diff options
| author | Grzegorz Nosek <root@localdomain.pl> | 2009-04-02 19:57:23 -0400 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2009-04-02 22:04:53 -0400 |
| commit | 313e924c0852943e67335fad9d2608701f0dfe8e (patch) | |
| tree | fa4c3f65a7ed6edea52ae78b012138ebab1420c3 /kernel/ns_cgroup.c | |
| parent | d20a390a0ee2bf2f692c539c6ce1c829e1080bb5 (diff) | |
cgroups: relax ns_can_attach checks to allow attaching to grandchild cgroups
The ns_proxy cgroup allows moving processes to child cgroups only one
level deep at a time. This commit relaxes this restriction and makes it
possible to attach tasks directly to grandchild cgroups, e.g.:
($pid is in the root cgroup)
echo $pid > /cgroup/CG1/CG2/tasks
Previously this operation would fail with -EPERM and would have to be
performed as two steps:
echo $pid > /cgroup/CG1/tasks
echo $pid > /cgroup/CG1/CG2/tasks
Also, the target cgroup no longer needs to be empty to move a task there.
Signed-off-by: Grzegorz Nosek <root@localdomain.pl>
Acked-by: Serge Hallyn <serue@us.ibm.com>
Reviewed-by: Li Zefan <lizf@cn.fujitsu.com>
Cc: Paul Menage <menage@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'kernel/ns_cgroup.c')
| -rw-r--r-- | kernel/ns_cgroup.c | 14 |
1 files changed, 4 insertions, 10 deletions
diff --git a/kernel/ns_cgroup.c b/kernel/ns_cgroup.c index 78bc3fdac0d2..5aa854f9e5ae 100644 --- a/kernel/ns_cgroup.c +++ b/kernel/ns_cgroup.c | |||
| @@ -34,7 +34,7 @@ int ns_cgroup_clone(struct task_struct *task, struct pid *pid) | |||
| 34 | 34 | ||
| 35 | /* | 35 | /* |
| 36 | * Rules: | 36 | * Rules: |
| 37 | * 1. you can only enter a cgroup which is a child of your current | 37 | * 1. you can only enter a cgroup which is a descendant of your current |
| 38 | * cgroup | 38 | * cgroup |
| 39 | * 2. you can only place another process into a cgroup if | 39 | * 2. you can only place another process into a cgroup if |
| 40 | * a. you have CAP_SYS_ADMIN | 40 | * a. you have CAP_SYS_ADMIN |
| @@ -45,21 +45,15 @@ int ns_cgroup_clone(struct task_struct *task, struct pid *pid) | |||
| 45 | static int ns_can_attach(struct cgroup_subsys *ss, | 45 | static int ns_can_attach(struct cgroup_subsys *ss, |
| 46 | struct cgroup *new_cgroup, struct task_struct *task) | 46 | struct cgroup *new_cgroup, struct task_struct *task) |
| 47 | { | 47 | { |
| 48 | struct cgroup *orig; | ||
| 49 | |||
| 50 | if (current != task) { | 48 | if (current != task) { |
| 51 | if (!capable(CAP_SYS_ADMIN)) | 49 | if (!capable(CAP_SYS_ADMIN)) |
| 52 | return -EPERM; | 50 | return -EPERM; |
| 53 | 51 | ||
| 54 | if (!cgroup_is_descendant(new_cgroup)) | 52 | if (!cgroup_is_descendant(new_cgroup, current)) |
| 55 | return -EPERM; | 53 | return -EPERM; |
| 56 | } | 54 | } |
| 57 | 55 | ||
| 58 | if (atomic_read(&new_cgroup->count) != 0) | 56 | if (!cgroup_is_descendant(new_cgroup, task)) |
| 59 | return -EPERM; | ||
| 60 | |||
| 61 | orig = task_cgroup(task, ns_subsys_id); | ||
| 62 | if (orig && orig != new_cgroup->parent) | ||
| 63 | return -EPERM; | 57 | return -EPERM; |
| 64 | 58 | ||
| 65 | return 0; | 59 | return 0; |
| @@ -77,7 +71,7 @@ static struct cgroup_subsys_state *ns_create(struct cgroup_subsys *ss, | |||
| 77 | 71 | ||
| 78 | if (!capable(CAP_SYS_ADMIN)) | 72 | if (!capable(CAP_SYS_ADMIN)) |
| 79 | return ERR_PTR(-EPERM); | 73 | return ERR_PTR(-EPERM); |
| 80 | if (!cgroup_is_descendant(cgroup)) | 74 | if (!cgroup_is_descendant(cgroup, current)) |
| 81 | return ERR_PTR(-EPERM); | 75 | return ERR_PTR(-EPERM); |
| 82 | 76 | ||
| 83 | ns_cgroup = kzalloc(sizeof(*ns_cgroup), GFP_KERNEL); | 77 | ns_cgroup = kzalloc(sizeof(*ns_cgroup), GFP_KERNEL); |