This is an automated email from the ASF dual-hosted git repository. bmahler pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/mesos.git
commit e9bab29626da4de1293eaa1c916b9b15a89c94ff Author: Jason Zhou <[email protected]> AuthorDate: Fri Jul 26 17:24:17 2024 -0400 [cgroups2] Enforce normalization in configure. We currently do not enforce normalized allow and deny in configure. However, to ensure that we can generate an ebpf program that behaves correctly, we have to ensure that allow and deny are normalized. This patch adds a validation check to ensure that the allow and deny are normalized before attempting to generate the ebpf program. Review: https://reviews.apache.org/r/75114/ --- src/linux/cgroups2.cpp | 5 ++++ src/tests/containerizer/cgroups2_tests.cpp | 44 ++++++++++++++++++++++++++++++ 2 files changed, 49 insertions(+) diff --git a/src/linux/cgroups2.cpp b/src/linux/cgroups2.cpp index 5b027c5fb..9dd100aa6 100644 --- a/src/linux/cgroups2.cpp +++ b/src/linux/cgroups2.cpp @@ -1466,6 +1466,11 @@ Try<Nothing> configure( const vector<Entry>& allow, const vector<Entry>& deny) { + if (!normalized(allow) || !normalized(deny)) { + return Error( + "Failed to validate arguments: allow or deny lists are not normalized"); + } + Try<ebpf::Program> program = DeviceProgram::build(allow, deny); if (program.isError()) { diff --git a/src/tests/containerizer/cgroups2_tests.cpp b/src/tests/containerizer/cgroups2_tests.cpp index de31a330a..fc3899526 100644 --- a/src/tests/containerizer/cgroups2_tests.cpp +++ b/src/tests/containerizer/cgroups2_tests.cpp @@ -972,6 +972,50 @@ TEST(Cgroups2DevicesTest, NormalizeTest) cgroups2::devices::normalize(already_normalized)); } + +TEST_F(Cgroups2Test, CGROUPS2_ConfigureValidation) +{ + const string& cgroup = TEST_CGROUP; + + // Error if there is empty accesses in any entry. + devices::Entry empty_entry = CHECK_NOTERROR(devices::Entry::parse("c 1:3 w")); + empty_entry.access.read = false; + empty_entry.access.write = false; + empty_entry.access.mknod = false; + vector<devices::Entry> allow = {empty_entry}; + vector<devices::Entry> deny = { + CHECK_NOTERROR(devices::Entry::parse("c 1:3 w")) + }; + Try<Nothing> configure_status = devices::configure(cgroup, allow, deny); + EXPECT_ERROR(configure_status); + EXPECT_EQ("Failed to validate arguments: allow or deny lists are not" + " normalized", + configure_status.error()); + + // Error if there is any entry that shares the same type, major, and minor + // numbers with another entry in the same list. + allow = { + CHECK_NOTERROR(devices::Entry::parse("b 3:1 rw")), + CHECK_NOTERROR(devices::Entry::parse("b 3:1 m"))}; + deny = {CHECK_NOTERROR(devices::Entry::parse("c 1:3 w"))}; + configure_status = devices::configure(cgroup, allow, deny); + EXPECT_ERROR(configure_status); + EXPECT_EQ("Failed to validate arguments: allow or deny lists are not" + " normalized", + configure_status.error()); + + // Error if there are entries which are encompassed by another on the same + // list. + allow = { + CHECK_NOTERROR(devices::Entry::parse("c *:* rw")), + CHECK_NOTERROR(devices::Entry::parse("c 3:1 w"))}; + deny = {CHECK_NOTERROR(devices::Entry::parse("c 1:3 w"))}; + configure_status = devices::configure(cgroup, allow, deny); + EXPECT_ERROR(configure_status); + EXPECT_EQ("Failed to validate arguments: allow or deny lists are not" + " normalized", + configure_status.error()); +} } // namespace tests { } // namespace internal {
