Date: Wed, 1 Mar 2023 10:47:34 +0100
From: Michal Hocko
To: Suren Baghdasaryan
Cc: tj@kernel.org, hannes@cmpxchg.org, lizefan.x@bytedance.com, peterz@infradead.org, johunt@akamai.com, quic_sudaraja@quicinc.com, cgroups@vger.kernel.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 1/1] cgroup: limit cgroup psi file writes to processes with CAP_SYS_RESOURCE

On Tue 28-02-23 17:46:51, Suren Baghdasaryan wrote:
> Currently /proc/pressure/* files can be written only by processes with
> CAP_SYS_RESOURCE capability to prevent any unauthorized user from
> creating psi triggers. However no such limitation is required for
> per-cgroup pressure files. Fix this inconsistency by requiring the same
> capability for writing per-cgroup psi files.
>
> Fixes: 6db12ee0456d ("psi: allow unprivileged users with CAP_SYS_RESOURCE to write psi files")

Is this really a regression from this commit? 6db12ee0456d is changing
permissions of those files to be world writeable with the
CAP_SYS_RESOURCE requirement.
Permissions of cgroup files are not changed and the default mode is 644
(with root as an owner) so only privileged processes are allowed without
any delegation.

I think you should instead construct this slightly differently. The
ultimate goal is to allow a reasonable delegation after all, no? So keep
your current patch and extend it by removing the min timeout constraint
and justify the change by the necessity of the granularity tuning as
reported by Sudarshan Rajagopala. If this causes any regression then a
revert would also return the min timeout constraint back and we will
have to think about a different approach.

The consistency with the global case is a valid point only partially
because different cgroups might have different owners which is not
usually the case for the global psi interface, right?

Makes sense?
-- 
Michal Hocko
SUSE Labs
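
Added example (not part of the original message or of the patch under review): a small audit that walks a cgroup v2 tree and reports per-cgroup pressure files whose ownership or mode bits have been opened up by delegation, i.e. the cases where the 644/root default described above no longer holds. The function names and the sample tree are constructed for illustration; the check covers only the file permission layer, not any capability check the kernel applies on write.

```python
#!/usr/bin/env python3
"""Report cgroup v2 pressure files that a delegation has opened for writing."""
import os
import stat
import sys
import tempfile

# cgroup v2 PSI file names; anything else in the tree is ignored.
PSI_NAMES = {"cpu.pressure", "memory.pressure", "io.pressure"}


def audit_psi_files(root, trusted_uids=frozenset({0})):
    """Return sorted [(relative_path, [reasons])] for PSI files that someone
    outside trusted_uids can open for writing according to the mode bits."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in PSI_NAMES.intersection(files):
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            reasons = []
            if st.st_uid not in trusted_uids and st.st_mode & stat.S_IWUSR:
                reasons.append("owner-writable by uid %d" % st.st_uid)
            if st.st_mode & stat.S_IWGRP:
                reasons.append("group-writable")
            if st.st_mode & stat.S_IWOTH:
                reasons.append("world-writable")
            if reasons:
                findings.append((os.path.relpath(path, root), reasons))
    return sorted(findings)


def demo():
    """Audit a constructed tree: one default 644 file, two delegated ones."""
    sample = {"svc/memory.pressure": 0o644,       # default mode per the message
              "user/app/memory.pressure": 0o664,  # constructed delegation
              "user/app/cpu.pressure": 0o666,     # constructed delegation
              "user/app/cgroup.procs": 0o666}     # not a PSI file, ignored
    with tempfile.TemporaryDirectory() as root:
        for rel, mode in sample.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
            os.chmod(path, mode)
        # The temp files belong to the caller, so treat that uid as trusted.
        return audit_psi_files(root, trusted_uids={os.getuid()})


if __name__ == "__main__":
    rows = audit_psi_files(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for rel, reasons in rows:
        print("%s: %s" % (rel, ", ".join(reasons)))
```

Run with the cgroup mount point as the argument (typically /sys/fs/cgroup) to audit a live system; with no argument it audits the constructed sample tree.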