On Fri, Feb 3, 2017 at 3:21 PM, Alexei Starovoitov
<alexei.starovoitov@xxxxxxxxx> wrote:
> On Fri, Feb 03, 2017 at 01:07:39PM -0800, Andy Lutomirski wrote:
>>
>> Is there any plan to address this? If not, I'll try to write that
>> patch this weekend.
>
> yes. I'm working on 'disallow program override' flag.
> It got stalled, because netns discussion got stalled.
> Later today will send a patch for dev_id+inode and
> will continue on the flag patch.
>

Would it make sense to try to document what your proposal does before
writing the code? I don't yet see how to get semantics that are both
simple and sensible with a "disallow override" flag. I *do* see how
to get simple, sensible semantics with an approach where all the
programs in scope for the cgroup in question get called. If needed, I
can imagine a special "overridable" program that would not be run if
the socket in question is bound to a descendent cgroup that also has
an "overridable" program but would still let all the normal
hierarchical programs in scope get called.
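A small model of the semantics sketched in the message above, added here as an illustration; it is not code from the thread or from the kernel. The `Cgroup` class, the program names, the sample hierarchy and the root-to-leaf call order are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(eq=False)
class Cgroup:
    """Hypothetical model of one cgroup and the programs attached to it."""
    name: str
    parent: Optional["Cgroup"] = None
    normal: List[str] = field(default_factory=list)  # always run for descendants
    overridable: Optional[str] = None                # replaced by a deeper one


def ancestry(cg: Cgroup) -> List[Cgroup]:
    """Chain of cgroups from the root down to cg."""
    chain = []
    node: Optional[Cgroup] = cg
    while node is not None:
        chain.append(node)
        node = node.parent
    return chain[::-1]


def programs_called(cg: Cgroup) -> List[str]:
    """Programs run for a socket bound to cg (root-to-leaf order is assumed)."""
    chain = ancestry(cg)
    # Only the deepest "overridable" program on the path runs.
    winner = next((c for c in reversed(chain) if c.overridable), None)
    called: List[str] = []
    for c in chain:
        called.extend(c.normal)          # normal programs are never skipped
        if c is winner:
            called.append(c.overridable)
    return called


def build_sample() -> dict:
    """Constructed hierarchy: root -> container -> app, and root -> host_svc."""
    root = Cgroup("root", normal=["root_audit"], overridable="root_default")
    container = Cgroup("container", root, ["container_filter"], "container_default")
    app = Cgroup("app", container)
    host_svc = Cgroup("host_svc", root, ["svc_filter"])
    return {c.name: c for c in (root, container, app, host_svc)}


if __name__ == "__main__":
    for name, cg in build_sample().items():
        print(f"{name:10} -> {programs_called(cg)}")
```

In this model a descendant can replace an ancestor's "overridable" program but can never drop an ancestor's normal program, which is the property a parent relies on when it delegates a subtree.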