On Mon, Mar 30, 2020 at 06:57:44PM -0600, David Ahern wrote: > On 3/30/20 6:32 PM, Alexei Starovoitov wrote: > >> > >> This is not a large feature, and there is no reason for CREATE/UPDATE - > >> a mere 4 patch set - to go in without something as essential as the > >> QUERY for observability. > > > > As I said 'bpftool cgroup' covers it. Observability is not reduced in any way. > > You want a feature where a process can prevent another from installing a > program on a cgroup. How do I learn which process is holding the > bpf_link reference and preventing me from installing a program? Unless I > have missed some recent change that is not currently covered by bpftool > cgroup, and there is no way reading kernel code will tell me. No. That's not the case at all. You misunderstood the concept. > That is my point. You are restricting what root can do and people will > not want to resort to killing random processes trying to find the one > holding a reference. Not true either. bpf_link = old attach with allow_multi (but with extra safety for owner) The only thing bpf_link protects is the owner of the link from other processes of nuking that link. It does _not_ prevent other processes attaching their own cgroup-bpf progs either via old interface or via bpf_link. It will be different for xdp where only one prog is allowed per xdp hook. There it will prevent other xdp progs. And there link_queury and "human override" will be necessary.
