Re: Potential issues (security and otherwise) with the current cgroup-bpf API
From: Andy Lutomirski
Date: Sat Feb 04 2017 - 12:11:34 EST
On Fri, Feb 3, 2017 at 3:21 PM, Alexei Starovoitov
<alexei.starovoitov@xxxxxxxxx> wrote:
> On Fri, Feb 03, 2017 at 01:07:39PM -0800, Andy Lutomirski wrote:
>>
>> Is there any plan to address this? If not, I'll try to write that
>> patch this weekend.
>
> yes. I'm working on 'disallow program override' flag.
> It got stalled, because netns discussion got stalled.
> Later today will send a patch for dev_id+inode and
> will continue on the flag patch.
>
Would it make sense to try to document what your proposal does before
writing the code? I don't yet see how to get semantics that are both
simple and sensible with a "disallow override" flag.
I *do* see how to get simple, sensible semantics with an approach
where all the programs in scope for the cgroup in question get called.
If needed, I can imagine a special "overridable" program that would
not be run if the socket in question is bound to a descendent cgroup
that also has an "overridable" program but would still let all the
normal hierarchical programs in scope get called.