Hi, Cgroups primary function seems to be to divide limited resources and make sure that they are allocated "fairly" (where the sysadmin decides what is fair, and how much of each resource should be made available to groups of processes). Intel has a h/w feature in the DSA (Data Streaming Accelerator) device that will allow a process to offer access to bounded virtual windows into its address space to other processes. The case where one process wants to make this offer to just one other process seems simple. But the h/w allows, and a process might want, to offer a virtual window to several other processes. As soon as anyone says the words "several processes" the immediate thought is "can cgroups help with this?" I'm thinking along these lines: 1) Sysadmin creates a cgroup for a "job". Initializes the limits on how many of these virtual windows can be used (h/w has a fixed number). Assigns tasks in the job to this cgroup. 2) Tasks in the job that want to offer virtual windows call into the driver to allocate and partially set up windows tagged with "available to any other process in my cgroup". 3) Other tasks in the group ask the driver to complete the h/w initialization by adding them (their PASID) to the access list for each window. My questions: 1) Is this horrible - have I misunderstood cgroups? 1a) If this is horrible, can it be rescued? 2) Will it work - is "membership in a cgroup" a valid security mechanism? 3) Has someone done something similar before (so I can learn from their code)? 4) Is there an existing exported API to help. I see task_cgroup_path() which looks generally helpful (though I'd prefer a task_cgroup() that just takes a task and gives me the cgroup to which it belongs.) Thanks -Tony
