Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754445AbcJEDAW (ORCPT ); Tue, 4 Oct 2016 23:00:22 -0400 Received: from mail-oi0-f47.google.com ([209.85.218.47]:35293 "EHLO mail-oi0-f47.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753488AbcJEDAT (ORCPT ); Tue, 4 Oct 2016 23:00:19 -0400 MIME-Version: 1.0 In-Reply-To: <20161005003833.GA29239@mail.hallyn.com> References: <1475626874-22949-1-git-send-email-john.stultz@linaro.org> <20161005003833.GA29239@mail.hallyn.com> From: John Stultz Date: Tue, 4 Oct 2016 20:00:18 -0700 Message-ID: Subject: Re: [RFC][PATCH] cgroup: Add new capability to allow a process to migrate other tasks between cgroups To: "Serge E. Hallyn" Cc: lkml , Tejun Heo , Li Zefan , Jonathan Corbet , cgroups@vger.kernel.org, Android Kernel Team , Rom Lemarchand , Colin Cross , Dmitry Shmidt , Todd Kjos , Christian Poetzsch , Amit Pundir Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 963 Lines: 28 On Tue, Oct 4, 2016 at 5:38 PM, Serge E. Hallyn wrote: > Quoting John Stultz (john.stultz@linaro.org): >> So this patch, as suggested by Tejun, simply adds a new process >> capability flag (CAP_CGROUP_MIGRATE_TASK), and uses it when checking > > So realistically, what all can this mean? Freezing tasks, changing > cpu/memory limits, changing network and disk throughput, forbid forking, > and (most importantly) forbid access to certain devices. > > I think that's all ok. (And we still separately check for inode write > perms.) Sounds good. > If anything I'd say the GLOBAL_ROOT_UID check could be taken out since > otherwise a host-root task effectively cannot drop this capability. Is this ok to leave for a separate patch? > Acked-by: Serge Hallyn Thanks for the review! Unless there's other feedback, I'll sit on this until the merge window is over and then resubmit for consideration for 4.10. thanks -john