From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id F25D2C7EE32 for ; Thu, 2 Mar 2023 15:31:14 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230044AbjCBPao (ORCPT ); Thu, 2 Mar 2023 10:30:44 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59936 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229861AbjCBPaV (ORCPT ); Thu, 2 Mar 2023 10:30:21 -0500 Received: from mail-qv1-xf2f.google.com (mail-qv1-xf2f.google.com [IPv6:2607:f8b0:4864:20::f2f]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1DAF5126D2 for ; Thu, 2 Mar 2023 07:30:19 -0800 (PST) Received: by mail-qv1-xf2f.google.com with SMTP id jo29so11931143qvb.0 for ; Thu, 02 Mar 2023 07:30:19 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cmpxchg-org.20210112.gappssmtp.com; s=20210112; t=1677771018; h=in-reply-to:content-transfer-encoding:content-disposition :mime-version:references:message-id:subject:cc:to:from:date:from:to :cc:subject:date:message-id:reply-to; bh=MLSfo+hz5vTJ5ohI3IndEOkVuqNdnrD+B9QuUnbZ7t0=; b=Yuc3GjL5Ae3STASZNhGMCqtIxArcAh5Wnnbvn4E9b8+BMSkHR1RoivucbdqQ/fcWMb pUqUgMFarQvdmGoZEOycuK8epRhiUmc3k8itieZ6PwaIla/rlWd8hVJjACl/b3oqemuw 7JN1JLE/p0Jd9o/WpjBcsFZ9qAJ2kAZ0XvvIW28lUpEwsJgluteqYbfF0IDigG6MlJfI KbHP+F86TOuVcoSsouz+IUw9UwdSOg5N3LugwO1HlldQl2spyTX/dh5e5grSMQOhdIrq XnvvCM7U4ynFjeQLWUvR3t0P/dTBiWq7LQN6dRssMQtt5fGIJ5psvko5kv1o0ITqDoGt slJQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1677771018; h=in-reply-to:content-transfer-encoding:content-disposition :mime-version:references:message-id:subject:cc:to:from:date :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=MLSfo+hz5vTJ5ohI3IndEOkVuqNdnrD+B9QuUnbZ7t0=; b=q4ZGjCatGK2I3eFp9+J1dWED8hcpnPTI2FiIl78hxxYFwg8fKiUr6jxz9xgHykOvo2 oB4Y8CVAm9JmuNfKjnbiIGbYpCDMzpPSOuPvNBd+bZqty5IXgd+PNInCsESLk4C7Jk8O t/Tax3ARAXcEUiw2ERd5xotyGnLPf7d4hTwmnCdkKnxmjLKlECkmdlpRs8itNZv52xzi fSMJdS1QiY6rlOIBsK1XABmcII55Lw8Xe2tIkOFz/JuNvijiMHTdRgOG+eI4r98dBe6J liewesDe8PIKfZcqWQ5C6vI5P4fsa4mj0+M+PPZqltLAI3yZNQCsjW74CxRjK3EF3qmQ gh4w== X-Gm-Message-State: AO0yUKXXtfgT93Xif1BstLgJv6/7sU5i0kOcTji0d+cNr8p1HcWKqEyx 9V4o3f2v037IghUPGgpynJALpg== X-Google-Smtp-Source: AK7set8Zi94EO/G0MiD2tk0zJB/YMF0sCaWg4Nr73waCi4EUvedOqA7UJ9O/l9aYTW8lBwtkvGMozw== X-Received: by 2002:a05:6214:e8f:b0:537:7061:89d7 with SMTP id hf15-20020a0562140e8f00b00537706189d7mr19950984qvb.40.1677771018035; Thu, 02 Mar 2023 07:30:18 -0800 (PST) Received: from localhost ([2620:10d:c091:480::1:19d]) by smtp.gmail.com with ESMTPSA id t3-20020a05620a034300b006fa16fe93bbsm11111379qkm.15.2023.03.02.07.30.17 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 02 Mar 2023 07:30:17 -0800 (PST) Date: Thu, 2 Mar 2023 10:30:16 -0500 From: Johannes Weiner To: Suren Baghdasaryan Cc: tj@kernel.org, lizefan.x@bytedance.com, peterz@infradead.org, johunt@akamai.com, mhocko@suse.com, keescook@chromium.org, quic_sudaraja@quicinc.com, cgroups@vger.kernel.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH 1/1] psi: remove 500ms min window size limitation for triggers Message-ID: References: <20230301193403.1507484-1-surenb@google.com> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Mar 01, 2023 at 12:48:38PM -0800, Suren Baghdasaryan wrote: > On Wed, Mar 1, 2023 at 12:07 PM Johannes Weiner wrote: > > > > On Wed, Mar 01, 2023 at 11:34:03AM -0800, Suren Baghdasaryan wrote: > > > Current 500ms min window size for psi triggers limits polling interval > > > to 50ms to prevent polling threads from using too much cpu bandwidth by > > > polling too frequently. However the number of cgroups with triggers is > > > unlimited, so this protection can be defeated by creating multiple > > > cgroups with psi triggers (triggers in each cgroup are served by a single > > > "psimon" kernel thread). > > > Instead of limiting min polling period, which also limits the latency of > > > psi events, it's better to limit psi trigger creation to authorized users > > > only, like we do for system-wide psi triggers (/proc/pressure/* files can > > > be written only by processes with CAP_SYS_RESOURCE capability). This also > > > makes access rules for cgroup psi files consistent with system-wide ones. > > > Add a CAP_SYS_RESOURCE capability check for cgroup psi file writers and > > > remove the psi window min size limitation. > > > > > > Suggested-by: Sudarshan Rajagopalan > > > Link: https://lore.kernel.org/all/cover.1676067791.git.quic_sudaraja@quicinc.com/ > > > Signed-off-by: Suren Baghdasaryan > > > --- > > > kernel/cgroup/cgroup.c | 10 ++++++++++ > > > kernel/sched/psi.c | 4 +--- > > > 2 files changed, 11 insertions(+), 3 deletions(-) > > > > > > diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c > > > index 935e8121b21e..b600a6baaeca 100644 > > > --- a/kernel/cgroup/cgroup.c > > > +++ b/kernel/cgroup/cgroup.c > > > @@ -3867,6 +3867,12 @@ static __poll_t cgroup_pressure_poll(struct kernfs_open_file *of, > > > return psi_trigger_poll(&ctx->psi.trigger, of->file, pt); > > > } > > > > > > +static int cgroup_pressure_open(struct kernfs_open_file *of) > > > +{ > > > + return (of->file->f_mode & FMODE_WRITE && !capable(CAP_SYS_RESOURCE)) ? > > > + -EPERM : 0; > > > +} > > > > I agree with the change, but it's a bit unfortunate that this check is > > duplicated between system and cgroup. > > > > What do you think about psi_trigger_create() taking the file and > > checking FMODE_WRITE and CAP_SYS_RESOURCE against file->f_cred? > > That's definitely doable and we don't even need to pass file to > psi_trigger_create() since it's called only when we write to the file. > However by moving the capability check into psi_trigger_create() we > also postpone the check until write() instead of failing early in > open(). I always assumed failing early is preferable but if > consolidating the code here makes more sense then I can make the > switch. Please let me know if you still prefer to move the check. Just for context, a person on our team is working on allowing unprivileged polls with windows that are multiples of 2s, which can be triggered from the regular aggregator threads. This should be useful for container delegation, and also for the desktop monitor app usecase that Chris Down brought up some time ago. At that point, everybody can open the file for write, and permissions are checked against the trigger parameters. So I don't think it's a big deal to check this particular permission at write time. But if you prefer we can also merge your patch as-is and do the refactor as part of the other series. Your call. In either case, please feel free to add Acked-by: Johannes Weiner From mboxrd@z Thu Jan 1 00:00:00 1970 From: Johannes Weiner Subject: Re: [PATCH 1/1] psi: remove 500ms min window size limitation for triggers Date: Thu, 2 Mar 2023 10:30:16 -0500 Message-ID: References: <20230301193403.1507484-1-surenb@google.com> Mime-Version: 1.0 Content-Transfer-Encoding: quoted-printable Return-path: DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cmpxchg-org.20210112.gappssmtp.com; s=20210112; t=1677771018; h=in-reply-to:content-transfer-encoding:content-disposition :mime-version:references:message-id:subject:cc:to:from:date:from:to :cc:subject:date:message-id:reply-to; bh=MLSfo+hz5vTJ5ohI3IndEOkVuqNdnrD+B9QuUnbZ7t0=; b=Yuc3GjL5Ae3STASZNhGMCqtIxArcAh5Wnnbvn4E9b8+BMSkHR1RoivucbdqQ/fcWMb pUqUgMFarQvdmGoZEOycuK8epRhiUmc3k8itieZ6PwaIla/rlWd8hVJjACl/b3oqemuw 7JN1JLE/p0Jd9o/WpjBcsFZ9qAJ2kAZ0XvvIW28lUpEwsJgluteqYbfF0IDigG6MlJfI KbHP+F86TOuVcoSsouz+IUw9UwdSOg5N3LugwO1HlldQl2spyTX/dh5e5grSMQOhdIrq XnvvCM7U4ynFjeQLWUvR3t0P/dTBiWq7LQN6dRssMQtt5fGIJ5psvko5kv1o0ITqDoGt slJQ== Content-Disposition: inline In-Reply-To: List-ID: Content-Type: text/plain; charset="windows-1252" To: Suren Baghdasaryan Cc: tj-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org, lizefan.x-EC8Uxl6Npydl57MIdRCFDg@public.gmane.org, peterz-wEGCiKHe2LqWVfeAwA7xHQ@public.gmane.org, johunt-JqFfY2XvxFXQT0dZR+AlfA@public.gmane.org, mhocko-IBi9RG/b67k@public.gmane.org, keescook-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org, quic_sudaraja-jfJNa2p1gH1BDgjK7y7TUQ@public.gmane.org, cgroups-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, linux-mm-Bw31MaZKKs3YtjvyW6yDsg@public.gmane.org, linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org On Wed, Mar 01, 2023 at 12:48:38PM -0800, Suren Baghdasaryan wrote: > On Wed, Mar 1, 2023 at 12:07=E2=80=AFPM Johannes Weiner wrote: > > > > On Wed, Mar 01, 2023 at 11:34:03AM -0800, Suren Baghdasaryan wrote: > > > Current 500ms min window size for psi triggers limits polling interval > > > to 50ms to prevent polling threads from using too much cpu bandwidth = by > > > polling too frequently. However the number of cgroups with triggers is > > > unlimited, so this protection can be defeated by creating multiple > > > cgroups with psi triggers (triggers in each cgroup are served by a si= ngle > > > "psimon" kernel thread). > > > Instead of limiting min polling period, which also limits the latency= of > > > psi events, it's better to limit psi trigger creation to authorized u= sers > > > only, like we do for system-wide psi triggers (/proc/pressure/* files= can > > > be written only by processes with CAP_SYS_RESOURCE capability). This = also > > > makes access rules for cgroup psi files consistent with system-wide o= nes. > > > Add a CAP_SYS_RESOURCE capability check for cgroup psi file writers a= nd > > > remove the psi window min size limitation. > > > > > > Suggested-by: Sudarshan Rajagopalan > > > Link: https://lore.kernel.org/all/cover.1676067791.git.quic_sudaraja-= jfJNa2p1gH1BDgjK7y7TUQ@public.gmane.org/ > > > Signed-off-by: Suren Baghdasaryan > > > --- > > > kernel/cgroup/cgroup.c | 10 ++++++++++ > > > kernel/sched/psi.c | 4 +--- > > > 2 files changed, 11 insertions(+), 3 deletions(-) > > > > > > diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c > > > index 935e8121b21e..b600a6baaeca 100644 > > > --- a/kernel/cgroup/cgroup.c > > > +++ b/kernel/cgroup/cgroup.c > > > @@ -3867,6 +3867,12 @@ static __poll_t cgroup_pressure_poll(struct ke= rnfs_open_file *of, > > > return psi_trigger_poll(&ctx->psi.trigger, of->file, pt); > > > } > > > > > > +static int cgroup_pressure_open(struct kernfs_open_file *of) > > > +{ > > > + return (of->file->f_mode & FMODE_WRITE && !capable(CAP_SYS_RESO= URCE)) ? > > > + -EPERM : 0; > > > +} > > > > I agree with the change, but it's a bit unfortunate that this check is > > duplicated between system and cgroup. > > > > What do you think about psi_trigger_create() taking the file and > > checking FMODE_WRITE and CAP_SYS_RESOURCE against file->f_cred? >=20 > That's definitely doable and we don't even need to pass file to > psi_trigger_create() since it's called only when we write to the file. > However by moving the capability check into psi_trigger_create() we > also postpone the check until write() instead of failing early in > open(). I always assumed failing early is preferable but if > consolidating the code here makes more sense then I can make the > switch. Please let me know if you still prefer to move the check. Just for context, a person on our team is working on allowing unprivileged polls with windows that are multiples of 2s, which can be triggered from the regular aggregator threads. This should be useful for container delegation, and also for the desktop monitor app usecase that Chris Down brought up some time ago. At that point, everybody can open the file for write, and permissions are checked against the trigger parameters. So I don't think it's a big deal to check this particular permission at write time. But if you prefer we can also merge your patch as-is and do the refactor as part of the other series. Your call. In either case, please feel free to add Acked-by: Johannes Weiner