Date: Mon, 23 Nov 2015 16:53:25 +0100
From: Daniel Wagner <daniel.wagner@...-carit.de>
To: Tejun Heo <tj@...nel.org>
CC: <davem@...emloft.net>, <pablo@...filter.org>, <kaber@...sh.net>, <kadlec@...ckhole.kfki.hu>, <daniel@...earbox.net>, <nhorman@...driver.com>, <lizefan@...wei.com>, <hannes@...xchg.org>, <netdev@...r.kernel.org>, <netfilter-devel@...r.kernel.org>, <coreteam@...filter.org>, <cgroups@...r.kernel.org>, <linux-kernel@...r.kernel.org>, <kernel-team@...com>, <ninasc@...com>
Subject: Re: [PATCH 7/9] sock, cgroup: add sock->sk_cgroup

On 11/23/2015 04:48 PM, Tejun Heo wrote:
> On Mon, Nov 23, 2015 at 02:02:03PM +0100, Daniel Wagner wrote:
>> On 11/21/2015 05:13 PM, Tejun Heo wrote:
>>> Signed-off-by: Tejun Heo <tj@...nel.org>
>>> Cc: Daniel Borkmann <daniel@...earbox.net>
>>> Cc: Daniel Wagner <daniel.wagner@...-carit.de>
>>
>> I did a quick test and for new connection the cgroup2 match worked as
>> expected. For an existing connection I wasn't able to trigger the match.
>>
>> It is quite likely I do something wrong:
>>
>> ssh into the box
>> # mkdir /sys/fs/cgroup/test
>> # echo $$ > /sys/fs/cgroup/test/cgroup.procs
>> # echo $PPID > /sys/fs/cgroup/test/cgroup.procs
>> # iptables -A OUTPUT -m cgroup --path test
>>
>> Should I see matches with the existing ssh session?
>
> Socket is associated with the creating cgroup and stays associated
> with that cgroup until it's released. Migrating the process doesn't
> change the ownership of the sockets it has created. This is in line
> with how other stateful resources such as memory are handled in
> cgroup2 hierarchy.

Thanks for the explanation. Looks good to me:

Tested-by: Daniel Wagner <daniel.wagner@...-carit.de>
Acked-by: Daniel Wagner <daniel.wagner@...-carit.de>

Thanks,
Daniel
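
Added example, not part of the original message and not code from the patch: a user-space C model of the ownership rule explained in the reply above, replaying the test from the thread to show why a cgroup-based rule misses sockets created before the process was migrated. The struct layouts, function names, the pid, and the rule semantics (a rule matches a socket whose cgroup is the rule's cgroup or a descendant of it) are assumptions made for the model.

```c
/* User-space model of socket/cgroup ownership; constructed for illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct cgroup { const char *name; struct cgroup *parent; };
struct task   { int pid; struct cgroup *cgrp; };
struct sock   { struct cgroup *sk_cgroup; };  /* field name taken from the patch subject */

/* A socket records the creating task's cgroup once, at creation time. */
static struct sock sock_create(const struct task *t)
{
    struct sock sk = { .sk_cgroup = t->cgrp };
    return sk;
}

/* Writing a pid to cgroup.procs moves the task only; its sockets are untouched. */
static void task_migrate(struct task *t, struct cgroup *dst) { t->cgrp = dst; }

/* Assumed rule semantics: match when the socket's cgroup is the rule's cgroup or below it. */
static bool rule_matches(const struct sock *sk, const struct cgroup *rule)
{
    for (const struct cgroup *c = sk->sk_cgroup; c; c = c->parent)
        if (c == rule)
            return true;
    return false;
}

/* Replays the test from the thread.
 * Return value: bit 0 set = pre-migration socket matched, bit 1 set = new socket matched. */
static int replay_thread_test(void)
{
    struct cgroup root = { "/", NULL }, test = { "/test", &root };
    struct task shell = { 1234 /* constructed pid */, &root };

    struct sock existing = sock_create(&shell);  /* the already running ssh session */
    task_migrate(&shell, &test);                 /* echo <pid> > /sys/fs/cgroup/test/cgroup.procs */
    struct sock fresh = sock_create(&shell);     /* a connection opened after migration */

    return (rule_matches(&existing, &test) ? 1 : 0) | (rule_matches(&fresh, &test) ? 2 : 0);
}

int main(void)
{
    int r = replay_thread_test();
    printf("existing socket matched: %d, new socket matched: %d\n", r & 1, (r >> 1) & 1);
    return 0;
}
```

For anyone relying on such a rule as a policy boundary, the model shows the gap to account for: traffic on sockets opened before migration stays attributed to the original cgroup until those sockets are closed.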