ns_can_attach (nsproxy cgroup)
Grzegorz Nosek
root at localdomain.pl
Fri Dec 12 13:30:42 PST 2008
On pią, gru 12, 2008 at 08:09:08 -0600, Serge E. Hallyn wrote:
> Quoting Grzegorz Nosek (root at localdomain.pl):
> > Hi all,
> >
> > Is there a good reason for ns_can_attach to restrict moving tasks only
> > to direct descentants of the current cgroup? I.e. could the code:
> >
> > orig = task_cgroup(task, ns_subsys_id);
> > if (orig && orig != new_cgroup->parent)
> > return -EPERM;
> >
> > be replaced with:
> >
> > orig = task_cgroup(task, ns_subsys_id);
> > if (orig && !cgroup_is_descendant_of(new_cgroup, orig))
> > return -EPERM;
> >
> > (for a suitable definition of cgroup_is_descendant_of). It would allow
> > moving tasks down the cgroup hierarchy more than one level at a time and
> > as far as I can see, would pose no additional problems.
> >
> > Please keep CC'd, I'm not subscribed.
>
> Well you can always move it down one level at a time, right? :)
>
> But I can't think of any reason why it would be a problem. So
> pls feel free to send a patch.
OK, here's the patch. After some basic testing looks like it's working
as advertised. Please have a look at the patch, esp. the subsys_id part,
I'm not sure I got the code/comments all right.
Best regards,
Grzegorz Nosek
--------------------------------------
More information about the Containers
mailing list