-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/75026/#review226649
-----------------------------------------------------------

Ship it!

Ship It!

- Benjamin Mahler


On July 9, 2024, 11:30 p.m., Jason Zhou wrote:

> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/75026/
> -----------------------------------------------------------
>
> (Updated July 9, 2024, 11:30 p.m.)
>
>
> Review request for mesos and Benjamin Mahler.
>
>
> Repository: mesos
>
>
> Description
> -------
>
> Currently, the EBPF program we generate has the behavior where the deny
> list has no effect, as we will allow device access iff the device
> matches an allow entry.
>
> Instead we want to grant access to a device iff it is in a cgroup's
> allow list *and not in its deny list.*
>
> This means that we need to change our existing logic, which exits on the
> first match. It is not our desired behavior because the current EBPF
> program construction logic puts the allow-device checks before the
> deny-device checks, meaning that if a device is on both the allow and deny
> lists for a cgroup, it will be granted access.
>
> This change revamps the EBPF program construction to now check both the
> allow and deny lists of a cgroup before determining whether access may be
> granted. Specifically, if a device is matched with an entry inside the
> allow list, we will also check whether it matches any entry on
> the deny list, and deny the device's access if that is the case.
>
> We also avoid generating specific parts of the EBPF program code to
> avoid creating unreachable code; explanations with a diagram are
> attached above the cgroups2::devices::DeviceProgram::build function.
>
>
> Diffs
> -----
>
> src/linux/cgroups.hpp 9be53e31e46129f019deeda5b7690f3b4e4004ce
> src/linux/cgroups.cpp c1272fbcac9926a378b0d8f69263be214fc21c5e
> src/linux/cgroups2.hpp 64254d04f65128713cf3489b25bcba42590b6020
> src/linux/cgroups2.cpp d1fc2638cdf9a07199f90952e04998072021011c
> src/tests/containerizer/cgroups2_tests.cpp cb1e229f7f40aa71f57417c33fccb2cfb313a1f5
>
>
> Diff: https://reviews.apache.org/r/75026/diff/12/
>
>
> Testing
> -------
>
> All Cgroups2 tests pass, i.e. the generated ebpf files pass the verifiers;
> tests were added for the new behavior when a device is on both the allow and
> deny lists, and a test that mismatched entries are ignored.
>
>
> Thanks,
>
> Jason Zhou
>
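The first-match bug and the allow-and-not-deny rule described in the review request, as an added C++ example that is not part of the Mesos change or of the eBPF program it generates. The `Device` layout, the `-1` wildcard convention and the two match predicates (`allowMatches`, `denyMatches`) are simplifying assumptions, not the project's own entry format.

```cpp
#include <vector>

// Added example, not Mesos code: models the allow/deny decision the review
// describes. The entry layout and match predicates are simplifying
// assumptions: type 'c'/'b'/'a', -1 as wildcard major/minor, r/w/m bits.
// The same struct describes a list entry and a requested access.
struct Device {
  char type;            // 'c' char device, 'b' block device, 'a' any device
  int major, minor;     // -1 = wildcard
  bool read, write, mknod;
};

static bool sameDevice(const Device& e, const Device& a) {
  return (e.type == 'a' || e.type == a.type) &&
         (e.major == -1 || e.major == a.major) &&
         (e.minor == -1 || e.minor == a.minor);
}

// Allow entries must cover every requested permission (assumption).
static bool allowMatches(const Device& e, const Device& a) {
  return sameDevice(e, a) && (!a.read || e.read) &&
         (!a.write || e.write) && (!a.mknod || e.mknod);
}

// Deny entries match conservatively: any overlap with a requested bit counts.
static bool denyMatches(const Device& e, const Device& a) {
  return sameDevice(e, a) &&
         ((a.read && e.read) || (a.write && e.write) || (a.mknod && e.mknod));
}

// Behaviour the review fixes: exit on the first match with allow checks
// first, so the deny list never affects a device that has an allow entry.
bool accessFirstMatch(const std::vector<Device>& allow,
                      const std::vector<Device>& deny, const Device& a) {
  for (const Device& e : allow) if (allowMatches(e, a)) return true;
  for (const Device& e : deny) if (denyMatches(e, a)) return false;
  return false;
}

// Intended behaviour: grant iff an allow entry matches AND no deny entry does.
bool accessAllowAndNotDeny(const std::vector<Device>& allow,
                           const std::vector<Device>& deny, const Device& a) {
  bool allowed = false;
  for (const Device& e : allow) if (allowMatches(e, a)) { allowed = true; break; }
  if (!allowed) return false;                                       // not in allow list
  for (const Device& e : deny) if (denyMatches(e, a)) return false; // in deny list too
  return true;
}
```

With a device that appears on both lists, `accessFirstMatch` grants the access and `accessAllowAndNotDeny` refuses it, which is exactly the difference the change is about.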
