[CRIU] [PATCH v2] cgroups: Rework "devices" controller properties restoration
Cyrill Gorcunov
gorcunov at gmail.com
Mon Sep 12 03:00:33 PDT 2016
On Thu, Sep 1, 2016 at 6:52 PM, Cyrill Gorcunov <gorcunov at gmail.com> wrote:
> Currently if there are several subcgroups in devices container
> we're trying to deny any device by default first before we're
> setting up allowed device from the image. That is prohibited
> by kernel because if the cgroup has an active parent no one can
> add a rule to deny devices. The logic in kernel is simple: once
> devices are denied from top level, all descendant cgroups are
> automatically propagated with such limitation.
>
> Thus what we need is to setup "deny" rule on toplevel cgroup.
> Thus here is a proposal
>
> - in restore_special_props pass a level number so we won't try
> to deny devices on children which already have this rule
> - write global deny rule _iff_ it's a fresh cgroup created,
> if cgroup is already existing we assume the user already
> configured it
>
> Signed-off-by: Cyrill Gorcunov <gorcunov at virtuozzo.com>
Ping?
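The restore order described in the quoted patch, as an added example that is not CRIU's code and not part of the original thread: walk the image entries parent-first, write the global "a" deny rule only on the top-level (level 0) devices cgroup and only when the restorer created that cgroup itself, then replay each cgroup's devices.allow rules. The `SAMPLE_IMAGE` dictionary, the `root` argument (standing in for the mounted devices controller), and the `demo()` helper are assumptions of this example; on a real cgroup v1 mount the `devices.deny`/`devices.allow` files already exist and each write appends a rule, whereas in a scratch directory they are created on first write.

```python
"""Model of the proposed restore order for the "devices" controller.

Added example, not CRIU's implementation. Assumes a cgroup v1 style
layout where each cgroup is a directory holding devices.deny and
devices.allow, and that `image` maps a cgroup path (relative to the
controller root) to the devices.allow lines recorded for it.
"""
import os
import tempfile

# Constructed stand-in for per-cgroup properties in the image (assumption).
SAMPLE_IMAGE = {
    "ct": ["c 1:3 rwm", "c 1:5 rwm"],   # /dev/null, /dev/zero
    "ct/sub": ["c 1:3 rwm"],
    "ct/sub/leaf": ["c 1:5 rwm"],
}


def write_prop(cg_dir, name, value):
    """Write one line to a controller file (creates it in a scratch dir)."""
    with open(os.path.join(cg_dir, name), "w") as f:
        f.write(value + "\n")


def restore_devices_props(root, image):
    """Restore devices properties parent-first.

    Returns the list of (cgroup, file, value) writes in the order performed,
    so callers (and tests) can check that the global deny rule is issued
    once, at level 0, and only for a freshly created cgroup.
    """
    writes = []
    # Parents must exist before children: sort by nesting depth.
    for rel in sorted(image, key=lambda p: p.count("/")):
        cg_dir = os.path.join(root, rel)
        level = rel.count("/")           # 0 == top-level cgroup
        fresh = not os.path.isdir(cg_dir)
        if fresh:
            os.makedirs(cg_dir)
        # Deny everything only at the top level and only if we created it;
        # an already existing cgroup is assumed to be configured by the user,
        # and children inherit the parent's deny anyway.
        if level == 0 and fresh:
            write_prop(cg_dir, "devices.deny", "a")
            writes.append((rel, "devices.deny", "a"))
        for rule in image[rel]:
            write_prop(cg_dir, "devices.allow", rule)
            writes.append((rel, "devices.allow", rule))
    return writes


def demo(pre_existing=(), image=SAMPLE_IMAGE):
    """Run the restore against a scratch root (assumption: stands in for the
    devices controller mount). `pre_existing` lists cgroups that already
    exist before restore, e.g. ("ct",) for a user-configured top level."""
    root = tempfile.mkdtemp(prefix="devcg-")
    for rel in pre_existing:
        os.makedirs(os.path.join(root, rel))
    return restore_devices_props(root, image)


if __name__ == "__main__":
    for step in demo():
        print("fresh   :", step)
    for step in demo(pre_existing=("ct",)):
        print("existing:", step)
```

Running it with an empty root yields exactly one `devices.deny` write, on `ct`, before any allow rule; pre-creating `ct` yields only `devices.allow` writes, which is the "user already configured it" case from the patch description.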