-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/75109/#review226717
-----------------------------------------------------------




src/linux/cgroups2.cpp
Lines 1477 (patched)
<https://reviews.apache.org/r/75109/#comment314996>

    I was debating whether to print the allow/deny lists but decided against it because it was passed in from the outside.



src/tests/containerizer/cgroups2_tests.cpp
Lines 640 (patched)
<https://reviews.apache.org/r/75109/#comment314997>

    Most changes here are just to convert potentially unsafe dereferences to use CHECK_NOTERROR.


- Jason Zhou


On July 25, 2024, 2:23 p.m., Jason Zhou wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/75109/
> -----------------------------------------------------------
> 
> (Updated July 25, 2024, 2:23 p.m.)
> 
> 
> Review request for mesos and Benjamin Mahler.
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> Currently, the deny block matches a device access iff all accesses
> match on the deny block. For example, a rw access would not match the
> deny block even if the deny block had w access specified.
> 
> We would expect that the deny block should deny all accesses if the
> type, major, and minor number matches, and if any of the device accesses
> overlap with what's specified in the deny block.
> 
> Additionally, we enforce some basic validation on cgroups2::configure
> to ensure that we are able to generate a correct ebpf program.
> For the allow and deny lists passed to configure:
> 1. No Entry can have no accesses specified
> 2. No two entries on the same list can have the same type, major & minor
>    numbers.
> 3. No two entries on the same list can be encompassed by the other
>    entry.
> 
> 
> Diffs
> -----
> 
>   src/linux/cgroups2.hpp accaebdaddc85acdd96b87161ea441c77b025099 
>   src/linux/cgroups2.cpp cb3c425a46f33f5434f870c03dd7de5be3331ece 
>   src/tests/containerizer/cgroups2_tests.cpp c73045632f1bc102d42852b9095a4fe6e11839bb 
> 
> 
> Diff: https://reviews.apache.org/r/75109/diff/1/
> 
> 
> Testing
> -------
> 
> Added test case to test new deny block behavior, modified existing test cases 
> to fit the validation requirements of configure(). Added specific tests to 
> test configure() validation. Tests pass.
> 
> 
> Thanks,
> 
> Jason Zhou
> 
>
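
The deny-matching change and the three list checks from the description above, as an added C++ example that is not code from this review or from Mesos. Entry, Access and the function names are hypothetical, a major or minor of -1 is assumed to act as a wildcard, and rule 3 is read here as "one entry's device range and accesses both contain the other's".

```cpp
// Added illustration: Entry, Access and all function names are hypothetical,
// not the Mesos cgroups2 API. A major/minor of -1 is assumed to be a wildcard.
#include <cstddef>
#include <vector>

enum Access : unsigned { READ = 1, WRITE = 2 };

struct Entry {
  char type;        // 'b' (block) or 'c' (char).
  int devMajor;     // -1 = any major (assumption).
  int devMinor;     // -1 = any minor (assumption).
  unsigned access;  // Bitmask of Access values.
};

// True if `a` selects every device that `b` selects.
bool covers(const Entry& a, const Entry& b) {
  return a.type == b.type &&
         (a.devMajor < 0 || a.devMajor == b.devMajor) &&
         (a.devMinor < 0 || a.devMinor == b.devMinor);
}

// Behaviour described as current: deny only if every requested access is listed.
bool deniedSubset(const Entry& deny, const Entry& req) {
  return covers(deny, req) && (req.access & ~deny.access) == 0;
}

// Behaviour described as expected: deny if any requested access is listed.
bool deniedOverlap(const Entry& deny, const Entry& req) {
  return covers(deny, req) && (req.access & deny.access) != 0;
}

// The three list checks from the description, applied to one allow or deny list.
bool validList(const std::vector<Entry>& list) {
  for (std::size_t i = 0; i < list.size(); ++i) {
    if (list[i].access == 0) return false;               // Rule 1.
    for (std::size_t j = i + 1; j < list.size(); ++j) {
      const Entry& a = list[i];
      const Entry& b = list[j];
      if (covers(a, b) && covers(b, a)) return false;    // Rule 2.
      // Rule 3 (assumed reading): device range and accesses both contained.
      if (covers(a, b) && (b.access & ~a.access) == 0) return false;
      if (covers(b, a) && (a.access & ~b.access) == 0) return false;
    }
  }
  return true;
}
```

With a deny entry that lists only w, a rw request slips past `deniedSubset` but is caught by `deniedOverlap`, which is the gap the description points at.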
