On Mon, Dec 19, 2016 at 5:34 PM, David Miller <davem@xxxxxxxxxxxxx> wrote: > From: Alexei Starovoitov <alexei.starovoitov@xxxxxxxxx> > Date: Mon, 19 Dec 2016 16:02:56 -0800 > >> huh? 'not right api' because it's using bpf syscall instead >> of cgroup control-file? I think the opposite is the truth. > > I completely agree with Alexei on this. So what happens when someone adds another type of filter? Let's say there's a simple, no-privilege-required list of allowed address families that can hook up to the socket creation hook for a cgroup. Does BPF_PROG_DETACH still detach it? Or would both the bpf *and* the list of allowed address families be in force? If the latter, why wouldn't two BPF programs on the same hook be allowed? Concretely: # mkdir /cgroup/a # set_up_bpf_socket_rule /cgroup/a # set_up_list_of_address_families /cgroup/a # cat /cgroup/a/some_new_file [what gets displayed?] # BPF_PROG_DETACH: what happens By the way, even if Alexei is right, the BPF_PROG_DETACH API doesn't even take a reference to a BPF program as an argument. What is it supposed to do if this mechanism ever gets extended? --Andy -- To unsubscribe from this list: send the line "unsubscribe linux-api" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
