Thread: 23 messages, 3 authors, 2012-12-06

Re: [PATCH 3/5] device_cgroup: keep track of local group settings

From: Serge E. Hallyn <hidden>
Date: 2012-12-06 04:26:47
Also in: lkml

Quoting Aristeu Rozanski (aris-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org):
> On Mon, Dec 03, 2012 at 06:01:25PM +0000, Serge E. Hallyn wrote:
> > First, generally, I don't think 'allows' added to parent should be
> > automatically propagated to descendents.
>
> that's what I think too and what I tried to do
>
> > In devcgroup_update_access: (around line 625)
> > 	there is a period of time where cgroup members have
> > 	default allow without the parent's exceptions.
>
> true, will fix that one and look for more cases
>
> > propagate_behavior (line 505):
> > 	1. doesn't follow the same ordering as devcgroup_update_access(), in
> > 	particular cleaning exceptions before setting behavior.
>
> I see, will update that
>
> > 	2. When changing a parent from deny to allow, I don't think children
> > 	should be updated.
>
> I disagree on this one. since there'll be local preferences, it'll try
> to revalidate them every time there's a change. so, for example, an
> exception that might not be possible now, will be possible when its
> parent changes in a way that allows that.

My concern is just practical - if I've started a bunch of containers,
and another admin decides to make a change to the root devices cgroup,
I don't want the container's device accesses now changing.

Maybe that's better solved by having all of userspace sit in /system
while containers and vms sit under /lxc and /libvirt...

-serge