diff options
-rw-r--r-- | include/linux/cgroup.h | 4 | ||||
-rw-r--r-- | kernel/cgroup.c | 11 | ||||
-rw-r--r-- | kernel/ns_cgroup.c | 14 |
3 files changed, 12 insertions, 17 deletions
diff --git a/include/linux/cgroup.h b/include/linux/cgroup.h index bb8feb9feccd..788c4964c142 100644 --- a/include/linux/cgroup.h +++ b/include/linux/cgroup.h | |||
@@ -348,8 +348,8 @@ int cgroup_path(const struct cgroup *cgrp, char *buf, int buflen); | |||
348 | 348 | ||
349 | int cgroup_task_count(const struct cgroup *cgrp); | 349 | int cgroup_task_count(const struct cgroup *cgrp); |
350 | 350 | ||
351 | /* Return true if the cgroup is a descendant of the current cgroup */ | 351 | /* Return true if cgrp is a descendant of the task's cgroup */ |
352 | int cgroup_is_descendant(const struct cgroup *cgrp); | 352 | int cgroup_is_descendant(const struct cgroup *cgrp, struct task_struct *task); |
353 | 353 | ||
354 | /* Control Group subsystem type. See Documentation/cgroups.txt for details */ | 354 | /* Control Group subsystem type. See Documentation/cgroups.txt for details */ |
355 | 355 | ||
diff --git a/kernel/cgroup.c b/kernel/cgroup.c index c500ca7239b2..27792bcb0758 100644 --- a/kernel/cgroup.c +++ b/kernel/cgroup.c | |||
@@ -3084,18 +3084,19 @@ int cgroup_clone(struct task_struct *tsk, struct cgroup_subsys *subsys, | |||
3084 | } | 3084 | } |
3085 | 3085 | ||
3086 | /** | 3086 | /** |
3087 | * cgroup_is_descendant - see if @cgrp is a descendant of current task's cgrp | 3087 | * cgroup_is_descendant - see if @cgrp is a descendant of @task's cgrp |
3088 | * @cgrp: the cgroup in question | 3088 | * @cgrp: the cgroup in question |
3089 | * @task: the task in question | ||
3089 | * | 3090 | * |
3090 | * See if @cgrp is a descendant of the current task's cgroup in | 3091 | * See if @cgrp is a descendant of @task's cgroup in the appropriate |
3091 | * the appropriate hierarchy. | 3092 | * hierarchy. |
3092 | * | 3093 | * |
3093 | * If we are sending in dummytop, then presumably we are creating | 3094 | * If we are sending in dummytop, then presumably we are creating |
3094 | * the top cgroup in the subsystem. | 3095 | * the top cgroup in the subsystem. |
3095 | * | 3096 | * |
3096 | * Called only by the ns (nsproxy) cgroup. | 3097 | * Called only by the ns (nsproxy) cgroup. |
3097 | */ | 3098 | */ |
3098 | int cgroup_is_descendant(const struct cgroup *cgrp) | 3099 | int cgroup_is_descendant(const struct cgroup *cgrp, struct task_struct *task) |
3099 | { | 3100 | { |
3100 | int ret; | 3101 | int ret; |
3101 | struct cgroup *target; | 3102 | struct cgroup *target; |
@@ -3105,7 +3106,7 @@ int cgroup_is_descendant(const struct cgroup *cgrp) | |||
3105 | return 1; | 3106 | return 1; |
3106 | 3107 | ||
3107 | get_first_subsys(cgrp, NULL, &subsys_id); | 3108 | get_first_subsys(cgrp, NULL, &subsys_id); |
3108 | target = task_cgroup(current, subsys_id); | 3109 | target = task_cgroup(task, subsys_id); |
3109 | while (cgrp != target && cgrp!= cgrp->top_cgroup) | 3110 | while (cgrp != target && cgrp!= cgrp->top_cgroup) |
3110 | cgrp = cgrp->parent; | 3111 | cgrp = cgrp->parent; |
3111 | ret = (cgrp == target); | 3112 | ret = (cgrp == target); |
diff --git a/kernel/ns_cgroup.c b/kernel/ns_cgroup.c index 78bc3fdac0d2..5aa854f9e5ae 100644 --- a/kernel/ns_cgroup.c +++ b/kernel/ns_cgroup.c | |||
@@ -34,7 +34,7 @@ int ns_cgroup_clone(struct task_struct *task, struct pid *pid) | |||
34 | 34 | ||
35 | /* | 35 | /* |
36 | * Rules: | 36 | * Rules: |
37 | * 1. you can only enter a cgroup which is a child of your current | 37 | * 1. you can only enter a cgroup which is a descendant of your current |
38 | * cgroup | 38 | * cgroup |
39 | * 2. you can only place another process into a cgroup if | 39 | * 2. you can only place another process into a cgroup if |
40 | * a. you have CAP_SYS_ADMIN | 40 | * a. you have CAP_SYS_ADMIN |
@@ -45,21 +45,15 @@ int ns_cgroup_clone(struct task_struct *task, struct pid *pid) | |||
45 | static int ns_can_attach(struct cgroup_subsys *ss, | 45 | static int ns_can_attach(struct cgroup_subsys *ss, |
46 | struct cgroup *new_cgroup, struct task_struct *task) | 46 | struct cgroup *new_cgroup, struct task_struct *task) |
47 | { | 47 | { |
48 | struct cgroup *orig; | ||
49 | |||
50 | if (current != task) { | 48 | if (current != task) { |
51 | if (!capable(CAP_SYS_ADMIN)) | 49 | if (!capable(CAP_SYS_ADMIN)) |
52 | return -EPERM; | 50 | return -EPERM; |
53 | 51 | ||
54 | if (!cgroup_is_descendant(new_cgroup)) | 52 | if (!cgroup_is_descendant(new_cgroup, current)) |
55 | return -EPERM; | 53 | return -EPERM; |
56 | } | 54 | } |
57 | 55 | ||
58 | if (atomic_read(&new_cgroup->count) != 0) | 56 | if (!cgroup_is_descendant(new_cgroup, task)) |
59 | return -EPERM; | ||
60 | |||
61 | orig = task_cgroup(task, ns_subsys_id); | ||
62 | if (orig && orig != new_cgroup->parent) | ||
63 | return -EPERM; | 57 | return -EPERM; |
64 | 58 | ||
65 | return 0; | 59 | return 0; |
@@ -77,7 +71,7 @@ static struct cgroup_subsys_state *ns_create(struct cgroup_subsys *ss, | |||
77 | 71 | ||
78 | if (!capable(CAP_SYS_ADMIN)) | 72 | if (!capable(CAP_SYS_ADMIN)) |
79 | return ERR_PTR(-EPERM); | 73 | return ERR_PTR(-EPERM); |
80 | if (!cgroup_is_descendant(cgroup)) | 74 | if (!cgroup_is_descendant(cgroup, current)) |
81 | return ERR_PTR(-EPERM); | 75 | return ERR_PTR(-EPERM); |
82 | 76 | ||
83 | ns_cgroup = kzalloc(sizeof(*ns_cgroup), GFP_KERNEL); | 77 | ns_cgroup = kzalloc(sizeof(*ns_cgroup), GFP_KERNEL); |