On Wed, Jul 10, 2013 at 03:50:02PM -0400, Aristeu Rozanski wrote:
> On Wed, Jul 10, 2013 at 11:46:55AM -0700, Tejun Heo wrote:
> > Just wondering whether you're working on implementing new hierarchical
> > behavior on devcg. If so, can you please share some details on how
> > you're planning to do it? Please feel free to add the relevant
> > mailing lists when replying.
>
> I did start, but still dealing with lots of company internal tasks so I
> couldn't do much.
>
> One of the ideas is to start changing (again) how the rules are processed
> internally, moving away from the default policy + exceptions model to
> an ordered set of rules like iptables:
>
> default: allow/deny
> allow block major 100-101, all minors
> deny char major 200, all minors
> ...
>
> That will solve most complex use cases the current model won't [1] but
> the problem with this approach is that since it relies on order, merging
> would be a problem, and it'd have to test each parent all the way to / to
> make sure the access is possible.
>
> [1] One example of usage the current model won't solve:
>
> - by default deny everything
> - allow c,200,*
> - but deny c,200,100
>
> The second idea, which is simpler, will reuse the current internal model
> of default policy + exceptions and the idea in the initial patches of having
> two lists in each cgroup: active policy+exceptions and locally set
> policy+exceptions. This way for every change that happens in a parent (or
> even change of parents when moving the cgroup around), the active
> policy+exceptions will be regenerated.
>
> In both cases, we do need a new userspace interface (although we can
> still provide backwards compatibility with the old one).
>
> Comments?

FWIW, libvirt's usage of devcg is to deny all by default, allow major 136
(for all /dev/pts/*), followed by an allow (major,minor) pair for each
specific whitelisted device. As such we don't have anything that relies
on ordering of rules in devcg.
Regards,
Daniel
-- 
|: http://berrange.com  -o-  http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linuxfoundation.org/mailman/listinfo/containers
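Added example, not code from this thread, from libvirt or from the kernel's devcg implementation: a small Python model of the two rule-evaluation schemes the quoted message compares, the current "default policy + exceptions" scheme and the proposed iptables-like ordered rule list, plus the per-ancestor check the ordered scheme would need. It shows on concrete device numbers why the footnote [1] case (deny all, allow c 200:*, deny c 200:100) cannot be loaded into the exceptions model while the libvirt-style policy from the reply evaluates identically under both. The rule syntax ("allow c 200:*"), first-match-wins ordering, the function names and the sample device numbers are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

Device = Tuple[str, int, int]   # (type: "c" char or "b" block, major, minor)


@dataclass(frozen=True)
class Rule:
    action: str             # "allow" or "deny"
    dev_type: str           # "c" or "b"
    major: Optional[int]    # None means "*" (any major)
    minor: Optional[int]    # None means "*" (any minor)

    def matches(self, dev: Device) -> bool:
        dev_type, major, minor = dev
        return (self.dev_type == dev_type
                and self.major in (None, major)
                and self.minor in (None, minor))


def parse_rule(text: str) -> Rule:
    # Constructed syntax, e.g. "allow c 200:*" or "deny b 100:5" (assumption,
    # loosely modelled on the "c 136:* rwm" form of devices.allow/deny).
    action, dev_type, numbers = text.split()
    major_s, minor_s = numbers.split(":")
    return Rule(action, dev_type,
                None if major_s == "*" else int(major_s),
                None if minor_s == "*" else int(minor_s))


def default_plus_exceptions(default: str, exceptions: List[Rule], dev: Device) -> str:
    """Model of the current devcg scheme: one default policy plus an unordered
    exception list. Every exception necessarily has the opposite action of
    the default, so a rule carrying the default's own action is rejected as
    inexpressible; that is exactly what blocks "deny all, allow 200:*, deny 200:100"."""
    for rule in exceptions:
        if rule.action == default:
            raise ValueError(f"{rule} is not an exception to default={default!r}")
    for rule in exceptions:
        if rule.matches(dev):
            return rule.action
    return default


def ordered_rules(default: str, rules: List[Rule], dev: Device) -> str:
    """Model of the proposed iptables-like scheme: evaluate rules in order,
    first match wins, the default applies when nothing matches."""
    for rule in rules:
        if rule.matches(dev):
            return rule.action
    return default


def ordered_rules_hierarchy(default: str, levels: List[List[Rule]], dev: Device) -> str:
    """The cost the thread points out: with ordered rules a cgroup's own list
    does not settle the question, so every ancestor from the root down is
    evaluated and any level that denies wins (levels[0] is /, last is the leaf)."""
    for rules in levels:
        if ordered_rules(default, rules, dev) == "deny":
            return "deny"
    return "allow"


# --- Constructed policies ---------------------------------------------------
# libvirt-style policy from the reply: deny all, allow the pty major (136),
# then allow individual (major, minor) pairs. 1:3 and 1:5 are the conventional
# numbers of /dev/null and /dev/zero, used here only as sample whitelisted devices.
LIBVIRT_STYLE = [parse_rule(r) for r in ("allow c 136:*", "allow c 1:3", "allow c 1:5")]

# Footnote [1] case, ordered for first-match-wins: the narrow deny precedes
# the broad allow so the carve-out takes effect.
CARVE_OUT = [parse_rule(r) for r in ("deny c 200:100", "allow c 200:*")]

SAMPLE_DEVICES: List[Device] = [("c", 136, 7), ("c", 1, 3), ("c", 1, 8),
                                ("c", 200, 100), ("c", 200, 42), ("b", 8, 0)]


def compare_models(dev: Device) -> Tuple[str, str]:
    """Both models agree on the libvirt-style policy: it never nests rules
    with opposite actions under one default, so ordering carries no meaning."""
    return (default_plus_exceptions("deny", LIBVIRT_STYLE, dev),
            ordered_rules("deny", LIBVIRT_STYLE, dev))


def carve_out_expressible_as_exceptions() -> bool:
    """False: a 'deny' rule is not an exception to a 'deny' default, so the
    footnote [1] policy has no representation in the exceptions model."""
    try:
        default_plus_exceptions("deny", CARVE_OUT, ("c", 200, 100))
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for dev in SAMPLE_DEVICES:
        print(dev, "default+exceptions / ordered:", compare_models(dev))
    print("carve-out expressible as exceptions:", carve_out_expressible_as_exceptions())
    print("ordered carve-out, c 200:100 ->", ordered_rules("deny", CARVE_OUT, ("c", 200, 100)))
    print("ordered carve-out, c 200:42  ->", ordered_rules("deny", CARVE_OUT, ("c", 200, 42)))
    # Parent allows all of major 200, child carves out 200:100; a child can
    # only narrow what its parent grants, never widen it.
    tree = [[parse_rule("allow c 200:*")], CARVE_OUT]
    print("hierarchy, c 200:100 ->", ordered_rules_hierarchy("deny", tree, ("c", 200, 100)))
```

The `ordered_rules_hierarchy` walk is the "test each parent all the way to /" cost mentioned in the quoted message; the second idea in that message (regenerating an active policy per cgroup whenever a parent changes) trades that per-access walk for work at configuration time, which this model does not attempt.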