DL-Mirrors/kernel-tenderloin-3.0
0
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

cgroup: Add generic cgroup subsystem permission checks.

Browse Source 
Rather than using explicit euid == 0 checks when trying to move
tasks into a cgroup via CFS, move permission checks into each
specific cgroup subsystem. If a subsystem does not specify a
'can_attach' handler, then we fall back to doing our checks the old way.

    This way non-root processes can add arbitrary processes to
a cgroup if all the registered subsystems on that cgroup agree.

    Also change explicit euid == 0 check to CAP_SYS_ADMIN

Signed-off-by: San Mehat <san@google.com>
This commit is contained in:
San Mehat
2009-05-21 14:10:06 -07:00
committed by Colin Cross
parent 22e9cd9dc9
commit 1d38bc7d05
4 changed files with 34 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
kernel/sched.c
View File

@@ -8803,6 +8803,15 @@ cpu_cgroup_destroy(struct cgroup_subsys *ss, struct cgroup *cgrp)
static int
cpu_cgroup_can_attach_task(struct cgroup *cgrp, struct task_struct *tsk)
{
if ((current != tsk) && (!capable(CAP_SYS_NICE))) {
const struct cred *cred = current_cred(), *tcred;
tcred = __task_cred(tsk);
if (cred->euid != tcred->uid && cred->euid != tcred->suid)
return -EPERM;
}
#ifdef CONFIG_RT_GROUP_SCHED
if (!sched_rt_can_attach(cgroup_tg(cgrp), tsk))
return -EINVAL;