cgroup: clarify cgroup_css_set_fork()

With recent fixes for the permission checking when moving a task into a cgroup
using a file descriptor to a cgroup's cgroup.procs file and calling write() it
seems a good idea to clarify CLONE_INTO_CGROUP permission checking with a
comment.

Cc: Tejun Heo <tj@kernel.org>
Cc: <cgroups@vger.kernel.org>
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Tejun Heo <tj@kernel.org>

diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c
index b31e1465868ab542c91a692063eb845ed2de1e05..77702e089d6ae444d3ed4ee552cd67a6d035a1e8 100644 (file)
--- a/kernel/cgroup/cgroup.c
+++ b/kernel/cgroup/cgroup.c
@@ -6161,6 +6161,20 @@ static int cgroup_css_set_fork(struct kernel_clone_args *kargs)
        if (ret)
                goto err;
 
+       /*
+        * Spawning a task directly into a cgroup works by passing a file
+        * descriptor to the target cgroup directory. This can even be an O_PATH
+        * file descriptor. But it can never be a cgroup.procs file descriptor.
+        * This was done on purpose so spawning into a cgroup could be
+        * conceptualized as an atomic
+        *
+        *   fd = openat(dfd_cgroup, "cgroup.procs", ...);
+        *   write(fd, <child-pid>, ...);
+        *
+        * sequence, i.e. it's a shorthand for the caller opening and writing
+        * cgroup.procs of the cgroup indicated by @dfd_cgroup. This allows us
+        * to always use the caller's credentials.
+        */
        ret = cgroup_attach_permissions(cset->dfl_cgrp, dst_cgrp, sb,
                                        !(kargs->flags & CLONE_THREAD),
                                        current->nsproxy->cgroup_ns);