[Devel] Re: [RFC][PATCH] IP address restricting cgroup subsystem

Grzegorz Nosek root at localdomain.pl
Wed Jan 7 01:37:01 PST 2009


On Wed, Jan 07, 2009 at 05:33:49 +0800, Li Zefan wrote:
> >> The root cgroup is read-only, so the tasks in it always bind to INADDR_ANY.
> >> For other cgroups, write is allowed only if it has no children and the
> >> parent is INADDR_ANY.
> > 
> > Yes, I like that. Will update the patch. I assume that I must check
> > list_empty(&cgroup->children)?
> 
> Yes.
> 
> > Should I use cgroup_lock()/cgroup_unlock()
> 
> Yes.
> 
> > or other locking? I think it will be safe to do without locks but would
> > rather get some expert advice.
> > 
> 
> No. Without locks, it races with mkdir.
> 
> =============
> 
> //cgroup_lock();
> 
> if (list_empty(&cgrp->children) &&
>     parent->ipv4_addr == INADDR_ANY)
> 					   <--- mkdir()
> 	ipcgroup->ipv4_addr = new_addr;
> 
> //cgroup_unlock();
> 
> ==============
> 
> In the above case, ipcgroup->ipv4_addr = new_addr,
> but child_cgroup->ipv4_addr == INADDR_ANY, which is not expected.

I see. Thanks a lot!

Best regards,
 Grzegorz Nosek
_______________________________________________
Containers mailing list
Containers at lists.linux-foundation.org
https://lists.linux-foundation.org/mailman/listinfo/containers
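
The race described in the quoted reply, as an added example that is not part of the original thread or of the patch under discussion: a user-space C model in which a pthread mutex stands in for cgroup_lock(), with the unlocked check/mkdir/store interleaving replayed deterministically next to the locked write. The struct ipcg, the function names, the -EBUSY return value and the rule that mkdir copies the parent's address into the child are assumptions made for the illustration.

```c
/* User-space model with constructed names; not kernel code. */
#include <errno.h>
#include <pthread.h>
#include <stdint.h>

#define ADDR_ANY 0u                 /* same value as INADDR_ANY */
struct ipcg {                       /* hypothetical per-cgroup state */
    struct ipcg *parent;            /* NULL for the root cgroup */
    int nr_children;                /* stands in for list_empty(&cgrp->children) */
    uint32_t ipv4_addr;
};
static pthread_mutex_t cg_lock = PTHREAD_MUTEX_INITIALIZER; /* stands in for cgroup_lock() */

/* Assumed mkdir behaviour: the child starts with the parent's address. */
static void ipcg_mkdir(struct ipcg *parent, struct ipcg *child)
{
    pthread_mutex_lock(&cg_lock);
    child->parent = parent;
    child->nr_children = 0;
    child->ipv4_addr = parent->ipv4_addr;
    parent->nr_children++;
    pthread_mutex_unlock(&cg_lock);
}

/* Rule from the thread: root is read-only, no children, parent is ANY. */
static int can_write(const struct ipcg *cg)
{
    return cg->parent && !cg->nr_children && cg->parent->ipv4_addr == ADDR_ANY;
}

/* Check and store in one critical section, so mkdir cannot land between. */
static int ipcg_write_addr(struct ipcg *cg, uint32_t new_addr)
{
    int ret = -EBUSY;               /* assumed error code */
    pthread_mutex_lock(&cg_lock);
    if (can_write(cg)) { cg->ipv4_addr = new_addr; ret = 0; }
    pthread_mutex_unlock(&cg_lock);
    return ret;
}

/* Replays check, mkdir, store without the lock; returns 1 if child != parent. */
static int replay_unlocked_race(uint32_t new_addr)
{
    struct ipcg root = { .ipv4_addr = ADDR_ANY }, cg, child;
    ipcg_mkdir(&root, &cg);
    int ok = can_write(&cg);        /* check passes: no children yet */
    ipcg_mkdir(&cg, &child);        /* mkdir() lands in the window */
    if (ok) cg.ipv4_addr = new_addr; /* store based on a stale check */
    return child.ipv4_addr != cg.ipv4_addr;
}
```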