> > + * they are created in. Specifcally, sockets, and their interactions with the > > + * net_cls and net_prio cgroup v1 controllers. This "moves" the file descriptor > > + * so that it takes on the cgroup controller's configuration in the process > > + * that the file descriptor is being added to. > > + */ > > +#define SECCOMP_ADDFD_FLAG_MOVE (1UL << 1) > > I'm not happy about the name because "moving" has much more to do with > transferring ownership than what we are doing here. After a "move" the > fd shouldn't be valid anymore. But that might just be my thinking. > > But why make this opt-in and not do it exactly like when you send around > fds and make this mandatory? Based upon Tycho's comments in an offline thread, I'm going to make this the default (setting the cgroup metadata) to mirror what SCM_RIGHTS does, and then if we come up with a good use case where we need to preserve *cgroup v1* metadata, then we can add an opt-out flag in the future. _______________________________________________ Containers mailing list Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx https://lists.linuxfoundation.org/mailman/listinfo/containers
