Hi Roman, To be more specific, I have been looking at the bpf-cgroup implementation of device cgroup and I cannot wrap my head around how the bpf-cgroup implementation would be able to enforce "[a] child cgroup can never receive a device access which is denied by its parent." I am either missing some understanding around device cgroup or bpf cgroup or both. Any pointer you can give me would be much appreciated. Regards, Kenny On Fri, Apr 24, 2020 at 1:28 PM Kenny Ho <y2kenny@xxxxxxxxx> wrote: > > Hi Roman, > > Um... I am not sure yet because I don't think I understand how > bpf-cgroup actually works. May be you can help? For example, how > does delegation work with bpf-cgroup? What is the relationship > between program(s) attachted to the parent cgroup and the children > cgroups? From what I understand, the attached eBPF prog will simply > replace what was attached by the parent (so there is no relationship?) > Sequentially running attached program either from leaf to root or > root to leaf is not a thing right? > > Regards, > Kenny > > On Fri, Apr 24, 2020 at 1:08 PM Roman Gushchin <guro@xxxxxx> wrote: > > > > On Fri, Apr 24, 2020 at 12:43:38PM -0400, Kenny Ho wrote: > > > Hi Roman, > > > > > > I am thinking of using the cgroup local storage as a way to implement > > > per cgroup configurations that other kernel subsystem (gpu driver, for > > > example) can have access to. Is that ok or is that crazy? > > > > If BPF is not involved at all, I'd say don't use it. Because beside providing > > a generic BPF map interface (accessible from userspace and BPF), it's > > just a page of memory "connected" to a cgroup. > > > > If BPF is involved, let's discuss it in more details. > > > > Thanks! > > > > > > > > Regards, > > > Kenny > > > > > > On Fri, Apr 24, 2020 at 12:26 PM Roman Gushchin <guro@xxxxxx> wrote: > > > > > > > > On Fri, Apr 24, 2020 at 12:17:55PM -0400, Kenny Ho wrote: > > > > > Hi, > > > > > > > > > > From the documentation, eBPF maps allow sharing of data between eBPF > > > > > kernel programs, kernel and user space applications. Does that > > > > > applies to BPF_MAP_TYPE_CGROUP_STORAGE? If so, what is the correct > > > > > way to access the cgroup storage from the linux kernel? I have been > > > > > reading the __cgroup_bpf_attach function and how the storage are > > > > > allocated and linked but I am not sure if I am on the right path. > > > > > > > > Hello, Kenny! > > > > > > > > Can you, please, elaborate a bit more on the problem, you're trying to solve? > > > > What's the goal of accessing the cgroup storage from the kernel? > > > > > > > > Certainly you can get a pointer to an attached buffer if you have > > > > a cgroup pointer. But what's next? > > > > > > > > Thanks!
