[systemd-devel] User sessions: limit the ability to migrate cgroups
alban.crequy at collabora.co.uk
Wed Aug 13 09:11:20 PDT 2014
On Wed, 13 Aug 2014 16:37:17 +0200
Lennart Poettering <lennart at poettering.net> wrote:
> On Thu, 07.08.14 15:19, Alban Crequy (alban.crequy at collabora.co.uk)
> > Hi,
> > Should unprivileged processes be allowed to change cgroup?
> Well, they shouldn#t do it. But I think it's OK as long as this is
> only done within the specific user's hierarchies.
> > As I understand it, it is not possible to block processes to
> > leave a cgroup, but only to block processes to enter a cgroup.
> > In the following example, session-c4.scope/tasks belongs to
> > root:root with -rw-r--r-- and user at 1000.service/tasks belongs to
> > user:user with -rw-r--r--.
> Yes, this is because systemd --user needs to be able to manage its own
> cgroup subtree, so we have to open this up for the user at 1000.service
> service, but keep it restricted otherwise...
It makes sense.
> > So processes can freely move from session-c4.scope to
> > user at 1000.service. But not in the other direction.
> > $ systemd-cgls
> > Working Directory /sys/fs/cgroup/systemd/user.slice/user-1000.slice:
> > ├─session-c4.scope
> > │ ├─713 sshd: user [priv]
> > │ ├─722 sshd: user at pts/2
> > │ ├─723 -bash
> > │ ├─732 systemd-cgls
> > │ └─733 pager
> > ├─user at 1000.service
> > │ ├─406 /lib/systemd/systemd --user
> > With user sessions managed by systemd, will it be possible to
> > restrict unprivileged users from migrating to other cgroups?
> Unlikely. Access control on Unix is generally bound to user IDs, not
> processes, and we really shouldn't start here with departing from
I tested SELinux and AppArmor to restrict /sys/fs/cgroup/.
SELinux didn't help because the cgroup file system does not support
extended attributes such as "security.selinux", but AppArmor was able
to block an application from changing cgroup.
More information about the systemd-devel