[systemd-devel] User sessions: limit the ability to migrate cgroups

Alban Crequy alban.crequy at collabora.co.uk
Thu Aug 7 07:19:28 PDT 2014


Should unprivileged processes be allowed to change cgroup?

As I understand it, it is not possible to block processes to
leave a cgroup, but only to block processes to enter a cgroup.

In the following example, session-c4.scope/tasks belongs to root:root
with -rw-r--r-- and user at 1000.service/tasks belongs to user:user with

So processes can freely move from session-c4.scope to
user at 1000.service. But not in the other direction.

$ systemd-cgls
Working Directory /sys/fs/cgroup/systemd/user.slice/user-1000.slice:
│ ├─713 sshd: user [priv]  
│ ├─722 sshd: user at pts/2   
│ ├─723 -bash
│ ├─732 systemd-cgls
│ └─733 pager
├─user at 1000.service
│ ├─406 /lib/systemd/systemd --user

With user sessions managed by systemd, will it be possible to restrict
unprivileged users from migrating to other cgroups?

Best regards,

More information about the systemd-devel mailing list