| ▲ | asveikau 3 hours ago | |
Maybe I'm misreading, but considering it OK to leak memory contents across a process boundary because it's within a cgroup sounds wild. | ||
| ▲ | adsharma 3 hours ago | parent [-] | |
It wasn't any cgroup. If you put two untrusting processes in a memory cgroup, there is a lot that can go wrong. If you don't like the idea of memory cgroups as a security domain, you could tighten it to be a process. But kernel developers have been opposed to tracking pages on a per address space basis for a long time. On the other hand memory cgroup tracking happens by construction. | ||