cgroup: drop the matching uid requirement on migration for cgroup v2

Along with the write access to the cgroup.procs or tasks file, cgroup has required the writer's euid, unless root, to match [s]uid of the target process or task. On cgroup v1, this is necessary because there's nothing preventing a delegatee from pulling in tasks or processes from all over the system. If a user has a cgroup subdirectory delegated to it, the user would have write access to the cgroup.procs or tasks file. If there are no further checks than file write access check, the user would be able to pull processes from all over the system into its subhierarchy which is clearly not the intended behavior. The matching [s]uid requirement partially prevents this problem by allowing a delegatee to pull in the processes that belongs to it. This isn't a sufficient protection however, because a user would still be able to jump processes across two disjoint sub-hierarchies that has been delegated to them. cgroup v2 resolves the issue by requiring the writer to have access to the common ancestor of the cgroup.procs file of the source and target cgroups. This confines each delegatee to their own sub-hierarchy proper and bases all permission decisions on the cgroup filesystem rather than having to pull in explicit uid matching. cgroup v2 has still been applying the matching [s]uid requirement just for historical reasons. On cgroup2, the requirement doesn't serve any purpose while unnecessarily complicating the permission model. Let's drop it. Signed-off-by: Tejun Heo <tj@kernel.org>
author: Tejun Heo <tj@kernel.org> 2017-01-20 11:29:54 -0500
committer: Tejun Heo <tj@kernel.org> 2017-02-02 13:47:56 -0500
commit: 576dd464505fc53d501bb94569db76f220104d28 (patch)
tree: d0338eb91d9d968c33559eda8111f4483ade6eb4 /Documentation/cgroup-v2.txt
parent: 968ebff1efde6948564308836ecf1ef57de4e106 (diff)
1 files changed, 5 insertions, 7 deletions
diff --git a/Documentation/cgroup-v2.txt b/Documentation/cgroup-v2.txt
index 227ce4883720..1d101423ca92 100644
--- a/Documentation/cgroup-v2.txt
+++ b/Documentation/cgroup-v2.txt
@@ -332,14 +332,12 @@ a process with a non-root euid to migrate a target process into a
 cgroup by writing its PID to the "cgroup.procs" file, the following
 conditions must be met.
- The writer's euid must match either uid or suid of the target process.
 - The writer must have write access to the "cgroup.procs" file.
 - The writer must have write access to the "cgroup.procs" file of the
  common ancestor of the source and destination cgroups.
-The above three constraints ensure that while a delegatee may migrate
+The above two constraints ensure that while a delegatee may migrate
 processes around freely in the delegated sub-hierarchy it can't pull
 in from or push out to outside the sub-hierarchy.
@@ -354,10 +352,10 @@ all processes under C0 and C1 belong to U0.
 Let's also say U0 wants to write the PID of a process which is
 currently in C10 into "C00/cgroup.procs".  U0 has write access to the
-file and uid match on the process; however, the common ancestor of the
+file; however, the common ancestor of the source cgroup C10 and the
-source cgroup C10 and the destination cgroup C00 is above the points
+destination cgroup C00 is above the points of delegation and U0 would
-of delegation and U0 would not have write access to its "cgroup.procs"
+not have write access to its "cgroup.procs" files and thus the write
-files and thus the write will be denied with -EACCES.
+will be denied with -EACCES.
 2-6. Guidelines
author	Tejun Heo <tj@kernel.org>	2017-01-20 11:29:54 -0500
committer	Tejun Heo <tj@kernel.org>	2017-02-02 13:47:56 -0500
commit	576dd464505fc53d501bb94569db76f220104d28 (patch)
tree	d0338eb91d9d968c33559eda8111f4483ade6eb4 /Documentation/cgroup-v2.txt
parent	968ebff1efde6948564308836ecf1ef57de4e106 (diff)

diff --git a/Documentation/cgroup-v2.txt b/Documentation/cgroup-v2.txt index 227ce4883720..1d101423ca92 100644 --- a/Documentation/cgroup-v2.txt +++ b/Documentation/cgroup-v2.txt
@@ -332,14 +332,12 @@ a process with a non-root euid to migrate a target process into a
332	cgroup by writing its PID to the "cgroup.procs" file, the following	332	cgroup by writing its PID to the "cgroup.procs" file, the following
333	conditions must be met.	333	conditions must be met.
334		334
335	- The writer's euid must match either uid or suid of the target process.
336
337	- The writer must have write access to the "cgroup.procs" file.	335	- The writer must have write access to the "cgroup.procs" file.
338		336
339	- The writer must have write access to the "cgroup.procs" file of the	337	- The writer must have write access to the "cgroup.procs" file of the
340	common ancestor of the source and destination cgroups.	338	common ancestor of the source and destination cgroups.
341		339
342	The above three constraints ensure that while a delegatee may migrate	340	The above two constraints ensure that while a delegatee may migrate
343	processes around freely in the delegated sub-hierarchy it can't pull	341	processes around freely in the delegated sub-hierarchy it can't pull
344	in from or push out to outside the sub-hierarchy.	342	in from or push out to outside the sub-hierarchy.
345		343
@@ -354,10 +352,10 @@ all processes under C0 and C1 belong to U0.
354		352
355	Let's also say U0 wants to write the PID of a process which is	353	Let's also say U0 wants to write the PID of a process which is
356	currently in C10 into "C00/cgroup.procs". U0 has write access to the	354	currently in C10 into "C00/cgroup.procs". U0 has write access to the
357	file and uid match on the process; however, the common ancestor of the	355	file; however, the common ancestor of the source cgroup C10 and the
358	source cgroup C10 and the destination cgroup C00 is above the points	356	destination cgroup C00 is above the points of delegation and U0 would
359	of delegation and U0 would not have write access to its "cgroup.procs"	357	not have write access to its "cgroup.procs" files and thus the write
360	files and thus the write will be denied with -EACCES.	358	will be denied with -EACCES.
361		359
362		360
363	2-6. Guidelines	361	2-6. Guidelines