[Devel] [PATCH rh7] cgroups: Drop virtualization code, v4

Vladimir Davydov vdavydov at parallels.com
Thu May 7 03:01:03 PDT 2015


On Thu, May 07, 2015 at 12:12:37PM +0300, Cyrill Gorcunov wrote:
> On Thu, May 07, 2015 at 11:59:54AM +0300, Vladimir Davydov wrote:
> > > > 
> > > > So we are not allowed to create new cgroup hierarchies from a container,
> > > > but we still can mount existing ones? If so, I think we should forbid
> > > > this either.
> > > 
> > > Yes existing ones are not forbidden. I'm not sure though if we should
> > > not allow to reuse existing hierarchies. You have some security scenario
> > > in your mind or mean to make everything as strict as possible until
> > > the reverse is not explicitly needed?
> > 
> > If a container is able to mount real cgroup root, it can see how many
> > containers are running on the node and their parameters. Looks like a
> > sort of security issue to me.
> 
> Yes, except one need to properly guess the mount options of cgroups.
> Still true, this is security problem.
> 
> I think something like
> 
> cgroup_mount
>  ...
> #ifdef CONFIG_VE
> 	/*
> 	 * Cgroups mounting from inside of VE is not allowed
> 	 * until we get some iron proof that we are to.
> 	 */
> 	if (!(flags & MS_KERNMOUNT) && !ve_is_super(get_exec_env())) {
> 		ret = -EACCES;
> 		goto out_err;
> 	}
> #endif
> 
> right at the beginning of the cgroup_mount should help us. Looks good?

I don't think we need MS_KERNMOUNT check, otherwise looks good.
