Re: [PATCH] capabilities: add capability cgroup controller
From: Tejun Heo
Date: Fri Jun 24 2016 - 13:24:56 EST

Hello, Serge.

On Fri, Jun 24, 2016 at 11:59:10AM -0500, Serge E. Hallyn wrote:
> > Just monitoring is less jarring than implementing security enforcement
> > via cgroup, but it is still jarring. What's wrong with recursive
> > process hierarchy monitoring which is in line with how the whole
> > facility is implemented anyway?
>
> As I think Topi pointed out, one shortcoming is that if there is a short-lived
> child task, using its /proc/self/status is racy. You might just miss that it
> ever even existed, let alone that the "application" needed it.

But the parent can collect whatever its children used. We already do
that with other stats.

Thanks.

--
tejun