[systemd-devel] User sessions: limit the ability to migrate cgroups
Alban Crequy
alban.crequy at collabora.co.uk
Thu Aug 7 07:19:28 PDT 2014
Hi,
Should unprivileged processes be allowed to change cgroup?
As I understand it, it is not possible to block processes from
leaving a cgroup, but only to block processes from entering a cgroup.
In the following example, session-c4.scope/tasks belongs to root:root
with -rw-r--r-- and user@1000.service/tasks belongs to user:user with
-rw-r--r--.
So processes can freely move from session-c4.scope to
user@1000.service. But not in the other direction.
$ systemd-cgls
Working Directory /sys/fs/cgroup/systemd/user.slice/user-1000.slice:
├─session-c4.scope
│ ├─713 sshd: user [priv]
│ ├─722 sshd: user@pts/2
│ ├─723 -bash
│ ├─732 systemd-cgls
│ └─733 pager
├─user@1000.service
│ ├─406 /lib/systemd/systemd --user
With user sessions managed by systemd, will it be possible to restrict
unprivileged users from migrating to other cgroups?
Best regards,
Alban
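
An audit sketch for the situation described in the message above, added here as an example and not part of the original post or of systemd: it lists which cgroups a given uid may enter, judged only by the owner and mode bits of each tasks file. The function names, the sample paths and the mapping of "user" to uid/gid 1000 are assumptions; ACLs and any additional kernel checks are not modelled.

```python
import os
import stat

def can_write(st_uid, st_gid, st_mode, uid, gids):
    """Classic owner/group/other test for the write bit (no ACLs)."""
    if uid == 0:
        return True  # root is not restricted by mode bits
    if uid == st_uid:
        return bool(st_mode & stat.S_IWUSR)
    if st_gid in gids:
        return bool(st_mode & stat.S_IWGRP)
    return bool(st_mode & stat.S_IWOTH)

def joinable(entries, uid, gids):
    """Cgroups whose tasks file the uid may write, i.e. cgroups it may enter."""
    return [os.path.dirname(path)
            for path, f_uid, f_gid, mode in entries
            if can_write(f_uid, f_gid, mode, uid, gids)]

def scan(root, name="tasks"):
    """Collect (path, uid, gid, mode) for every tasks file below root."""
    found = []
    for directory, _subdirs, files in os.walk(root):
        if name in files:
            path = os.path.join(directory, name)
            st = os.stat(path)
            found.append((path, st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode)))
    return found

# Constructed sample mirroring the listing in the message:
# root:root 0644 on the session scope, user:user 0644 on the user service.
# uid/gid 1000 for "user" is an assumption.
SAMPLE = [
    ("user.slice/user-1000.slice/session-c4.scope/tasks", 0, 0, 0o644),
    ("user.slice/user-1000.slice/user@1000.service/tasks", 1000, 1000, 0o644),
]

if __name__ == "__main__":
    for cgroup in joinable(SAMPLE, 1000, [1000]):
        print("uid 1000 may enter:", cgroup)
```

On a live system, `joinable(scan("/sys/fs/cgroup/systemd/user.slice"), uid, gids)` applies the same check to the hierarchy shown by systemd-cgls.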