----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/75026/ -----------------------------------------------------------
(Updated July 3, 2024, 8:15 p.m.) Review request for mesos and Benjamin Mahler. Changes ------- Revamp logic to remove reliance on spare register R6, added more tests, improved code generation to avoid unreachable code, added more documentation + diagram for example EBPF file structure Repository: mesos Description (updated) ------- In cgroups2, we want our EBPF file to only grant access to a device if it is in a cgroup's allow list and not in its deny list. This means that we need to change our existing logic, which exits on the first match. It is not our desired behavior because the current EBPF program construction logic puts the allow-device checks before the deny-device checks, meaning that if a device is on both allow and deny lists for a cgroup, it will be granted access. This change revamps the EBPF program construction to now check both the allow and deny list of a cgroup before determining whether access may be granted. Specifically, if a device is matched with an entry inside the allow list, we will also be checking if it matches with any entry on the deny list, and deny the device's access if that is the case. We also avoid generating specific parts of the EBPF program code to avoid creating unreachable code, explanations with a diagram are attached above the cgroups2::devices::DeviceProgram::configure function This patch implements the logic change, and removes functions that are no longer necessary for the DeviceProgram class. We now pass the entire allow and deny list to a configure function inside the DeviceProgram object, which will create a ebpf program with the updated logic and attempt to attach it to the cgroup. Diffs (updated) ----- src/linux/cgroups2.hpp 64254d04f65128713cf3489b25bcba42590b6020 src/linux/cgroups2.cpp d1fc2638cdf9a07199f90952e04998072021011c src/tests/containerizer/cgroups2_tests.cpp cb1e229f7f40aa71f57417c33fccb2cfb313a1f5 Diff: https://reviews.apache.org/r/75026/diff/5/ Changes: https://reviews.apache.org/r/75026/diff/4-5/ Testing ------- All Cgroups2 tests pass i.e. the generated ebpf files pass the verifiers, tests added for new behavior for when device is on both allow and deny list, and test that mismatched entries are ignored. Thanks, Jason Zhou
