11-07 18:04:18 -07:00
ldm.txt
lockup-watchdogs.txt docs: fix locations of several documents that got moved 2016-10-24 08:12:35 -02:00
logo.gif
logo.txt
lzo.txt
mailbox.txt
Makefile samples: move blackfin gptimers-example from Documentation 2016-10-10 07:12:02 -06:00
Makefile.sphinx docs-rst: fix media cleandocs target 2016-11-30 17:08:03 -07:00
md-cluster.txt
memory-barriers.txt locking/Documentation: Fix a typo of example result 2016-08-12 08:24:13 +02:00
memory-hotplug.txt docs: fix locations of several documents that got moved 2016-10-24 08:12:35 -02:00
men-chameleon-bus.txt
nommu-mmap.txt
ntb.txt
numastat.txt
padata.txt
parport-lowlevel.txt
percpu-rw-semaphore.txt
phy.txt
pi-futex.txt
pinctrl.txt pinctrl: Flag strict is a field in struct pinmux_ops 2016-06-23 10:50:10 +02:00
pnp.txt
preempt-locking.txt
printk-formats.txt
pwm.txt
rbtree.txt
remoteproc.txt remoteproc: Split driver and consumer dereferencing 2016-10-02 22:50:21 -07:00
rfkill.txt docs: fix locations of several documents that got moved 2016-10-24 08:12:35 -02:00
robust-futex-ABI.txt
robust-futexes.txt
rpmsg.txt
rtc.txt
SAK.txt
sgi-ioc4.txt
SM501.txt
smsc_ece1099.txt
static-keys.txt jump_labels: Allow array initialisers 2016-09-07 09:41:11 +01:00
SubmittingPatches doc: re-add CodingStyle and SubmittingPatches 2016-10-24 08:12:35 -02:00
svga.txt
sync_file.txt dma-buf: Rename struct fence to dma_fence 2016-10-25 14:40:39 +02:00
this_cpu_ops.txt
unaligned-memory-access.txt
unshare.txt
vfio-mediated-device.txt docs: Sample driver to demonstrate how to use Mediated device framework. 2016-11-17 09:18:44 -07:00
vfio.txt
video-output.txt
xillybus.txt
xz.txt
zorro.txt