Hello, On Mon, Sep 21, 2020 at 04:28:34PM +0200, Michal Hocko wrote: > Fundamentaly CLONE_INTO_CGROUP is similar to regular fork + move to the > target cgroup after the child gets executed. So in principle there > shouldn't be any big difference. Except that the move has to be explicit > and the the child has to have enough privileges to move itself. I am not Yeap, they're supposed to be the same operations. We've never clearly defined how the accounting gets split across moves because 1. it's inherently blurry and difficult 2. doesn't make any practical difference for the recommended and vast majority usage pattern which uses migration to seed the new cgroup. CLONE_INTO_CGROUP doesn't change any of that. > completely sure about CLONE_INTO_CGROUP model though. According to man > clone(2) it seems that O_RDONLY for the target cgroup directory is > sufficient. That seems much more relaxed IIUC and it would allow to fork > into a different cgroup while keeping a lot of resources in the parent's > proper. If the man page is documenting that, it's wrong. cgroup_css_set_fork() has an explicit cgroup_may_write() test on the destination cgroup. CLONE_INTO_CGROUP should follow exactly the same rules as regular migrations. Thanks. -- tejun