Ken'ichi Ohmichi wrote: > Hi Dhaval and KAMEZAWA-san, > > Dhaval Giani wrote: >>>>> I have no strong opinion but I feel only "comm" can be too short for >>>>> enterprise users. I saw 3 version of "java" runs under different >>>>> applications >>>>> in user's environment, all uid were "root". (oh, yes, seems crazy ;) >>>>> >>>> True, but I think we need to keep the configuration file as simple as >>>> possible for it to be useful. >>> I have a little headache, and I'd like to clarify some requests. >>> >>> 1) Handle a shell process by a rule based on shell name. (KAMEZAWA) >>> 2) Handle a process by a rule based on full path of command. (KAMEZAWA) >>> 3) Keep the configuration file as simple as possible. (Dhaval) >>> >> Actually, you can drop 3 as a requirement as long as you provide some >> tool as well which will allow these configuration files to be formed. > > How about the following rule ? > > NEW RULE (/etc/cgrules.conf): > ============================= > EXISTING) <user> <controllers> <destination> > NEW1) <user>:<process name> <controllers> <destination> > NEW2) <user>:<full path of command> <controllers> <destination> > > I add NEW2 rule and the example is : > root:/bin/cp cpuset group01 > > I feel we can get the full path of both a command and shell script name > by the following logic. > > 1) Get a process name from /proc/<pid>/status. > 2) Get the full path from the link destination of /proc/<pid>/exe. > 2.1) If the basename of the name 2) matches the name 1), the name 2) > is the full path of a process. > (We should take care of the length of the name 1).) > 2.2) If not (almost shell script), get the full path from both > /proc/<pid>/cmdline and the link destination of /proc/<pid>/cwd.
I think cwd can be changed, it may point to different directory than it was pointing at time of exec(). On the other hand, I don't have better solution... All this reading from /proc is IMHO very weak, too many things can happen between exec() and the time cgrulesengd processes the exec event. Dhaval, you are kernel guy, would it be possible to extend the netlink interface and add actual process name and cmdline to PROC_EVENT_EXEC? That's the best I can think of. Jan ------------------------------------------------------------------------------ Register Now for Creativity and Technology (CaT), June 3rd, NYC. CaT is a gathering of tech-side developers & brand creativity professionals. Meet the minds behind Google Creative Lab, Visual Complexity, Processing, & iPhoneDevCamp as they present alongside digital heavyweights like Barbarian Group, R/GA, & Big Spaceship. http://p.sf.net/sfu/creativitycat-com _______________________________________________ Libcg-devel mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/libcg-devel
