aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--include/linux/cgroup.h4
-rw-r--r--kernel/cgroup.c11
-rw-r--r--kernel/ns_cgroup.c14
3 files changed, 12 insertions, 17 deletions
diff --git a/include/linux/cgroup.h b/include/linux/cgroup.h
index bb8feb9feccd..788c4964c142 100644
--- a/include/linux/cgroup.h
+++ b/include/linux/cgroup.h
@@ -348,8 +348,8 @@ int cgroup_path(const struct cgroup *cgrp, char *buf, int buflen);
348 348
349int cgroup_task_count(const struct cgroup *cgrp); 349int cgroup_task_count(const struct cgroup *cgrp);
350 350
351/* Return true if the cgroup is a descendant of the current cgroup */ 351/* Return true if cgrp is a descendant of the task's cgroup */
352int cgroup_is_descendant(const struct cgroup *cgrp); 352int cgroup_is_descendant(const struct cgroup *cgrp, struct task_struct *task);
353 353
354/* Control Group subsystem type. See Documentation/cgroups.txt for details */ 354/* Control Group subsystem type. See Documentation/cgroups.txt for details */
355 355
diff --git a/kernel/cgroup.c b/kernel/cgroup.c
index c500ca7239b2..27792bcb0758 100644
--- a/kernel/cgroup.c
+++ b/kernel/cgroup.c
@@ -3084,18 +3084,19 @@ int cgroup_clone(struct task_struct *tsk, struct cgroup_subsys *subsys,
3084} 3084}
3085 3085
3086/** 3086/**
3087 * cgroup_is_descendant - see if @cgrp is a descendant of current task's cgrp 3087 * cgroup_is_descendant - see if @cgrp is a descendant of @task's cgrp
3088 * @cgrp: the cgroup in question 3088 * @cgrp: the cgroup in question
3089 * @task: the task in question
3089 * 3090 *
3090 * See if @cgrp is a descendant of the current task's cgroup in 3091 * See if @cgrp is a descendant of @task's cgroup in the appropriate
3091 * the appropriate hierarchy. 3092 * hierarchy.
3092 * 3093 *
3093 * If we are sending in dummytop, then presumably we are creating 3094 * If we are sending in dummytop, then presumably we are creating
3094 * the top cgroup in the subsystem. 3095 * the top cgroup in the subsystem.
3095 * 3096 *
3096 * Called only by the ns (nsproxy) cgroup. 3097 * Called only by the ns (nsproxy) cgroup.
3097 */ 3098 */
3098int cgroup_is_descendant(const struct cgroup *cgrp) 3099int cgroup_is_descendant(const struct cgroup *cgrp, struct task_struct *task)
3099{ 3100{
3100 int ret; 3101 int ret;
3101 struct cgroup *target; 3102 struct cgroup *target;
@@ -3105,7 +3106,7 @@ int cgroup_is_descendant(const struct cgroup *cgrp)
3105 return 1; 3106 return 1;
3106 3107
3107 get_first_subsys(cgrp, NULL, &subsys_id); 3108 get_first_subsys(cgrp, NULL, &subsys_id);
3108 target = task_cgroup(current, subsys_id); 3109 target = task_cgroup(task, subsys_id);
3109 while (cgrp != target && cgrp!= cgrp->top_cgroup) 3110 while (cgrp != target && cgrp!= cgrp->top_cgroup)
3110 cgrp = cgrp->parent; 3111 cgrp = cgrp->parent;
3111 ret = (cgrp == target); 3112 ret = (cgrp == target);
diff --git a/kernel/ns_cgroup.c b/kernel/ns_cgroup.c
index 78bc3fdac0d2..5aa854f9e5ae 100644
--- a/kernel/ns_cgroup.c
+++ b/kernel/ns_cgroup.c
@@ -34,7 +34,7 @@ int ns_cgroup_clone(struct task_struct *task, struct pid *pid)
34 34
35/* 35/*
36 * Rules: 36 * Rules:
37 * 1. you can only enter a cgroup which is a child of your current 37 * 1. you can only enter a cgroup which is a descendant of your current
38 * cgroup 38 * cgroup
39 * 2. you can only place another process into a cgroup if 39 * 2. you can only place another process into a cgroup if
40 * a. you have CAP_SYS_ADMIN 40 * a. you have CAP_SYS_ADMIN
@@ -45,21 +45,15 @@ int ns_cgroup_clone(struct task_struct *task, struct pid *pid)
45static int ns_can_attach(struct cgroup_subsys *ss, 45static int ns_can_attach(struct cgroup_subsys *ss,
46 struct cgroup *new_cgroup, struct task_struct *task) 46 struct cgroup *new_cgroup, struct task_struct *task)
47{ 47{
48 struct cgroup *orig;
49
50 if (current != task) { 48 if (current != task) {
51 if (!capable(CAP_SYS_ADMIN)) 49 if (!capable(CAP_SYS_ADMIN))
52 return -EPERM; 50 return -EPERM;
53 51
54 if (!cgroup_is_descendant(new_cgroup)) 52 if (!cgroup_is_descendant(new_cgroup, current))
55 return -EPERM; 53 return -EPERM;
56 } 54 }
57 55
58 if (atomic_read(&new_cgroup->count) != 0) 56 if (!cgroup_is_descendant(new_cgroup, task))
59 return -EPERM;
60
61 orig = task_cgroup(task, ns_subsys_id);
62 if (orig && orig != new_cgroup->parent)
63 return -EPERM; 57 return -EPERM;
64 58
65 return 0; 59 return 0;
@@ -77,7 +71,7 @@ static struct cgroup_subsys_state *ns_create(struct cgroup_subsys *ss,
77 71
78 if (!capable(CAP_SYS_ADMIN)) 72 if (!capable(CAP_SYS_ADMIN))
79 return ERR_PTR(-EPERM); 73 return ERR_PTR(-EPERM);
80 if (!cgroup_is_descendant(cgroup)) 74 if (!cgroup_is_descendant(cgroup, current))
81 return ERR_PTR(-EPERM); 75 return ERR_PTR(-EPERM);
82 76
83 ns_cgroup = kzalloc(sizeof(*ns_cgroup), GFP_KERNEL); 77 ns_cgroup = kzalloc(sizeof(*ns_cgroup), GFP_KERNEL);