[PATCH 4/4] The control group itself
xemul at openvz.org
Mon Jan 14 23:53:13 PST 2008
> Thanks for working on this, Pavel.
> My only question with this patch is - so if I create a devs
> cgroup which only has access to, say /dev/loop0 and /dev/tty3,
> and someone in that cgroup manages to create a new cgroup, the
> new cgroup will have all the default permissions again, rather
> than inherit the permissions from this cgroup, right?
Right. When you create a new cgroup you have an empty perms
set. Maybe it's worth inheriting the perms from the parent
container, but I think that empty set is better as you will
reconfigure it anyway.
>> +static ssize_t devs_write(struct cgroup *cont, struct cftype *cft,
>> + struct file *f, const char __user *ubuf,
>> + size_t nbytes, loff_t *pos)
>> + int err, all, chrdev;
>> + dev_t dev;
>> + char buf;
>> + struct devs_cgroup *devs;
>> + mode_t mode;
> (Of course this will require some privilege, i assume that's a detail
> you'll add next time around)
Hm... I though that privileges are governed at the cgroup level.... No?
More information about the Containers