ns_can_attach (nsproxy cgroup)

Grzegorz Nosek root at localdomain.pl
Fri Dec 12 13:30:42 PST 2008


On pią, gru 12, 2008 at 08:09:08 -0600, Serge E. Hallyn wrote:
> Quoting Grzegorz Nosek (root at localdomain.pl):
> > Hi all,
> > 
> > Is there a good reason for ns_can_attach to restrict moving tasks only
> > to direct descentants of the current cgroup? I.e. could the code:
> > 
> >         orig = task_cgroup(task, ns_subsys_id);
> >         if (orig && orig != new_cgroup->parent)
> >                 return -EPERM;
> > 
> > be replaced with:
> > 
> >         orig = task_cgroup(task, ns_subsys_id);
> >         if (orig && !cgroup_is_descendant_of(new_cgroup, orig))
> >                 return -EPERM;
> > 
> > (for a suitable definition of cgroup_is_descendant_of). It would allow
> > moving tasks down the cgroup hierarchy more than one level at a time and
> > as far as I can see, would pose no additional problems.
> > 
> > Please keep CC'd, I'm not subscribed.
> 
> Well you can always move it down one level at a time, right? :)
> 
> But I can't think of any reason why it would be a problem.  So
> pls feel free to send a patch.

OK, here's the patch. After some basic testing looks like it's working
as advertised. Please have a look at the patch, esp. the subsys_id part,
I'm not sure I got the code/comments all right.

Best regards,
 Grzegorz Nosek

--------------------------------------


More information about the Containers mailing list