author: Serge E. Hallyn <serge@hallyn.com> 2016-04-29 09:49:23 +0200
committer: Michael Kerrisk <mtk.manpages@gmail.com> 2016-05-09 23:08:54 +0200
commit: 99ef85aba8354ddfff162012b3f1c771a891b27d (patch)
tree: 20e063b8021f967d2ec22838c4051ba61ba0291a /man7/namespaces.7
parent: 2c4fbe35193b16620924fca3565d732df5f4eeee (diff)
namespaces.7: Explain the more important benefit for cgroup namespaces
mtk: edited text supplied by Serge.

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
Diffstat (limited to 'man7/namespaces.7')
-rw-r--r-- man7/namespaces.7 | 15
1 files changed, 14 insertions, 1 deletions
diff --git a/man7/namespaces.7 b/man7/namespaces.7
index 196972e9ca..bb37fedb6f 100644
--- a/man7/namespaces.7
+++ b/man7/namespaces.7
@@ -267,9 +267,22 @@ $ \fBcat /proc/20124/cgroup | grep freezer\fP
.in
.fi
-The virtualization provided by cgroup namespaces can be used to prevent
+The virtualization provided by cgroup namespaces serves at least two purposes.
+First, it can be used to prevent
information leaks whereby cgroup directory paths outside of
a container would otherwise be visible to processes in the container.
+More importantly, this allows easier and more flexible
+confinement of container root tasks, because they can mount
+their own cgroup filesystems without needing to gain access to ancestor
+cgroup directories.
+So, for example, even if
+.I /cg/1
+is owned by uid 100000, a task namespaced under
+.I /cg/1/2
+owned by UID 100000 can mount that cgroup but not change settings in
+.IR /cg/1 .
+Combined with correct enforcement of hierarchical limits,
+this prevents that task from escaping its limits.
Use of cgroup namespaces requires a kernel that is configured with the
.B CONFIG_CGROUPS
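Review bot: the example beginning "So, for example, even if /cg/1 is owned by uid 100000" does not say why a task that itself runs as UID 100000 cannot change settings in a directory it owns, so a reader is left to guess at the mechanism; state explicitly that the cgroup filesystem mounted from inside the namespace is rooted at the task's own cgroup (/cg/1/2), so /cg/1 is not reachable through that mount at all, and that the protection therefore depends on no other mount of the hierarchy (for example a host-side mount carried into the container's mount namespace) exposing the ancestor directory, since plain ownership would otherwise permit the write. The sentence "Combined with correct enforcement of hierarchical limits, this prevents that task from escaping its limits" would then follow naturally, because the task can only lower or subdivide the limits already imposed at /cg/1/2. Two smaller points in the same added lines: "uid 100000" and "UID 100000" should use one spelling (the rest of the page uses "UID"), and "a task namespaced under /cg/1/2" could say how it got there, e.g. "a task placed in a cgroup namespace while in /cg/1/2", since "namespaced" is not otherwise used in this section.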