This is an automated email from the ASF dual-hosted git repository.

bmahler pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/mesos.git


The following commit(s) were added to refs/heads/master by this push:
     new 067e14e82 [device manager] Let non-wildcards entries check device 
access.
067e14e82 is described below

commit 067e14e8218acc1b95652b0452663e0c36c11043
Author: Jason Zhou <[email protected]>
AuthorDate: Thu Aug 1 14:11:45 2024 -0700

    [device manager] Let non-wildcards entries check device access.
    
    Currently, we only allow normal Entry instances for checking whether a
    device access would be allowed for a cgroup.
    
    We also want to allow NonWildcardEntry instances to do this.
    
    Review: https://reviews.apache.org/r/75135/
---
 .../device_manager/device_manager.cpp              | 47 ++++++++++++++--------
 .../device_manager/device_manager.hpp              |  1 +
 2 files changed, 31 insertions(+), 17 deletions(-)

diff --git a/src/slave/containerizer/device_manager/device_manager.cpp 
b/src/slave/containerizer/device_manager/device_manager.cpp
index c255880aa..fbc532d6e 100644
--- a/src/slave/containerizer/device_manager/device_manager.cpp
+++ b/src/slave/containerizer/device_manager/device_manager.cpp
@@ -45,26 +45,33 @@ namespace internal {
 namespace slave {
 
 
+Entry convert_to_entry(
+    const DeviceManager::NonWildcardEntry& non_wildcard_entry)
+{
+  Entry entry;
+  entry.access = non_wildcard_entry.access;
+  entry.selector.type = [&]() {
+    switch (non_wildcard_entry.selector.type) {
+      case DeviceManager::NonWildcardEntry::Selector::Type::BLOCK:
+        return Entry::Selector::Type::BLOCK;
+      case DeviceManager::NonWildcardEntry::Selector::Type::CHARACTER:
+        return Entry::Selector::Type::CHARACTER;
+    }
+    UNREACHABLE();
+  }();
+  entry.selector.major = non_wildcard_entry.selector.major;
+  entry.selector.minor = non_wildcard_entry.selector.minor;
+  return entry;
+}
+
+
 vector<Entry> convert_to_entries(
-    const vector<DeviceManager::NonWildcardEntry>& non_wildcards_entries)
+    const vector<DeviceManager::NonWildcardEntry>& non_wildcard_entries)
 {
   vector<Entry> entries = {};
-  foreach (const DeviceManager::NonWildcardEntry& non_wildcards_entry,
-           non_wildcards_entries) {
-    Entry entry;
-    entry.access = non_wildcards_entry.access;
-    entry.selector.type = [&]() {
-      switch (non_wildcards_entry.selector.type) {
-        case DeviceManager::NonWildcardEntry::Selector::Type::BLOCK:
-          return Entry::Selector::Type::BLOCK;
-        case DeviceManager::NonWildcardEntry::Selector::Type::CHARACTER:
-          return Entry::Selector::Type::CHARACTER;
-      }
-      UNREACHABLE();
-    }();
-    entry.selector.major = non_wildcards_entry.selector.major;
-    entry.selector.minor = non_wildcards_entry.selector.minor;
-    entries.push_back(entry);
+  foreach (const DeviceManager::NonWildcardEntry& non_wildcard,
+           non_wildcard_entries) {
+    entries.push_back(convert_to_entry(non_wildcard));
   }
   return entries;
 }
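Review bot: `convert_to_entry` now feeds an access decision (the second hunk routes `is_access_granted` through it), yet it carries no comment stating what it guarantees. As far as this diff shows, it also has external linkage without a declaration in the header. I would add `// Converts a NonWildcardEntry to the equivalent cgroups Entry; access, type, major and minor are copied unchanged.` above it. If no other translation unit calls it, mark it `static` or move it into an anonymous namespace. The `switch` without a `default` followed by `UNREACHABLE()` is worth keeping as written, since compilers with switch-coverage warnings enabled will then point at any selector type added later.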
@@ -390,6 +397,12 @@ bool DeviceManager::CgroupDeviceAccess::is_access_granted(
   return allowed() && !denied();
 }
 
+bool DeviceManager::CgroupDeviceAccess::is_access_granted(
+    const DeviceManager::NonWildcardEntry& query) const
+{
+  return is_access_granted(convert_to_entry(query));
+}
+
 
 DeviceManager::CgroupDeviceAccess::CgroupDeviceAccess(
   const std::vector<cgroups::devices::Entry>& _allow_list,
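Review bot: The new `is_access_granted(const NonWildcardEntry&)` overload is an access-control entry point, and the diffstat lists only device_manager.cpp and device_manager.hpp, so nothing in this commit exercises it. A small test could build the same device as both an `Entry` and a `NonWildcardEntry` and check that the two overloads agree. With constructed names, that is `EXPECT_EQ(access.is_access_granted(entry), access.is_access_granted(non_wildcard));`, repeated for an allowed, a denied and an unlisted device. The constructor that begins on the last lines of this hunk continues outside it.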
diff --git a/src/slave/containerizer/device_manager/device_manager.hpp 
b/src/slave/containerizer/device_manager/device_manager.hpp
index c1bf3c35d..a987895d5 100644
--- a/src/slave/containerizer/device_manager/device_manager.hpp
+++ b/src/slave/containerizer/device_manager/device_manager.hpp
@@ -72,6 +72,7 @@ public:
     // A device access is granted if it is encompassed by an allow entry
     // and does not have access overlaps with any deny entry.
     bool is_access_granted(const cgroups::devices::Entry& entry) const;
+    bool is_access_granted(const NonWildcardEntry& entry) const;
 
     // Returns an error if it the allow or deny lists are not normalized.
     static Try<CgroupDeviceAccess> create(
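Review bot: The added declaration names its parameter `entry` while the definition in device_manager.cpp names it `query`. Using one name in both places keeps header and implementation easy to match, e.g. `bool is_access_granted(const NonWildcardEntry& query) const;`. The comment above the existing overload covers the new one only because it converts and delegates, so a short `// Overload for non-wildcard entries; converts and delegates to the Entry overload.` would make that explicit. The class body continues outside the hunk.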
