Hi Djalal.
On Mon, Aug 18, 2025 at 10:04:21AM +0100, Djalal Harouni <tixxdz@gmail.com> wrote:
> This patch series adds support to write cgroup interfaces from BPF.
> It is useful to freeze a cgroup hierarchy on suspicious activity for a more thorough analysis before killing it. Planned users of this feature are: systemd and BPF tools where the cgroup hierarchy could be a system service, user session, k8s pod or a container.
Could you please give a more specific example of the "suspicious activity"? The last time (v1) it was referring to LSM hooks, where such an asynchronous approach wasn't ideal. Also, why couldn't all these tools execute the cgroup actions themselves through the traditional userspace API?
One more point (for possible interference with lifecycles) -- what is the relation between cgroup in which the BPF code "runs" and cgroup that's target of the operation? (I hope this isn't supposed to run from BPF without process context.)
> Todo:
> - Limit size of data to be written.
> - Further tests.
> - Add cgroup kill support.
I'm missing the retrieval of freeze result in this plan :) cgroup kill would be simpler for PoC (and maybe even sufficient for your use case?).
Regards,
Michal
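For reference, the "traditional userspace API" path Michal mentions, together with the two points he raises (retrieving the freeze result, and the relation between the caller's cgroup and the target), as an added example that is not part of the patch series or of this thread. It assumes a cgroup v2 hierarchy mounted at /sys/fs/cgroup; the `caller_cgroup` subtree check and the polling of cgroup.events are this example's own design, not anything the series implements.

```python
"""Freeze a cgroup v2 hierarchy from userspace and wait for the freeze result.

Added example, not code from the patch series.  It shows the userspace path
(write to cgroup.freeze, read cgroup.events) and a check that the target lies
below the caller's own cgroup.  Assumption: cgroup v2 is mounted at
/sys/fs/cgroup.
"""
import os
import time

CGROUP_ROOT = "/sys/fs/cgroup"  # assumption: unified (v2) hierarchy mount point


def parse_proc_cgroup(text):
    """Return the unified-hierarchy path from /proc/<pid>/cgroup contents.

    cgroup v2 lines look like '0::/user.slice/user-1000.slice'.  Returns None
    when no v2 entry is present (pure v1 system).
    """
    for line in text.splitlines():
        parts = line.split(":", 2)
        if len(parts) == 3 and parts[0] == "0" and parts[1] == "":
            return parts[2]
    return None


def parse_cgroup_events(text):
    """Parse cgroup.events ('populated 1\\nfrozen 0') into a dict of ints."""
    events = {}
    for line in text.splitlines():
        key, _, value = line.partition(" ")
        if key and value.strip().isdigit():
            events[key] = int(value)
    return events


def is_descendant(target, ancestor):
    """True when cgroup path `target` is `ancestor` itself or lies below it."""
    ancestor = ancestor.rstrip("/") or "/"
    target = target.rstrip("/") or "/"
    if ancestor == "/":
        return True
    return target == ancestor or target.startswith(ancestor + "/")


def freeze_cgroup(target, caller_cgroup=None, timeout=5.0, freeze=True):
    """Write cgroup.freeze and wait until cgroup.events reports the new state.

    `target` is a v2 cgroup path relative to the hierarchy root, e.g.
    '/user.slice/app.slice/suspicious.scope' (constructed name).  When
    `caller_cgroup` is given, refuse to act on cgroups outside that subtree.
    Returns the final `frozen` value read from cgroup.events.
    """
    if caller_cgroup is not None and not is_descendant(target, caller_cgroup):
        raise PermissionError(f"{target} is not below {caller_cgroup}")
    cg_dir = os.path.join(CGROUP_ROOT, target.lstrip("/"))
    with open(os.path.join(cg_dir, "cgroup.freeze"), "w") as f:
        f.write("1" if freeze else "0")
    # The write returns before the tasks are actually frozen; the result is
    # only visible once cgroup.events reports frozen=1, so poll for it.
    deadline = time.monotonic() + timeout
    while True:
        with open(os.path.join(cg_dir, "cgroup.events")) as f:
            frozen = parse_cgroup_events(f.read()).get("frozen", 0)
        if frozen == int(freeze) or time.monotonic() >= deadline:
            return frozen
        time.sleep(0.05)


if __name__ == "__main__":
    import sys
    with open("/proc/self/cgroup") as f:
        own = parse_proc_cgroup(f.read())
    print("caller cgroup:", own)
    # Usage: python3 freeze.py /user.slice/app.slice/suspicious.scope
    print("frozen:", freeze_cgroup(sys.argv[1], caller_cgroup=own))
```

Running it against a real cgroup needs write access to that cgroup's directory; the parsing and subtree-check helpers work on plain strings, so they can be exercised without privileges.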