Commit 726a4994 authored by Eric W. Biederman's avatar Eric W. Biederman Committed by Tejun Heo

cgroupns: Only allow creation of hierarchies in the initial cgroup namespace

Unprivileged users can't use hierarchies if they create them as they do not
have privilieges to the root directory.

Which means the only thing a hiearchy created by an unprivileged user
is good for is expanding the number of cgroup links in every css_set,
which is a DOS attack.

We could allow hierarchies to be created in namespaces in the initial
user namespace.  Unfortunately there is only a single namespace for
the names of heirarchies, so that is likely to create more confusion
than not.

So do the simple thing and restrict hiearchy creation to the initial
cgroup namespace.

Fixes: a79a908f ("cgroup: introduce cgroup namespaces")
Signed-off-by: default avatar"Eric W. Biederman" <>
Signed-off-by: default avatarTejun Heo <>
parent eedd0f4c
......@@ -2215,12 +2215,8 @@ static struct dentry *cgroup_mount(struct file_system_type *fs_type,
goto out_unlock;
* We know this subsystem has not yet been bound. Users in a non-init
* user namespace may only mount hierarchies with no bound subsystems,
* i.e. 'none,name=user1'
if (!opts.none && !capable(CAP_SYS_ADMIN)) {
/* Hierarchies may only be created in the initial cgroup namespace. */
if (ns != &init_cgroup_ns) {
ret = -EPERM;
goto out_unlock;
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment