[CRIU] [PATCH] cgroups: Rework "devices" controller properties restoration
Cyrill Gorcunov
gorcunov at virtuozzo.com
Thu Sep 1 07:01:33 PDT 2016
On Thu, Sep 01, 2016 at 04:41:26PM +0300, Cyrill Gorcunov wrote:
> Currently if there are several subcgroups in devices container
> we're trying to deny any device by default first before we're
> setting up allowed device from the image. That is prohibited
> by kernel because if the cgroup has an active parent no one can
> add a rule to deny devices. The logic in kernel is simple: once
> devices are denied from top level, all descendant cgroups are
> automatically propagated with such limitation.
>
> Thus what we need is to setup "deny" rule on toplevel cgroup.
> Thus here is a proposal
>
> - in restore_special_props pass a level number so we won't try
> to deny devices on children which already have this rule
> - write global deny rule _iif_ it's a fresh cgroup created,
> if cgroup is already existing we assume the user already
> configured it
>
> Signed-off-by: Cyrill Gorcunov <gorcunov at virtuozzo.com>
> ---
>
> Guys, take a look please, this is on top of our vz7 CRIU but
> I'll portforward it upon review.
Sidenote: of course the routine of parsing devices.list and
restoring props should be merged into a separate helper to not
duplicate the code.
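The restore ordering described in the patch (one global "deny a" on the top-level cgroup, and only when restore created it, followed by the per-level allow rules from the image), together with the shared devices.list parsing helper the sidenote asks for, as an added example. This is illustrative code written for this page, not CRIU's own implementation: the `CgroupImage` record, the `level`/`fresh` fields, the devices.list regex and the wildcard-coverage check in `covers` are all assumptions modelled on the cgroup v1 "devices" controller file format, and the sample images are constructed here.

```python
"""Plan writes for restoring cgroup v1 "devices" controller state in a
nested tree: "deny a" goes only to the top-level cgroup (and only when
restore created it); allow rules are then written at every level."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# devices.list entries look like "c 1:3 rwm", "b *:* rwm" or "a *:* rwm"
# ("a *:* rwm" means everything is allowed). The pattern is an assumption
# about the file format, not parsing code taken from CRIU.
_RULE = re.compile(r"^([abc]) (\*|\d+):(\*|\d+) ([rwm]{1,3})$")


@dataclass(frozen=True)
class DevRule:
    dtype: str   # 'a' (all), 'b' (block) or 'c' (char)
    major: str   # device major number or '*'
    minor: str   # device minor number or '*'
    access: str  # subset of "rwm", normalised to that order

    def __str__(self) -> str:
        return f"{self.dtype} {self.major}:{self.minor} {self.access}"


def parse_devices_list(text: str) -> List[DevRule]:
    """Shared helper: parse devices.list contents into DevRule records."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _RULE.match(line)
        if not m:
            raise ValueError(f"malformed devices.list entry: {line!r}")
        dtype, major, minor, access = m.groups()
        access = "".join(c for c in "rwm" if c in access)  # dedupe + order
        rules.append(DevRule(dtype, major, minor, access))
    return rules


def covers(parent: DevRule, child: DevRule) -> bool:
    """Does a parent allow-rule cover a child allow-rule? Assumed wildcard
    semantics: type 'a' matches any type, '*' matches any major/minor, and
    the child's access bits must be a subset of the parent's."""
    if parent.dtype != "a" and parent.dtype != child.dtype:
        return False
    if parent.major != "*" and parent.major != child.major:
        return False
    if parent.minor != "*" and parent.minor != child.minor:
        return False
    return set(child.access) <= set(parent.access)


@dataclass
class CgroupImage:
    path: str                             # path inside the devices hierarchy
    level: int                            # 0 = top-level cgroup being restored
    fresh: bool                           # True when restore created the cgroup
    devices_list: str                     # captured devices.list contents
    parent: Optional["CgroupImage"] = None


Write = Tuple[str, str, str]  # (cgroup path, control file, value to write)


def plan_devices_restore(images: List[CgroupImage]) -> List[Write]:
    """Return the ordered control-file writes needed to restore the tree."""
    writes: List[Write] = []
    for img in sorted(images, key=lambda i: i.level):   # parents first
        rules = parse_devices_list(img.devices_list)
        if img.level == 0 and img.fresh:
            # Global deny only on the top level, and only on a cgroup we
            # created; a pre-existing one is assumed user-configured.
            writes.append((img.path, "devices.deny", "a"))
        if img.parent is not None:
            # A child cannot allow more than its parent: catch the rule the
            # kernel would reject before writing anything.
            parent_rules = parse_devices_list(img.parent.devices_list)
            for r in rules:
                if not any(covers(p, r) for p in parent_rules):
                    raise ValueError(
                        f"{img.path}: rule '{r}' not covered by {img.parent.path}")
        for r in rules:
            writes.append((img.path, "devices.allow", str(r)))
    return writes


# Constructed sample (not CRIU image data): container cgroup "ct1" allows
# /dev/null (1:3) and /dev/zero (1:5); its child only gets /dev/null.
TOP = CgroupImage("ct1", 0, True, "c 1:3 rwm\nc 1:5 rwm\n")
CHILD = CgroupImage("ct1/app", 1, True, "c 1:3 rw\n", parent=TOP)


def example_plan() -> List[Write]:
    return plan_devices_restore([CHILD, TOP])


if __name__ == "__main__":
    for path, ctl, value in example_plan():
        print(f"echo '{value}' > {path}/{ctl}")
```

Sorting by `level` ensures the top-level deny lands before any child allow rule; the coverage check is a pre-flight sanity check on the image contents, it does not replace the kernel's own enforcement at write time.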