Re: [PATCH] Documentation/cgroup-v2: warn about cgroup.kill / cgroup.freeze delegation

Next message: Krzysztof Kozlowski: "[PATCH v2] pinctrl: qcom: Make important drivers default"
Previous message: Crt Mori: "Re: [PATCH] iio: mlx90614: fix missing GPIO direction return value checks"
In reply to: Maoyi Xie: "[PATCH] Documentation/cgroup-v2: warn about cgroup.kill / cgroup.freeze delegation"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Tejun Heo

Date: Tue Apr 28 2026 - 13:01:50 EST

On Tue, Apr 28, 2026 at 03:22:51PM +0800, Maoyi Xie wrote:
> + A write to cgroup.freeze affects every process currently in the
> + cgroup or its descendants regardless of the writer's signal
> + authority over those processes. The file therefore acts as a
> + delegated stop knob: chowning it, or passing an open file
> + descriptor to it, grants the recipient unconditional freeze
> + authority over whatever lands in the subtree. Runtime authors
> + should not delegate cgroup.freeze outside of the trust boundary
> + of the cgroup itself.

For example, if you delegate a memory control file, whoever can write to it
can control memory distribution over everyone in the cgroup too regardless
of their UID. Here's an excerpt from "Model of Delegation" section:

Because the resource control interface files in a given directory
control the distribution of the parent's resources, the delegatee
shouldn't be allowed to write to them.

These threads basically amount to "if I give SUID to bash, I get a root
shell". Please stop.

Thanks.

--
tejun