Hello, Nikolay.

On Mon, Dec 19, 2022 at 01:40:50PM +0200, Nikolay Borisov wrote:
> The situation I described is how systemd functions, in particular when setting up
> a devcg for a service it would first disable all devices, then add a bunch of
> well-known character devices and finally evaluate the respective cgroup-related
> directives in the service file, in particular that's how systemd is being run.

I agree that this would have been the right thing to do in the first place. That said, the behavior has been like this since the beginning and it's difficult to rule out there may be users that depend on the current behavior of a child config being rejected if it contains anything beyond the parent's.

> Without this series systemd-udevd service ends up in a cgroup whose devices.list
> contains:
> ...
>
> But its .service file also instructs it to add 'b *:* rwm' and 'c *:* rwm'. The
> parent cg in turn contains:
> ...
>
> In this case we'd want wildcard exceptions in the child to match any of the
> exceptions in the parent.

and as your example illustrates users already implemented the needed semantics on top of the existing interface or moved to cgroup2. I'm not sure about introducing a behavior change this drastic now when users would expect stability more than anything else.

Thanks.

--
tejun
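The rule discussed in this message, as an added illustration that is not part of the original e-mail and is not kernel code: a simplified C model in which a child exception is accepted only when a single parent exception covers it, next to a looser overlap test as one reading of "match any of the exceptions in the parent". The struct, the function names and the sample parent list are assumptions constructed for the example, since the thread elides the real `devices.list` contents.

```c
#include <stdbool.h>
#include <stddef.h>
#define ANY (-1)                       /* '*' in the major or minor field */
enum { ACC_R = 1, ACC_W = 2, ACC_M = 4 };
struct dev_ex { char type; int major, minor, access; };  /* e.g. 'c' 1:3 rwm */

/* Strict check: parent exception p fully covers child rule c. */
static bool covers(const struct dev_ex *p, const struct dev_ex *c)
{
    if (p->type != c->type) return false;
    if (p->major != ANY && p->major != c->major) return false;
    if (p->minor != ANY && p->minor != c->minor) return false;
    return (c->access & ~p->access) == 0;
}

/* Looser check: p and c share at least one device and one access bit. */
static bool overlaps(const struct dev_ex *p, const struct dev_ex *c)
{
    if (p->type != c->type) return false;
    if (p->major != ANY && c->major != ANY && p->major != c->major) return false;
    if (p->minor != ANY && c->minor != ANY && p->minor != c->minor) return false;
    return (p->access & c->access) != 0;
}

/* Child rule is accepted only if a single parent exception covers it. */
bool child_rule_accepted(const struct dev_ex *par, size_t n, const struct dev_ex *c)
{
    for (size_t i = 0; i < n; i++)
        if (covers(&par[i], c)) return true;
    return false;
}

/* How many parent exceptions a child rule would match under the looser check. */
size_t parent_overlap_count(const struct dev_ex *par, size_t n, const struct dev_ex *c)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        if (overlaps(&par[i], c)) hits++;
    return hits;
}

/* Constructed sample data; the thread elides the real devices.list contents. */
const struct dev_ex sample_parent[] = {
    { 'c', 1, 3, ACC_R | ACC_W | ACC_M },   /* c 1:3 rwm   */
    { 'c', 1, 5, ACC_R | ACC_W | ACC_M },   /* c 1:5 rwm   */
    { 'c', 136, ANY, ACC_R | ACC_W },       /* c 136:* rw  */
};
const struct dev_ex child_c_all = { 'c', ANY, ANY, ACC_R | ACC_W | ACC_M };
const struct dev_ex child_b_all = { 'b', ANY, ANY, ACC_R | ACC_W | ACC_M };
const struct dev_ex child_c_1_3 = { 'c', 1, 3, ACC_R | ACC_W };
```

With this sample parent, `c *:* rwm` fails the strict check even though it overlaps every parent entry, while `b *:* rwm` overlaps none, so neither reading would grant the child any block device.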