On Wed, Oct 23, 2013 at 12:41:30AM +0000, Serge E. Hallyn wrote:
> Quoting Tejun Heo (t...@kernel.org):
> > On Tue, Jul 23, 2013 at 2:38 PM, Serge Hallyn <serge.hal...@ubuntu.com>
> > wrote:
> > > This doesn't delegate it into the container. It allows me, on the host,
> > > to set the cgroup for a container.
> >
> > Hmmm? I'm a bit confused. Isn't the description saying that the patch
> > allows pseudo-root in userns to change cgroup membership even if it
> > isn't actually root?
> >
> > Besides, I find the whole check rather bogus and would actually much
> > prefer just nuking the check and just follow the standard permission
> > checks.
>
> Can we please nuke it like this then?
>
> From b840083ec8fa1f0645ae925c79db3dc51edd019c Mon Sep 17 00:00:00 2001
> From: Serge Hallyn <serge.hal...@ubuntu.com>
> Date: Wed, 23 Oct 2013 01:34:00 +0200
> Subject: [PATCH 1/1] device_cgroup: remove can_attach
>
> It is really only wanting to duplicate a check which is already done by the
> cgroup subsystem.
>
> With this patch, user jdoe still cannot move pid 1 into a devices cgroup
> he owns, but now he can move his own other tasks into devices cgroups.
>
> Signed-off-by: Serge Hallyn <serge.hal...@ubuntu.com>
> Cc: Aristeu Rozanski <a...@redhat.com>
> Cc: Tejun Heo <t...@kernel.org>

Applied to cgroup/for-3.13.  Thanks.

--
tejun