cgroup: Add generic cgroup subsystem permission checks. Rather than using explicit euid == 0 checks when trying to move tasks into a cgroup via CFS, move permission checks into each specific cgroup subsystem. If a subsystem does not specify a 'can_attach' handler, then we fall back to doing our checks the old way. This way non-root processes can add arbitrary processes to a cgroup if all the registered subsystems on that cgroup agree. Also change explicit euid == 0 check to CAP_SYS_ADMIN Signed-off-by: San Mehat <san@google.com>

commit: 1d38bc7d0523af2233b4280e2aeab34c6a076665 [log] [tgz]
author: San Mehat <san@google.com> Thu May 21 14:10:06 2009 -0700
committer: Colin Cross <ccross@android.com> Tue Jun 14 09:09:13 2011 -0700
tree: 16c8c61cd13cc2e0d4fd879cc0cd87c893e867d6
parent: 22e9cd9dc9b51f5ad96588ecbfde5f3221e0e6dd [diff] [blame]
diff --git a/kernel/cpuset.c b/kernel/cpuset.c
index 9c9b754..a1df487 100644
--- a/kernel/cpuset.c
+++ b/kernel/cpuset.c

@@ -1373,6 +1373,13 @@
 {
 	struct cpuset *cs = cgroup_cs(cont);
 
+	if ((current != task) && (!capable(CAP_SYS_ADMIN))) {
+		const struct cred *cred = current_cred(), *tcred;
+
+		if (cred->euid != tcred->uid && cred->euid != tcred->suid)
+			return -EPERM;
+	}
+ 
 	if (cpumask_empty(cs->cpus_allowed) || nodes_empty(cs->mems_allowed))
 		return -ENOSPC;
commit	1d38bc7d0523af2233b4280e2aeab34c6a076665	[log] [tgz]
author	San Mehat <san@google.com>	Thu May 21 14:10:06 2009 -0700
committer	Colin Cross <ccross@android.com>	Tue Jun 14 09:09:13 2011 -0700
tree	16c8c61cd13cc2e0d4fd879cc0cd87c893e867d6
parent	22e9cd9dc9b51f5ad96588ecbfde5f3221e0e6dd [diff] [blame]