Re: [PATCH 2/4] cgroup: add bpf hook for attach

Next message: Andrew Lunn: "Re: [RFC PATCH 6/8] dt-bindings: net: Add PTP interrupt support"
Previous message: Rio: "[PATCH] kernel/panic: increase buffer size for verbose taint logging"
In reply to: Christian Brauner: "[PATCH 2/4] cgroup: add bpf hook for attach"
Next in thread: Christian Brauner: "Re: [PATCH 2/4] cgroup: add bpf hook for attach"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Tejun Heo

Date: Fri Feb 20 2026 - 10:16:37 EST

Hello,

On Fri, Feb 20, 2026 at 01:38:30AM +0100, Christian Brauner wrote:
> Add a hook to manage attaching tasks to cgroup. I'm in the process of
> adding various "universal truth" bpf programs to systemd that will make
> use of this.
>
> This has been a long-standing request (cf. [1] and [2]). It will allow us to
> enforce cgroup migrations and ensure that services can never escape their
> cgroups. This is just one of many use-cases.

>From cgroup POV, this looks fine to me but I'm curious whether something
dumber would also work. With CLONE_INTO_CGROUP, cgroup migration isn't
necessary at all. Would something dumber like a mount option disabling
cgroup migrations completely work too or would that be too restrictive?

Thanks.

--
tejun