Re: [RFC v2 09/10] landlock: Handle cgroups (performance)

2016-08-30 Thread Andy Lutomirski
On Tue, Aug 30, 2016 at 6:36 PM, Alexei Starovoitov wrote: > On Tue, Aug 30, 2016 at 02:45:14PM -0700, Andy Lutomirski wrote: >> >> One might argue that landlock shouldn't be tied to seccomp (in theory, >> attached progs could be given access to syscall_get_xyz()), but I > > proposed lsm is way

Re: [RFC v2 09/10] landlock: Handle cgroups (performance)

2016-08-30 Thread Alexei Starovoitov
On Tue, Aug 30, 2016 at 02:45:14PM -0700, Andy Lutomirski wrote: > > One might argue that landlock shouldn't be tied to seccomp (in theory, > attached progs could be given access to syscall_get_xyz()), but I proposed lsm is way more powerful than syscall_get_xyz. no need to dumb it down. >

Re: [RFC v2 09/10] landlock: Handle cgroups (performance)

2016-08-30 Thread Andy Lutomirski
On Aug 30, 2016 1:56 PM, "Alexei Starovoitov" wrote: > > On Tue, Aug 30, 2016 at 10:33:31PM +0200, Mickaël Salaün wrote: > > > > > > On 30/08/2016 22:23, Andy Lutomirski wrote: > > > On Tue, Aug 30, 2016 at 1:20 PM, Mickaël Salaün wrote: > > >> > > >> On 30/08/2016 20:55, Andy Lutomirski wrote:

Re: [RFC v2 09/10] landlock: Handle cgroups (performance)

2016-08-30 Thread Alexei Starovoitov
On Tue, Aug 30, 2016 at 10:33:31PM +0200, Mickaël Salaün wrote: > > > On 30/08/2016 22:23, Andy Lutomirski wrote: > > On Tue, Aug 30, 2016 at 1:20 PM, Mickaël Salaün wrote: > >> > >> On 30/08/2016 20:55, Andy Lutomirski wrote: > >>> On Sun, Aug 28, 2016 at 2:42 AM, Mickaël Salaün wrote: >

Re: [RFC v2 09/10] landlock: Handle cgroups (performance)

2016-08-30 Thread Mickaël Salaün
On 30/08/2016 22:23, Andy Lutomirski wrote: > On Tue, Aug 30, 2016 at 1:20 PM, Mickaël Salaün wrote: >> >> On 30/08/2016 20:55, Andy Lutomirski wrote: >>> On Sun, Aug 28, 2016 at 2:42 AM, Mickaël Salaün wrote: On 28/08/2016 10:13, Andy Lutomirski wrote: > On Aug 27, 2016

Re: [RFC v2 09/10] landlock: Handle cgroups (performance)

2016-08-30 Thread Andy Lutomirski
On Tue, Aug 30, 2016 at 1:20 PM, Mickaël Salaün wrote: > > On 30/08/2016 20:55, Andy Lutomirski wrote: >> On Sun, Aug 28, 2016 at 2:42 AM, Mickaël Salaün wrote: >>> >>> >>> On 28/08/2016 10:13, Andy Lutomirski wrote: On Aug 27, 2016 11:14 PM, "Mickaël Salaün" wrote: > > > On

Re: [RFC v2 09/10] landlock: Handle cgroups (performance)

2016-08-30 Thread Mickaël Salaün
On 30/08/2016 20:55, Andy Lutomirski wrote: > On Sun, Aug 28, 2016 at 2:42 AM, Mickaël Salaün wrote: >> >> >> On 28/08/2016 10:13, Andy Lutomirski wrote: >>> On Aug 27, 2016 11:14 PM, "Mickaël Salaün" wrote: On 27/08/2016 22:43, Alexei Starovoitov wrote: > On Sat, Aug 27,

Re: [RFC v2 09/10] landlock: Handle cgroups (performance)

2016-08-30 Thread Andy Lutomirski
On Sun, Aug 28, 2016 at 2:42 AM, Mickaël Salaün wrote: > > > On 28/08/2016 10:13, Andy Lutomirski wrote: >> On Aug 27, 2016 11:14 PM, "Mickaël Salaün" wrote: >>> >>> >>> On 27/08/2016 22:43, Alexei Starovoitov wrote: On Sat, Aug 27, 2016 at 09:35:14PM +0200, Mickaël Salaün wrote: > On

Re: [RFC v2 09/10] landlock: Handle cgroups (performance)

2016-08-28 Thread Mickaël Salaün
On 28/08/2016 10:13, Andy Lutomirski wrote: > On Aug 27, 2016 11:14 PM, "Mickaël Salaün" wrote: >> >> >> On 27/08/2016 22:43, Alexei Starovoitov wrote: >>> On Sat, Aug 27, 2016 at 09:35:14PM +0200, Mickaël Salaün wrote: On 27/08/2016 20:06, Alexei Starovoitov wrote: > On Sat, Aug 27,

Re: [RFC v2 09/10] landlock: Handle cgroups (performance)

2016-08-28 Thread Andy Lutomirski
On Aug 27, 2016 11:14 PM, "Mickaël Salaün" wrote: > > > On 27/08/2016 22:43, Alexei Starovoitov wrote: > > On Sat, Aug 27, 2016 at 09:35:14PM +0200, Mickaël Salaün wrote: > >> On 27/08/2016 20:06, Alexei Starovoitov wrote: > >>> On Sat, Aug 27, 2016 at 04:06:38PM +0200, Mickaël Salaün wrote: >

Re: [RFC v2 09/10] landlock: Handle cgroups (performance)

2016-08-27 Thread Mickaël Salaün
On 27/08/2016 22:43, Alexei Starovoitov wrote: > On Sat, Aug 27, 2016 at 09:35:14PM +0200, Mickaël Salaün wrote: >> On 27/08/2016 20:06, Alexei Starovoitov wrote: >>> On Sat, Aug 27, 2016 at 04:06:38PM +0200, Mickaël Salaün wrote: As said above, Landlock will not run an eBPF programs when

Re: [RFC v2 09/10] landlock: Handle cgroups (performance)

2016-08-27 Thread Alexei Starovoitov
On Sat, Aug 27, 2016 at 09:35:14PM +0200, Mickaël Salaün wrote: > > On 27/08/2016 20:06, Alexei Starovoitov wrote: > > On Sat, Aug 27, 2016 at 04:06:38PM +0200, Mickaël Salaün wrote: > >> > >> On 27/08/2016 01:05, Alexei Starovoitov wrote: > >>> On Fri, Aug 26, 2016 at 05:10:40PM +0200, Mickaël

Re: [RFC v2 09/10] landlock: Handle cgroups (performance)

2016-08-27 Thread Mickaël Salaün
On 27/08/2016 20:06, Alexei Starovoitov wrote: > On Sat, Aug 27, 2016 at 04:06:38PM +0200, Mickaël Salaün wrote: >> >> On 27/08/2016 01:05, Alexei Starovoitov wrote: >>> On Fri, Aug 26, 2016 at 05:10:40PM +0200, Mickaël Salaün wrote: > > - I don't think such 'for' loop can scale. The

Re: [RFC v2 09/10] landlock: Handle cgroups (performance)

2016-08-27 Thread Alexei Starovoitov
On Sat, Aug 27, 2016 at 04:06:38PM +0200, Mickaël Salaün wrote: > > On 27/08/2016 01:05, Alexei Starovoitov wrote: > > On Fri, Aug 26, 2016 at 05:10:40PM +0200, Mickaël Salaün wrote: > >> > >>> > >>> - I don't think such 'for' loop can scale. The solution needs to work > >>> with thousands of

Re: [RFC v2 09/10] landlock: Handle cgroups (performance)

2016-08-27 Thread Mickaël Salaün
On 27/08/2016 01:05, Alexei Starovoitov wrote: > On Fri, Aug 26, 2016 at 05:10:40PM +0200, Mickaël Salaün wrote: >> >>> >>> - I don't think such 'for' loop can scale. The solution needs to work >>> with thousands of containers and thousands of cgroups. >>> In the patch 06/10 the proposal is to
