On Thu, Aug 25, 2022 at 10:58:26AM -0700, Hao Luo [off-list ref] wrote:

Permission is a valid point about FD. There was discussion in an
earlier version of this patch series [0].

(I'm sorry, I didn't follow all the version discussions closely.)

I think the permissions are a non-issue when unprivileged BPF is
disabled. If it's allowed, I think it'd be better solved generally
within the BPF iterator framework. (Maybe it's already present, I didn't
check.)

(OT:

The good thing about ID is that it can be passed across processes 

FDs can be passed too (parent-child trivially, others via SCM_RIGHTS
message).

and it's meaningful to appear in logs. It's more user-friendly.

I'd say cgroup path wins both in meaning and user friendliness.
(Or maybe you meant different class of users.)
)

So we decided to support both.

I accept cgroup ids are an establish{ing,ed} way to refer to cgroups
from userspace. Hence my fixups for the BPF cgroup iter (another thread)
for better namespacing consisntency.

Thanks,
Michal