From: Li Zefan <lizefan-hv44wF8Li93QT0dZR+AlfA@public.gmane.org>
To: Tejun Heo <tj-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>
Cc: Aristeu Rozanski <aris-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>,
cgroups-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
Kay Sievers <kay.sievers-tD+1rO4QERM@public.gmane.org>,
Lennart Poettering
<mzxreary-uLTowLwuiw4b1SvskN2V4Q@public.gmane.org>,
"Serge E. Hallyn" <serge-A9i7LUbDfNHQT0dZR+AlfA@public.gmane.org>
Subject: Re: [PATCH 0/4] devcg: Store local settings for each device cgroup
Date: Mon, 19 Aug 2013 10:53:06 +0800 [thread overview]
Message-ID: <52118892.7050909@huawei.com> (raw)
In-Reply-To: <20130816160950.GH2505-Gd/HAXX7CRxy/B6EtB590w@public.gmane.org>
Cc: Serge
On 2013/8/17 0:09, Tejun Heo wrote:
> Hello,
>
> On Fri, Aug 16, 2013 at 12:02:04PM -0400, Aristeu Rozanski wrote:
>>> Yeah, that's the correct behavior, if I'm not misunderstanding you,
>>> but to be consistent we also need to allow creating rules which allow
>>> devices which aren't allowed by ancestors. It won't be applicable at
>>> rule creation but may later become effective later on.
>>
>> Oh, I see, it's just matter of allowing to set the desired set or rules
>> locally even if they're not possible at the moment.
>
> Yeah, otherwise, we'd get into situation where setting rules in place
> isn't allowed but moving it out of hierarchy, setting it and then
> moving it back would work, which doesn't make much sense.
>
>> So, considering we drop in sane_behavior the allow + exceptions case,
>> the interface in sane_behavior mode would look like:
>> - policy: {allow_all,deny}
>> writing either will clear the active aw
>> - active_whitelist
>> list of in effect rules, read only
>> - whitelist
>> list of locally set rules, read only
>> - whitelist_add
>> write only, adds rule to the local list and active lists
>> - whitelist_remove
>> write only, removes rule from the local and active lists
>>
>> What you think?
>
> Yeah, I think that should work although you might also need
> active_policy and "effective" might be a better choice as prefix.
As I've started to work on cpuset side, I'm also thinking about
adding cpuset.effective_cpus and cpuset.effective_mems.
> Kay, Lennart, what do you guys think?
>
As Serge is the original author of devcg, let's also see how
Serge feel about the new interfaces?
next prev parent reply other threads:[~2013-08-19 2:53 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-08-15 15:34 [PATCH 0/4] devcg: Store local settings for each device cgroup aris-H+wXaHxf7aLQT0dZR+AlfA
[not found] ` <1376580854-30929-1-git-send-email-aris-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2013-08-15 15:34 ` [PATCH 1/4] devcg: move behavior and exceptions into its own structure aris-H+wXaHxf7aLQT0dZR+AlfA
2013-08-15 15:34 ` [PATCH 2/4] devcg: make dev_exception_ functions to use lists aris-H+wXaHxf7aLQT0dZR+AlfA
2013-08-15 15:34 ` [PATCH 3/4] devcg: save locally saved settings aris-H+wXaHxf7aLQT0dZR+AlfA
2013-08-15 15:34 ` [PATCH 4/4] devcg: try to reapply local settings aris-H+wXaHxf7aLQT0dZR+AlfA
2013-08-15 19:59 ` [PATCH 0/4] devcg: Store local settings for each device cgroup Tejun Heo
[not found] ` <20130815195941.GA10977-9pTldWuhBndy/B6EtB590w@public.gmane.org>
2013-08-15 20:48 ` Aristeu Rozanski
[not found] ` <20130815204804.GO7878-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2013-08-15 21:09 ` Tejun Heo
[not found] ` <20130815210937.GB10977-9pTldWuhBndy/B6EtB590w@public.gmane.org>
2013-08-16 15:20 ` Aristeu Rozanski
[not found] ` <20130816152025.GC7878-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2013-08-16 15:47 ` Tejun Heo
[not found] ` <20130816154757.GG2505-Gd/HAXX7CRxy/B6EtB590w@public.gmane.org>
2013-08-16 16:02 ` Aristeu Rozanski
[not found] ` <20130816160204.GE7878-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2013-08-16 16:09 ` Tejun Heo
[not found] ` <20130816160950.GH2505-Gd/HAXX7CRxy/B6EtB590w@public.gmane.org>
2013-08-19 2:53 ` Li Zefan [this message]
[not found] ` <52118892.7050909-hv44wF8Li93QT0dZR+AlfA@public.gmane.org>
2013-08-19 13:38 ` Aristeu Rozanski
2013-08-19 17:12 ` Serge E. Hallyn
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=52118892.7050909@huawei.com \
--to=lizefan-hv44wf8li93qt0dzr+alfa@public.gmane.org \
--cc=aris-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=cgroups-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=kay.sievers-tD+1rO4QERM@public.gmane.org \
--cc=mzxreary-uLTowLwuiw4b1SvskN2V4Q@public.gmane.org \
--cc=serge-A9i7LUbDfNHQT0dZR+AlfA@public.gmane.org \
--cc=tj-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.