From: Lennart Poettering
Date: Wed, 8 Jan 2025 20:36:16 +0000 (+0100)
Subject: pid1: allow removal of foreign-owned subcgroups of cgroups owned by some user (#35922)
X-Git-Tag: v258-rc1~1665
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=a241b796faeb499822e9c1789c1940bedf96e8a0;p=thirdparty%2Fsystemd.git

pid1: allow removal of foreign-owned subcgroups of cgroups owned by some user (#35922)

This improves operation in unprivileged userns environments, where
unpriv user code might invoke a container with a delegated userns UID
range, and thus ends up with a subcgroup owned by another UID.

With this patch any user is always allowed to remove their own cgroups
even if they have subcgroups owned by other users.

This removes a DoS of sorts, and enforces the rule that users strictly
own everything below cgroups they own.
---

a241b796faeb499822e9c1789c1940bedf96e8a0