From: "Serge E. Hallyn" <serge@hallyn.com>
To: aris@redhat.com
Cc: linux-kernel@vger.kernel.org, cgroups@vger.kernel.org,
Tejun Heo <tj@kernel.org>,
Serge Hallyn <serge.hallyn@canonical.com>
Subject: Re: [PATCH v4 9/9] devcg: propagate local changes down the hierarchy
Date: Thu, 31 Jan 2013 04:19:32 +0000 [thread overview]
Message-ID: <20130131041932.GB14576@mail.hallyn.com> (raw)
In-Reply-To: <20130130171102.390708521@napanee.usersys.redhat.com>
Quoting aris@redhat.com (aris@redhat.com):
> +/**
> + * propagate_behavior - propagates a change in the behavior down in hierarchy
> + * @devcg_root: device cgroup that changed behavior
> + *
> + * returns: 0 in case of success, != 0 in case of error
> + *
> + * This is one of the two key functions for hierarchy implementation.
> + * All cgroup's children recursively will have the behavior changed and
> + * exceptions copied from the parent then its local behavior and exceptions
> + * re-evaluated and applied if they're still allowed. Refer to
> + * Documentation/cgroups/devices.txt for more details.
> + */
> +static int propagate_behavior(struct dev_cgroup *devcg_root)
> +{
> + struct cgroup *root = devcg_root->css.cgroup;
> + struct dev_cgroup *parent, *devcg, *tmp;
> + int rc = 0;
> + LIST_HEAD(pending);
> +
> + get_online_devcg(root, &pending);
> +
> + list_for_each_entry_safe(devcg, tmp, &pending, propagate_pending) {
> + parent = cgroup_to_devcgroup(devcg->css.cgroup->parent);
> +
> + /* first copy parent's state */
> + devcg->behavior = parent->behavior;
> + dev_exception_clean(&devcg->exceptions);
> + rc = dev_exceptions_copy(&devcg->exceptions, &parent->exceptions);
> + if (rc) {
> + devcg->behavior = DEVCG_DEFAULT_DENY;
> + break;
> + }
> +
> + if (devcg->local.behavior == DEVCG_DEFAULT_DENY &&
> + devcg->behavior == DEVCG_DEFAULT_ALLOW) {
> + devcg->behavior = DEVCG_DEFAULT_DENY;
> + }
I think you might need another special case here. If A and it's
child B are both ALLOW, and A switches to DENY, then if I read this
right B will be switched to DENY, but its local->exceptions will
not be cleared. They won't be immediately applied, so at first it's
ok. But if B then adds an exception, what happens? It'll call
revalidate_exceptions on the full old list plus new exception. If
any exceptions aren't allowed by the parent then it won't be applied,
but it's possible that it is allowed in the parent but (its sense
now being inverted from blacklist to whitelist) not intended to be
allowed in the child. But there will be nothing to stop it.
So do you need
if (devcg->local.behavior == DEVCG_DEFAULT_ALLOW &&
devcg->behavior == DEVCG_DEFAULT_DENY) {
dev_exception_clean(&devcg->local.exceptions);
}
here?
> + if (devcg->local.behavior == devcg->behavior)
> + rc = revalidate_exceptions(devcg);
> + if (rc)
> + break;
> + list_del_init(&devcg->propagate_pending);
> + }
> +
> + return rc;
> +}
next prev parent reply other threads:[~2013-01-31 4:19 UTC|newest]
Thread overview: 43+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-01-30 17:11 [PATCH v4 0/9] devcg: introduce proper hierarchy support aris
2013-01-30 17:11 ` [PATCH v4 1/9] device_cgroup: prepare exception list handling functions for two lists aris
2013-01-30 19:34 ` Serge E. Hallyn
2013-01-30 17:11 ` [PATCH v4 2/9] devcg: reorder device exception functions aris
2013-01-30 19:44 ` Serge E. Hallyn
2013-01-30 17:11 ` [PATCH v4 3/9] device_cgroup: keep track of local group settings aris
2013-01-30 20:01 ` Serge E. Hallyn
2013-01-30 17:11 ` [PATCH v4 4/9] devcg: expand may_access() logic aris
2013-01-30 20:09 ` Serge E. Hallyn
2013-01-30 17:11 ` [PATCH v4 5/9] devcg: prepare may_access() for hierarchy support aris
2013-01-30 20:30 ` Serge E. Hallyn
2013-01-30 17:11 ` [PATCH v4 6/9] devcg: use css_online and css_offline aris
2013-01-30 20:40 ` Serge E. Hallyn
2013-01-30 17:11 ` [PATCH v4 7/9] devcg: split single exception copy from dev_exceptions_copy() aris
2013-01-30 20:42 ` Serge E. Hallyn
2013-01-30 17:11 ` [PATCH v4 8/9] devcg: refactor dev_exception_clean() aris
2013-01-30 20:47 ` Serge E. Hallyn
2013-01-30 20:49 ` Aristeu Rozanski
2013-01-30 20:50 ` Tejun Heo
2013-01-31 2:15 ` Li Zefan
2013-01-31 15:13 ` Aristeu Rozanski
2013-01-30 17:11 ` [PATCH v4 9/9] devcg: propagate local changes down the hierarchy aris
2013-01-30 21:35 ` Serge E. Hallyn
2013-01-31 4:19 ` Serge E. Hallyn [this message]
2013-01-31 22:00 ` Aristeu Rozanski
2013-01-31 4:38 ` Serge E. Hallyn
2013-01-31 22:03 ` Aristeu Rozanski
2013-02-01 19:09 ` [PATCH v5 " Aristeu Rozanski
2013-02-02 16:13 ` Serge E. Hallyn
2013-02-04 15:03 ` Aristeu Rozanski
2013-02-04 15:17 ` Serge Hallyn
2013-02-02 16:20 ` Serge E. Hallyn
2013-02-04 15:09 ` Aristeu Rozanski
2013-02-05 18:36 ` [PATCH v6 " Aristeu Rozanski
2013-02-09 3:53 ` Serge E. Hallyn
2013-02-11 14:30 ` Aristeu Rozanski
2013-02-09 4:04 ` Serge E. Hallyn
2013-02-11 14:32 ` Aristeu Rozanski
2013-02-11 17:42 ` Serge E. Hallyn
2013-02-11 18:38 ` Aristeu Rozanski
2013-02-11 18:52 ` Serge E. Hallyn
2013-02-11 19:02 ` Aristeu Rozanski
2013-02-11 20:47 ` Serge Hallyn
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130131041932.GB14576@mail.hallyn.com \
--to=serge@hallyn.com \
--cc=aris@redhat.com \
--cc=cgroups@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=serge.hallyn@canonical.com \
--cc=tj@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).