From mboxrd@z Thu Jan 1 00:00:00 1970 From: Michal Hocko Subject: Re: Potential issues (security and otherwise) with the current cgroup-bpf API Date: Thu, 19 Jan 2017 10:00:08 +0100 Message-ID: <20170119090006.GI30786@dhcp22.suse.cz> References: <2dbec775-6304-e44c-19c5-fbf07877e7b1@gmail.com> <20161220091150.GJ3124@twins.programming.kicks-ass.net> <20170103102559.GA30129@dhcp22.suse.cz> <20170116011901.GH14446@mtj.duckdns.org> <20170117130303.GL19699@dhcp22.suse.cz> <20170117133204.GA6515@twins.programming.kicks-ass.net> <20170117135830.GO19699@dhcp22.suse.cz> <20170118221850.GF9171@mtj.duckdns.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Return-path: Content-Disposition: inline In-Reply-To: <20170118221850.GF9171@mtj.duckdns.org> Sender: netdev-owner@vger.kernel.org To: Tejun Heo Cc: Peter Zijlstra , Andy Lutomirski , David Ahern , Alexei Starovoitov , Andy Lutomirski , Daniel Mack , =?iso-8859-1?Q?Micka=EBl_Sala=FCn?= , Kees Cook , Jann Horn , "David S. Miller" , Thomas Graf , Michael Kerrisk , Linux API , "linux-kernel@vger.kernel.org" , Network Development List-Id: linux-api@vger.kernel.org On Wed 18-01-17 14:18:50, Tejun Heo wrote: > Hello, Michal. > > On Tue, Jan 17, 2017 at 02:58:30PM +0100, Michal Hocko wrote: > > This would require using hierarchical cgroup iterators to iterate over > > It does behave hierarchically. > > > tasks. As per Andy's testing this doesn't seem to be the case. I haven't > > That's not what Andy's testing showed. What that showed was that > program in a child can override the one from its ancestor. My fault, I've misread Andy's test case. I thought that the child group simply disabled the bpf program and the one from the parent hasn't executed. -- Michal Hocko SUSE Labs