[Devel] Re: ns_can_attach (nsproxy cgroup)
Grzegorz Nosek
root at localdomain.pl
Fri Dec 12 06:23:09 PST 2008
On Fri, Dec 12, 2008 at 08:09:08AM -0600, Serge E. Hallyn wrote:
> Quoting Grzegorz Nosek (root at localdomain.pl):
> > Hi all,
> >
> > Is there a good reason for ns_can_attach to restrict moving tasks only
> > to direct descendants of the current cgroup? I.e. could the code:
> >
> > 	orig = task_cgroup(task, ns_subsys_id);
> > 	if (orig && orig != new_cgroup->parent)
> > 		return -EPERM;
> >
> > be replaced with:
> >
> > 	orig = task_cgroup(task, ns_subsys_id);
> > 	if (orig && !cgroup_is_descendant_of(new_cgroup, orig))
> > 		return -EPERM;
> >
> > (for a suitable definition of cgroup_is_descendant_of). It would allow
> > moving tasks down the cgroup hierarchy more than one level at a time and
> > as far as I can see, would pose no additional problems.
> >
> > Please keep CC'd, I'm not subscribed.
>
> Well you can always move it down one level at a time, right? :)

Yeah, but I found a patch by Andrea Righi which fits my use case almost
100% [1]. The tasks are moved between cgroups by the kernel, so it's
kernel hacking for me either way and I guess modifying ns_can_attach
will be cleaner.

> But I can't think of any reason why it would be a problem. So
> pls feel free to send a patch.

Will do.

Best regards,
Grzegorz Nosek

[1] http://lwn.net/Articles/294364/
_______________________________________________
Containers mailing list
Containers at lists.linux-foundation.org
https://lists.linux-foundation.org/mailman/listinfo/containers
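
The two permission checks discussed in this thread, modelled in user-space C as an added example that is not part of the original messages or of the kernel source. The `struct cgroup` here is a toy stand-in with only a parent link, the `can_attach_*` function names are hypothetical, and `cgroup_is_descendant_of` is one possible definition that assumes "descendant" is strict (a cgroup is not its own descendant), which matches the original check's rejection of the same cgroup.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Toy stand-in for the kernel's struct cgroup: only the parent link matters. */
struct cgroup {
	struct cgroup *parent;	/* NULL for the hierarchy root */
};

/* Hypothetical helper: true if cg lies strictly below ancestor. */
static bool cgroup_is_descendant_of(const struct cgroup *cg,
				    const struct cgroup *ancestor)
{
	for (cg = cg->parent; cg; cg = cg->parent)
		if (cg == ancestor)
			return true;
	return false;
}

/* Check as quoted in the thread: only a direct child of orig is allowed. */
static int can_attach_direct_child(const struct cgroup *orig,
				   const struct cgroup *new_cgroup)
{
	return (orig && orig != new_cgroup->parent) ? -EPERM : 0;
}

/* Proposed check: any depth below orig is allowed; up or sideways is not. */
static int can_attach_descendant(const struct cgroup *orig,
				 const struct cgroup *new_cgroup)
{
	return (orig && !cgroup_is_descendant_of(new_cgroup, orig)) ? -EPERM : 0;
}

/* Constructed hierarchy: root -> a -> b -> c, plus root -> sibling. */
static struct cgroup root = { NULL };
static struct cgroup a = { &root }, b = { &a }, c = { &b };
static struct cgroup sibling = { &root };

int main(void)
{
	printf("a -> b:       direct=%d descendant=%d\n", can_attach_direct_child(&a, &b), can_attach_descendant(&a, &b));
	printf("a -> c:       direct=%d descendant=%d\n", can_attach_direct_child(&a, &c), can_attach_descendant(&a, &c));
	printf("c -> a:       direct=%d descendant=%d\n", can_attach_direct_child(&c, &a), can_attach_descendant(&c, &a));
	printf("a -> sibling: direct=%d descendant=%d\n", can_attach_direct_child(&a, &sibling), can_attach_descendant(&a, &sibling));
	return 0;
}
```

The relaxed check differs from the original only for moves two or more levels down; moves upward, to a sibling subtree, or to the same cgroup are still refused with `-EPERM`.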