From: "Serge E. Hallyn" <serge-A9i7LUbDfNHQT0dZR+AlfA@public.gmane.org>
To: Aristeu Rozanski <aris-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
Cc: "Serge E. Hallyn" <serge-A9i7LUbDfNHQT0dZR+AlfA@public.gmane.org>,
linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
Tejun Heo <tj-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>,
Serge Hallyn
<serge.hallyn-Z7WLFzj8eWMS+FvcfC7Uqw@public.gmane.org>,
cgroups-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
Subject: Re: [PATCH 3/5] device_cgroup: keep track of local group settings
Date: Mon, 3 Dec 2012 18:01:25 +0000 [thread overview]
Message-ID: <20121203180125.GA30637@mail.hallyn.com> (raw)
In-Reply-To: <20121129223111.GZ32112-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
Quoting Aristeu Rozanski (aris-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org):
> On Thu, Nov 29, 2012 at 08:26:08PM +0000, Serge E. Hallyn wrote:
> > Quoting Aristeu Rozanski (aris-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org):
> > > I see your point. it's indeed a problem. in dev_exception_add(), it
> > > needs to check for permissions before actually adding to
> > > devcgroup->exceptions.
>
> actually, checked again, it's done correctly. when adding an exception
> that will allow extra device access (DEVCG_ALLOW), it does check it
> before. It means that you can't add local exceptions unless at a certain
> point of the time it was allowed to do so.
Thanks.
...
> git://github.com/aristeu/linux-2.6.git
>
> please use branch devcg_hiearchy_review
Thanks!
I have a few remaining concerns.
First, generally, I don't think 'allows' added to parent should be
automatically propagated to descendents.
In devcgroup_update_access: (around line 625)
there is a period of time where cgroup members have
default allow without the parent's exceptions.
propagate_behavior (line 505):
1. doesn't follow the same ordering as devcgroup_update_access(), in
particular cleaning exceptions before setting behavior.
2. When changing a parent from deny to allow, I don't think children
should be updated.
propagate_exception:
1. the WARN_ONCE doesn't seem helpful.
2. Again, I don't think allows to a parent should be propagated, only
denies.
-serge
WARNING: multiple messages have this Message-ID (diff)
From: "Serge E. Hallyn" <serge@hallyn.com>
To: Aristeu Rozanski <aris@redhat.com>
Cc: "Serge E. Hallyn" <serge@hallyn.com>,
linux-kernel@vger.kernel.org, Tejun Heo <tj@kernel.org>,
Serge Hallyn <serge.hallyn@canonical.com>,
cgroups@vger.kernel.org
Subject: Re: [PATCH 3/5] device_cgroup: keep track of local group settings
Date: Mon, 3 Dec 2012 18:01:25 +0000 [thread overview]
Message-ID: <20121203180125.GA30637@mail.hallyn.com> (raw)
In-Reply-To: <20121129223111.GZ32112@redhat.com>
Quoting Aristeu Rozanski (aris@redhat.com):
> On Thu, Nov 29, 2012 at 08:26:08PM +0000, Serge E. Hallyn wrote:
> > Quoting Aristeu Rozanski (aris@redhat.com):
> > > I see your point. it's indeed a problem. in dev_exception_add(), it
> > > needs to check for permissions before actually adding to
> > > devcgroup->exceptions.
>
> actually, checked again, it's done correctly. when adding an exception
> that will allow extra device access (DEVCG_ALLOW), it does check it
> before. It means that you can't add local exceptions unless at a certain
> point of the time it was allowed to do so.
Thanks.
...
> git://github.com/aristeu/linux-2.6.git
>
> please use branch devcg_hiearchy_review
Thanks!
I have a few remaining concerns.
First, generally, I don't think 'allows' added to parent should be
automatically propagated to descendents.
In devcgroup_update_access: (around line 625)
there is a period of time where cgroup members have
default allow without the parent's exceptions.
propagate_behavior (line 505):
1. doesn't follow the same ordering as devcgroup_update_access(), in
particular cleaning exceptions before setting behavior.
2. When changing a parent from deny to allow, I don't think children
should be updated.
propagate_exception:
1. the WARN_ONCE doesn't seem helpful.
2. Again, I don't think allows to a parent should be propagated, only
denies.
-serge
next prev parent reply other threads:[~2012-12-03 18:01 UTC|newest]
Thread overview: 41+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-11-27 19:35 [PATCH 0/5] devcg: introduce proper hierarchy support Aristeu Rozanski
2012-11-27 19:35 ` Aristeu Rozanski
2012-11-27 19:35 ` [PATCH 1/5] device_cgroup: fix locking in devcgroup_destroy() Aristeu Rozanski
2012-11-27 19:35 ` Aristeu Rozanski
[not found] ` <20121127193501.728193744-cd6kKtb6gxi3M6m420IelR/sF2h8X+2i0E9HWUfgJXw@public.gmane.org>
2012-11-29 19:06 ` Serge E. Hallyn
2012-11-29 19:06 ` Serge E. Hallyn
2012-12-03 17:29 ` Tejun Heo
2012-11-27 19:35 ` [PATCH 2/5] device_cgroup: prepare exception list handling functions for two lists Aristeu Rozanski
2012-11-27 19:35 ` Aristeu Rozanski
[not found] ` <20121127193502.078661224-cd6kKtb6gxi3M6m420IelR/sF2h8X+2i0E9HWUfgJXw@public.gmane.org>
2012-11-29 19:07 ` Serge E. Hallyn
2012-11-29 19:07 ` Serge E. Hallyn
2012-12-03 17:31 ` Tejun Heo
2012-12-03 17:31 ` Tejun Heo
2012-11-27 19:35 ` [PATCH 3/5] device_cgroup: keep track of local group settings Aristeu Rozanski
2012-11-29 19:29 ` Serge E. Hallyn
[not found] ` <20121129192945.GD26104-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2012-11-29 19:59 ` Aristeu Rozanski
2012-11-29 19:59 ` Aristeu Rozanski
[not found] ` <20121129195942.GW32112-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2012-11-29 20:26 ` Serge E. Hallyn
2012-11-29 20:26 ` Serge E. Hallyn
[not found] ` <20121129202608.GA26716-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2012-11-29 22:31 ` Aristeu Rozanski
2012-11-29 22:31 ` Aristeu Rozanski
[not found] ` <20121129223111.GZ32112-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2012-12-03 18:01 ` Serge E. Hallyn [this message]
2012-12-03 18:01 ` Serge E. Hallyn
[not found] ` <20121203180125.GA30637-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2012-12-03 19:06 ` Aristeu Rozanski
2012-12-03 19:06 ` Aristeu Rozanski
[not found] ` <20121203190657.GD32112-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2012-12-06 4:31 ` Serge E. Hallyn
2012-12-06 4:31 ` Serge E. Hallyn
2012-11-29 20:11 ` Aristeu Rozanski
2012-11-27 19:35 ` [PATCH 4/5] device_cgroup: make may_access() stronger Aristeu Rozanski
2012-11-27 19:35 ` Aristeu Rozanski
[not found] ` <20121127193502.817704289-cd6kKtb6gxi3M6m420IelR/sF2h8X+2i0E9HWUfgJXw@public.gmane.org>
2012-12-03 17:44 ` Tejun Heo
2012-12-03 17:44 ` Tejun Heo
[not found] ` <20121203174414.GI19802-Gd/HAXX7CRxy/B6EtB590w@public.gmane.org>
2012-12-03 19:01 ` Aristeu Rozanski
2012-12-03 19:01 ` Aristeu Rozanski
2012-11-27 19:35 ` [PATCH 5/5] device_cgroup: propagate local changes down the hierarchy Aristeu Rozanski
[not found] ` <20121127193503.114004167-cd6kKtb6gxi3M6m420IelR/sF2h8X+2i0E9HWUfgJXw@public.gmane.org>
2012-12-03 18:01 ` Tejun Heo
2012-12-03 18:01 ` Tejun Heo
[not found] ` <20121203180145.GJ19802-Gd/HAXX7CRxy/B6EtB590w@public.gmane.org>
2012-12-03 19:14 ` Aristeu Rozanski
2012-12-03 19:14 ` Aristeu Rozanski
[not found] ` <20121203191411.GE32112-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2012-12-03 21:36 ` Tejun Heo
2012-12-03 21:36 ` Tejun Heo
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20121203180125.GA30637@mail.hallyn.com \
--to=serge-a9i7lubdfnhqt0dzr+alfa@public.gmane.org \
--cc=aris-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=cgroups-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=serge.hallyn-Z7WLFzj8eWMS+FvcfC7Uqw@public.gmane.org \
--cc=tj-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.