mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
synced 2025-01-15 17:43:59 +00:00
be367d0992
Alter the ss->can_attach and ss->attach functions to be able to deal with a whole threadgroup at a time, for use in cgroup_attach_proc. (This is a pre-patch to cgroup-procs-writable.patch.) Currently, new mode of the attach function can only tell the subsystem about the old cgroup of the threadgroup leader. No subsystem currently needs that information for each thread that's being moved, but if one were to be added (for example, one that counts tasks within a group) this bit would need to be reworked a bit to tell the subsystem the right information. [hidave.darkstar@gmail.com: fix build] Signed-off-by: Ben Blum <bblum@google.com> Signed-off-by: Paul Menage <menage@google.com> Acked-by: Li Zefan <lizf@cn.fujitsu.com> Reviewed-by: Matt Helsley <matthltc@us.ibm.com> Cc: "Eric W. Biederman" <ebiederm@xmission.com> Cc: Oleg Nesterov <oleg@redhat.com> Cc: Peter Zijlstra <a.p.zijlstra@chello.nl> Cc: Ingo Molnar <mingo@elte.hu> Cc: Dave Young <hidave.darkstar@gmail.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
111 lines
2.5 KiB
C
111 lines
2.5 KiB
C
/*
|
|
* ns_cgroup.c - namespace cgroup subsystem
|
|
*
|
|
* Copyright 2006, 2007 IBM Corp
|
|
*/
|
|
|
|
#include <linux/module.h>
|
|
#include <linux/cgroup.h>
|
|
#include <linux/fs.h>
|
|
#include <linux/proc_fs.h>
|
|
#include <linux/slab.h>
|
|
#include <linux/nsproxy.h>
|
|
|
|
struct ns_cgroup {
|
|
struct cgroup_subsys_state css;
|
|
};
|
|
|
|
struct cgroup_subsys ns_subsys;
|
|
|
|
static inline struct ns_cgroup *cgroup_to_ns(
|
|
struct cgroup *cgroup)
|
|
{
|
|
return container_of(cgroup_subsys_state(cgroup, ns_subsys_id),
|
|
struct ns_cgroup, css);
|
|
}
|
|
|
|
int ns_cgroup_clone(struct task_struct *task, struct pid *pid)
|
|
{
|
|
char name[PROC_NUMBUF];
|
|
|
|
snprintf(name, PROC_NUMBUF, "%d", pid_vnr(pid));
|
|
return cgroup_clone(task, &ns_subsys, name);
|
|
}
|
|
|
|
/*
|
|
* Rules:
|
|
* 1. you can only enter a cgroup which is a descendant of your current
|
|
* cgroup
|
|
* 2. you can only place another process into a cgroup if
|
|
* a. you have CAP_SYS_ADMIN
|
|
* b. your cgroup is an ancestor of task's destination cgroup
|
|
* (hence either you are in the same cgroup as task, or in an
|
|
* ancestor cgroup thereof)
|
|
*/
|
|
static int ns_can_attach(struct cgroup_subsys *ss, struct cgroup *new_cgroup,
|
|
struct task_struct *task, bool threadgroup)
|
|
{
|
|
if (current != task) {
|
|
if (!capable(CAP_SYS_ADMIN))
|
|
return -EPERM;
|
|
|
|
if (!cgroup_is_descendant(new_cgroup, current))
|
|
return -EPERM;
|
|
}
|
|
|
|
if (!cgroup_is_descendant(new_cgroup, task))
|
|
return -EPERM;
|
|
|
|
if (threadgroup) {
|
|
struct task_struct *c;
|
|
rcu_read_lock();
|
|
list_for_each_entry_rcu(c, &task->thread_group, thread_group) {
|
|
if (!cgroup_is_descendant(new_cgroup, c)) {
|
|
rcu_read_unlock();
|
|
return -EPERM;
|
|
}
|
|
}
|
|
rcu_read_unlock();
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|
|
/*
|
|
* Rules: you can only create a cgroup if
|
|
* 1. you are capable(CAP_SYS_ADMIN)
|
|
* 2. the target cgroup is a descendant of your own cgroup
|
|
*/
|
|
static struct cgroup_subsys_state *ns_create(struct cgroup_subsys *ss,
|
|
struct cgroup *cgroup)
|
|
{
|
|
struct ns_cgroup *ns_cgroup;
|
|
|
|
if (!capable(CAP_SYS_ADMIN))
|
|
return ERR_PTR(-EPERM);
|
|
if (!cgroup_is_descendant(cgroup, current))
|
|
return ERR_PTR(-EPERM);
|
|
|
|
ns_cgroup = kzalloc(sizeof(*ns_cgroup), GFP_KERNEL);
|
|
if (!ns_cgroup)
|
|
return ERR_PTR(-ENOMEM);
|
|
return &ns_cgroup->css;
|
|
}
|
|
|
|
static void ns_destroy(struct cgroup_subsys *ss,
|
|
struct cgroup *cgroup)
|
|
{
|
|
struct ns_cgroup *ns_cgroup;
|
|
|
|
ns_cgroup = cgroup_to_ns(cgroup);
|
|
kfree(ns_cgroup);
|
|
}
|
|
|
|
struct cgroup_subsys ns_subsys = {
|
|
.name = "ns",
|
|
.can_attach = ns_can_attach,
|
|
.create = ns_create,
|
|
.destroy = ns_destroy,
|
|
.subsys_id = ns_subsys_id,
|
|
};
|