Re: [RFC] [PATCH -mm] cgroup: uid-based rules to add processesefficiently in the right cgroup
From: David Collier-Brown
Date: Tue Aug 26 2008 - 12:31:15 EST
Vivek Goyal wrote:
Who executes default rules? IOW, how do you make sure tasks of user.davecb
end up in project 101 only and not outside?
A classifier at login/connect starts each new process off in the correct group.
New processes inherit their parent's group unless you use newtask or su.
So by default all the tasks of user.davecb will run into project 101 until
user davecb decides to launch some background jobs in project 100 using
newtask?
That's right, the and cgexec-like "newtask" is what I use
to script things: for example, my background script says
case "$1" in
[0-9]*) # It's a pid
newtask -p bg -c $1
;;
*) # It's a command-line
newtask -p bg "$@" &
;;
esac
There's also an -F option to put a process into a cgroup
and never let it newtask itself or it's children to another one,
so that software from Dr Evil, Inc. can't do privilege
escalation (;-))
--dave
--
David Collier-Brown | Always do right. This will gratify
Sun Microsystems, Toronto | some people and astonish the rest
davecb@xxxxxxx | -- Mark Twain
cell: (647) 833-9377, bridge: (877) 385-4099 code: 506 9191#
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/