Quoting Aristeu Rozanski (a...@redhat.com): > On Mon, Dec 03, 2012 at 06:01:25PM +0000, Serge E. Hallyn wrote: > > First, generally, I don't think 'allows' added to parent should be > > automatically propagated to descendents. > > that's what I think too and what I tried to do > > > In devcgroup_update_access: (around line 625) > > there is a period of time where cgroup members have > > default allow without the parent's exceptions. > > true, will fix that one and look for more cases > > > propagate_behavior (line 505): > > 1. doesn't follow the same ordering as devcgroup_update_access(), in > > particular cleaning exceptions before setting behavior. > > I see, will update that > > > 2. When changing a parent from deny to allow, I don't think children > > should be updated. > > I disagree on this one. since there'll be local preferences, it'll try > to revalidate them everytime there's a change. so, for example, an > exception that might not be possible now, will be possible when its > parent changes in a way that allows that.
My concern is just practical - if I've started a bunch of containers, and another admin decides to make a change to the root devices cgroup, I don't want the container's device accesses now changing. Maybe that's better solved by having all of userspace sit in /system while containers and vms sit under /lxc and /libvirt... -serge -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
