Re: [RFC PATCH] cpuset: Allow setscheduler regardless of manipulated task

From: Waiman Long
Date: Thu Jun 23 2022 - 15:26:56 EST

Next message: David Hildenbrand: "Re: [PATCH v10 15/69] damon: convert __damon_va_three_regions to use the VMA iterator"
Previous message: Fabio Estevam: "Re: [PATCH] arm64: dts: imx8mp: drop dmas property for uart console"
In reply to: Michal Koutný: "[RFC PATCH] cpuset: Allow setscheduler regardless of manipulated task"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 6/23/22 08:49, Michal Koutný wrote:

When we migrate a task between two cgroups, one of the checks is a
verification that we can modify task's scheduler settings
(cap_task_setscheduler()).

An implicit migration occurs also when enabling a controller on the
unified hierarchy (think of parent to child migration). The
aforementioned check may be problematic if the caller of the migration
(enabling a controller) has no permissions over migrated tasks.
For instance, user's cgroup that ends up running a process of a
different user. Although cgroup permissions are configured favorably,
the enablement fails due to the foreign process [1].

Change the behavior by relaxing the permissions check on the unified
hierarchy (or in v2 mode). This is in accordance with unified hierarchy
attachment behavior when permissions of the source to target cgroups are
decisive whereas the migrated task is opaque (for contrast, see more
restrictive check in __cgroup1_procs_write()).

[1] https://github.com/systemd/systemd/issues/18293#issuecomment-831205649

Reasons for RFC:

1) The unified hierarchy attachment behavior -- is that the
right/consented model that migrated objects don't matter?

2) If 1) is true, have I missed any danger in allowing cpuset'ing a
possibly privileged processes?

That could be an issue.

2.2) cpuset may be in v2 mode even on v1 hierarchy with different
migration control rules (but checking migratee's creds in v1
eliminates effect of this patch).

3) Alternative approach would be to allow cpuset migrations only when
nothing effectively changes (which is the case for parent->child
migration upon controller enablement).

What do you mean by nothing effectively changes?

4) This is just idea draft, not tested in the real case.

Since the check is done on a taskset level, if only one of the tasks in the taskset fails, the whole taskset fails. Maybe we should consider an option for task based migration. So all the tasks that can be migrated will be migrated and the rests will be left behind in the original cpuset. Just a thought.

Cheers,
Longman

Next message: David Hildenbrand: "Re: [PATCH v10 15/69] damon: convert __damon_va_three_regions to use the VMA iterator"
Previous message: Fabio Estevam: "Re: [PATCH] arm64: dts: imx8mp: drop dmas property for uart console"
In reply to: Michal Koutný: "[RFC PATCH] cpuset: Allow setscheduler regardless of manipulated task"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]