Re: [RFC PATCH v2 bpf-next 0/3] bpf: cgroup: support writing and freezing cgroups from BPF

[Djalal Harouni <tixxdz@gmail.com>]

Hello,

On 8/25/25 19:48, Tejun Heo wrote:
> Hello,
> 
> On Fri, Aug 22, 2025 at 07:16:15PM +0100, Djalal Harouni wrote:
> ...
>> I do realize taking the same usual path with write is the obvious thing,
>> but we don't have the corresponding open context, and faking it seems
>> more trouble than calling directly cgroup backends...
>>
>> Allow me please to do it again directly on cgroup_base_file[] assuming
>> it was Alexei suggestion and see how it looks.
> 
> I'm probably missing something but what prevents you from getting a dentry
> from kernfs_node and then calling vfs_open() on it and then do vfs_write()
> on the returned file?

If we include the open path then don't have the right context, first
example in vfs_open() will use the wrong current cred context to perform
permission checks, current could have dropped privileges while the
cgroup hierarchy is still root owned...

The thing here is that the bpf program will be called from arbitrary
paths, not a single pre-defined path/function were we could control
the context...

> If there are some fundamental reasons that we can't do something like that,
> let's go back to the simple approach where we just have bpf helpers for
> freezing and unfreezing cgroups outside of fs interface.

Alright, seems Alexei also agree on this. Thanks will prepare another
version.

>> Also Tejun, could you please point me to extra cgroup or kernfs tests
>> you run? much appreciated!
> 
> I'm afraid there isn't much outside what's in the selftest directory.

Ok, thank you!


> Thanks.
>