Re: [PR] [cgroups2][ebpf] Configure device access permissions. [mesos]

Mon, 18 Mar 2024 15:54:08 -0700 


bmahler commented on code in PR #519:
URL: https://github.com/apache/mesos/pull/519#discussion_r1529414026


##########
src/linux/cgroups2.cpp:
##########
@@ -295,4 +296,152 @@ Try<set<string>> enabled(const string& cgroup)
 
 } // namespace controllers {
 
+namespace devices {
+
+const int ALLOW_ACCESS = 1;
+
+const int DENY_ACCESS = 0;
+
+// Utility class to construct an eBPF program to whitelist or blacklist
+// select device accesses.
+class DeviceProgram
+{
+public:
+  DeviceProgram() : program{ebpf::Program(BPF_PROG_TYPE_CGROUP_DEVICE)}
+  {
+    program.append({
+        // r2: Type ('c', 'b', '?')
+        BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
+        BPF_ALU32_IMM(BPF_AND, BPF_REG_2, 0xFFFF),
+        // r3: Access ('r', 'w', 'm')
+        BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 0),
+        BPF_ALU32_IMM(BPF_RSH, BPF_REG_3, 16),
+        // r4: Major Version
+        BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1, 4),
+        // r5: Minor Version
+        BPF_LDX_MEM(BPF_W, BPF_REG_5, BPF_REG_1, 8)});
+  }
+
+  Try<Nothing> allow(const Entry entry) { return addDevice(entry, true); }
+
+  Try<Nothing> deny(const Entry entry) { return addDevice(entry, false); }
+
+  Try<Nothing> addDevice(const Entry entry, bool allow)
+  {
+    // We create a block of bytecode with the format:
+    // 1. [ Type Check          ] ⤵
+    // 2. [ Access Check        ] ⤵

Review Comment:
   I understand that regardless of ordering, these all need to be checked and 
we jump out if any don't match, but it seems more natural to reason about 
checking in the same order that we'd be writing the logic if we were to code 
the logic if we weren't generating assembly, in which case I would imagine that 
the code would be written to first examine if this is the right device, then 
check access. It also seems a bit easier to reason about the access part if it 
resides closer to the final access code?



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to