Re: Review Request 75026: [cgroups2] Fix allow deny semantics for device access.

Tue, 09 Jul 2024 16:30:22 -0700 

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/75026/
-----------------------------------------------------------

(Updated July 9, 2024, 11:30 p.m.)


Review request for mesos and Benjamin Mahler.


Changes
-------

Rewrite the configure function into static function


Summary (updated)
-----------------

[cgroups2] Fix allow deny semantics for device access.


Repository: mesos


Description (updated)
-------

Currently, the EBPF program we generate has the behavior where the deny
list has no effect, as we will allow device access iff the device
matched with an allow entry.

Instead we want to grant access to a device iff it is in a cgroup's
allow list *and not in its deny list.*

This means that we need to change our existing logic, which exits on the
first match. It is not our desired behavior because the current EBPF
program construction logic puts the allow-device checks before the
deny-device checks, meaning that if a device is on both allow and deny
lists for a cgroup, it will be granted access.

This change revamps the EBPF program construction to now check both the
allow and deny list of a cgroup before determining whether access may be
granted. Specifically, if a device is matched with an entry inside the
allow list, we will also be checking if it matches with any entry on
the deny list, and deny the device's access if that is the case.

We also avoid generating specific parts of the EBPF program code to
avoid creating unreachable code, explanations with a diagram are
attached above the cgroups2::devices::DeviceProgram::build function.


Diffs (updated)
-----

  src/linux/cgroups.hpp 9be53e31e46129f019deeda5b7690f3b4e4004ce 
  src/linux/cgroups.cpp c1272fbcac9926a378b0d8f69263be214fc21c5e 
  src/linux/cgroups2.hpp 64254d04f65128713cf3489b25bcba42590b6020 
  src/linux/cgroups2.cpp d1fc2638cdf9a07199f90952e04998072021011c 
  src/tests/containerizer/cgroups2_tests.cpp 
cb1e229f7f40aa71f57417c33fccb2cfb313a1f5 


Diff: https://reviews.apache.org/r/75026/diff/11/

Changes: https://reviews.apache.org/r/75026/diff/10-11/


Testing
-------

All Cgroups2 tests pass i.e. the generated ebpf files pass the verifiers, tests 
added for new behavior for when device is on both allow and deny list, and test 
that mismatched entries are ignored.


Thanks,

Jason Zhou

Reply via email to