[0/4] Honor cgroup namespace when resolving cgroup id

Message ID	20220826165238.30915-1-mkoutny@suse.com (mailing list archive)
Headers	show Return-Path: <bpf-owner@kernel.org> From: =?utf-8?q?Michal_Koutn=C3=BD?= <mkoutny@suse.com> To: linux-kernel@vger.kernel.org, cgroups@vger.kernel.org, bpf@vger.kernel.org Cc: Tejun Heo <tj@kernel.org>, Aditya Kali <adityakali@google.com>, Serge Hallyn <serge.hallyn@canonical.com>, Roman Gushchin <roman.gushchin@linux.dev>, Yonghong Song <yhs@fb.com>, Muneendra Kumar <muneendra.kumar@broadcom.com>, Yosry Ahmed <yosryahmed@google.com>, Hao Luo <haoluo@google.com> Subject: [PATCH 0/4] Honor cgroup namespace when resolving cgroup id Date: Fri, 26 Aug 2022 18:52:34 +0200 Message-Id: <20220826165238.30915-1-mkoutny@suse.com> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	Honor cgroup namespace when resolving cgroup id \| expand [0/4] Honor cgroup namespace when resolving cgroup id [1/4] cgroup: Honor caller's cgroup NS when resolving path [2/4] cgroup: cgroup: Honor caller's cgroup NS when resolving cgroup id [3/4] cgroup: Homogenize cgroup_get_from_id() return value [4/4] cgroup/bpf: Honor cgroup NS in cgroup_iter for ancestors

Message ID

20220826165238.30915-1-mkoutny@suse.com (mailing list archive)

Headers

From: =?utf-8?q?Michal_Koutn=C3=BD?= <mkoutny@suse.com>
To: linux-kernel@vger.kernel.org, cgroups@vger.kernel.org,
        bpf@vger.kernel.org
Cc: Tejun Heo <tj@kernel.org>, Aditya Kali <adityakali@google.com>,
        Serge Hallyn <serge.hallyn@canonical.com>,
        Roman Gushchin <roman.gushchin@linux.dev>,
        Yonghong Song <yhs@fb.com>,
        Muneendra Kumar <muneendra.kumar@broadcom.com>,
        Yosry Ahmed <yosryahmed@google.com>,
        Hao Luo <haoluo@google.com>
Subject: [PATCH 0/4] Honor cgroup namespace when resolving cgroup id
Date: Fri, 26 Aug 2022 18:52:34 +0200
Message-Id: <20220826165238.30915-1-mkoutny@suse.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk

Series

Honor cgroup namespace when resolving cgroup id | expand

Message

Michal Koutný Aug. 26, 2022, 4:52 p.m. UTC

Cgroup id is becoming a new way for userspace how to refer to cgroups it
wants to act upon. As opposed to cgroupfs (paths, opened FDs), the
current approach does not reflect limited view by (non-init) cgroup
namespaces.

This patches don't aim to limit what a user can do (consider an uid=0 in
mere cgroup namespace) but to provide consistent view within a
namespace.

The series is based on bpf-next with the new cgroup_iter. I've only
boot-tested it (especially I didn't run the BPF selftest).

Michal Koutný (4):
  cgroup: Honor caller's cgroup NS when resolving path
  cgroup: cgroup: Honor caller's cgroup NS when resolving cgroup id
  cgroup: Homogenize cgroup_get_from_id() return value
  cgroup/bpf: Honor cgroup NS in cgroup_iter for ancestors

 block/blk-cgroup-fc-appid.c |  4 +--
 include/linux/cgroup.h      |  8 +++---
 kernel/bpf/cgroup_iter.c    |  9 ++++---
 kernel/cgroup/cgroup.c      | 53 ++++++++++++++++++++++++++++---------
 mm/memcontrol.c             |  4 +--
 5 files changed, 54 insertions(+), 24 deletions(-)


base-commit: 343949e10798a52c6d6a14effc962e010ed471ae

Comments

Tejun Heo Aug. 26, 2022, 8:59 p.m. UTC | #1

On Fri, Aug 26, 2022 at 06:52:34PM +0200, Michal Koutný wrote:
> Cgroup id is becoming a new way for userspace how to refer to cgroups it
> wants to act upon. As opposed to cgroupfs (paths, opened FDs), the
> current approach does not reflect limited view by (non-init) cgroup
> namespaces.
> 
> This patches don't aim to limit what a user can do (consider an uid=0 in
> mere cgroup namespace) but to provide consistent view within a
> namespace.

Applied 1-3 to cgroup/for-6.1. The branch will be stable, so please feel
free to pull from bpf/for-next.

Thanks.

Tejun Heo Aug. 26, 2022, 9:08 p.m. UTC | #2

Hello,

On Fri, Aug 26, 2022 at 06:52:34PM +0200, Michal Koutný wrote:
> Cgroup id is becoming a new way for userspace how to refer to cgroups it
> wants to act upon. As opposed to cgroupfs (paths, opened FDs), the
> current approach does not reflect limited view by (non-init) cgroup
> namespaces.

Looking at the code, I'm not quite sure we're actually plugging all holes in
terms of lookup. I think cgroup_get_from_path() would allow walking up past
the ns boundary. We aren't using kernfs ns support and I don't see anything
preventing ..'ing past the boundary.

> This patches don't aim to limit what a user can do (consider an uid=0 in
> mere cgroup namespace) but to provide consistent view within a
> namespace.

Considering userns and the fact that we try to isolate two separate sub
hierarchies delegated to the same UID, I think we'd have to tighten down on
the behaviors so that visiblity scope matches the permission scope.

Thanks.