-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/75026/#review226626
-----------------------------------------------------------




src/tests/containerizer/cgroups2_tests.cpp
Lines 669-671 (patched)
<https://reviews.apache.org/r/75026/#comment314898>

    might want to test some more cases here:
    
    * allow all char devices but deny one?


- Benjamin Mahler


On June 3, 2024, 7:45 p.m., Jason Zhou wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/75026/
> -----------------------------------------------------------
> 
> (Updated June 3, 2024, 7:45 p.m.)
> 
> 
> Review request for mesos and Benjamin Mahler.
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> In cgroups2, we want our eBPF file to only grant access to a device if it is in a cgroup's allow list and not in its deny list.
> This means that we need to change our previous logic that exits on the first match to now check both the allow and deny list of a cgroup before determining whether access may be granted.
> 
> This patch implements the logic change, and removes functions that are no longer necessary for the DeviceProgram class.
> We now pass the entire allow and deny list to a configure function inside the DeviceProgram object, which will create an eBPF program with the updated logic and attempt to attach it to the cgroup.
> 
> 
> Diffs
> -----
> 
>   src/linux/cgroups2.hpp 64254d04f65128713cf3489b25bcba42590b6020 
>   src/linux/cgroups2.cpp 9e2ca2207a4e407fb6b07b6fbf709bbc3b397673 
>   src/tests/containerizer/cgroups2_tests.cpp cb1e229f7f40aa71f57417c33fccb2cfb313a1f5 
> 
> 
> Diff: https://reviews.apache.org/r/75026/diff/4/
> 
> 
> Testing
> -------
> 
> All Cgroups2 tests pass, i.e. the generated eBPF files pass the verifiers; tests added for new behavior when a device is on both the allow and deny list, and a test that mismatched entries are ignored.
> 
> 
> Thanks,
> 
> Jason Zhou
> 
>
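
The allow-and-not-deny rule from the description above, modelled in plain C++ as an added example; it is not part of this review or of the Mesos code base. The types, the `ANY` wildcard, `selects` and `mayAccess` are hypothetical names, and treating a deny entry as matching on any overlapping access bit is an assumption of this example.

```cpp
#include <algorithm>
#include <cstdint>
#include <vector>

// Hypothetical model types for illustration; not the Mesos cgroups2 API.
enum class DevType { ALL, CHAR, BLOCK };
enum Access : uint8_t { READ = 1, WRITE = 2, MKNOD = 4 };
const long long ANY = -1;  // stands for the '*' wildcard

struct Entry { DevType type; long long devMajor; long long devMinor; uint8_t access; };
struct Request { DevType type; long long devMajor; long long devMinor; uint8_t access; };

// True when the entry's type/major/minor selector covers the device.
static bool selects(const Entry& e, const Request& r) {
  return (e.type == DevType::ALL || e.type == r.type) &&
         (e.devMajor == ANY || e.devMajor == r.devMajor) &&
         (e.devMinor == ANY || e.devMinor == r.devMinor);
}

// Grant only if some allow entry covers every requested access bit and no
// deny entry overlaps a requested bit. Both lists are always consulted;
// nothing returns on the first matching entry.
// Assumption of this example: a deny entry blocks on any overlapping bit.
bool mayAccess(const std::vector<Entry>& allow,
               const std::vector<Entry>& deny,
               const Request& r) {
  bool allowed = std::any_of(allow.begin(), allow.end(), [&](const Entry& e) {
    return selects(e, r) && (e.access & r.access) == r.access;
  });
  bool denied = std::any_of(deny.begin(), deny.end(), [&](const Entry& e) {
    return selects(e, r) && (e.access & r.access) != 0;
  });
  return allowed && !denied;
}

int main() {
  // Constructed case: allow every char device, deny char 1:3.
  std::vector<Entry> allow = {{DevType::CHAR, ANY, ANY, READ | WRITE | MKNOD}};
  std::vector<Entry> deny = {{DevType::CHAR, 1, 3, READ | WRITE | MKNOD}};
  bool denied13 = !mayAccess(allow, deny, {DevType::CHAR, 1, 3, READ});
  bool allowed15 = mayAccess(allow, deny, {DevType::CHAR, 1, 5, READ});
  return (denied13 && allowed15) ? 0 : 1;
}
```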
