[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAJD7tkZySzWgJgp4xbkpSstc_RMN_tJqt83-FFrxv6jASeg8CA@mail.gmail.com>
Date: Mon, 29 Aug 2022 10:30:45 -0700
From: Yosry Ahmed <yosryahmed@...gle.com>
To: Michal Koutný <mkoutny@...e.com>
Cc: Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
Cgroups <cgroups@...r.kernel.org>, bpf <bpf@...r.kernel.org>,
Tejun Heo <tj@...nel.org>, Aditya Kali <adityakali@...gle.com>,
Serge Hallyn <serge.hallyn@...onical.com>,
Roman Gushchin <roman.gushchin@...ux.dev>,
Yonghong Song <yhs@...com>,
Muneendra Kumar <muneendra.kumar@...adcom.com>,
Hao Luo <haoluo@...gle.com>
Subject: Re: [PATCH 4/4] cgroup/bpf: Honor cgroup NS in cgroup_iter for ancestors
On Mon, Aug 29, 2022 at 6:00 AM Michal Koutný <mkoutny@...e.com> wrote:
>
> On Fri, Aug 26, 2022 at 10:41:37AM -0700, Yosry Ahmed <yosryahmed@...gle.com> wrote:
> > I understand that currently cgroup_iter is the only user of this, but
> > for future use cases, is it safe to assume that cgrp will always be
> > inside ns? Would it be safer to do something like:
>
> I preferred the simpler root_cgrp comparison to avoid pointer
> arithmetics in cgroup_is_descendant. But I also made the assumption of
> cgrp in ns.
>
> Thanks, I'll likely adjust cgroup_path_ns to make it more robust for
> an external cgrp.
>
Great, thanks!
>
> I'd like to clarify, if a process A in a broad cgroup ns sets up a BPF
> cgroup iterator, exposes it via bpffs and than a process B in a narrowed
> cgroup ns (which excludes the origin cgroup) wants to traverse the
> iterator, should it fail straight ahead (regardless of iter order)?
> The alternative would be to allow self-dereference but prohibit any
> iterator moves (regardless of order).
>
imo it should fail straight ahead, but maybe others (Tejun? Hao?) have
other opinions here.
>
> Thanks,
> Michal
Powered by blists - more mailing lists