device->type = 'a';
device->major = -1;
device->minor = -1;
- device->global_rule = device->allow;
+ device->global_rule = device->allow
+ ? LXC_BPF_DEVICE_CGROUP_BLACKLIST
+ : LXC_BPF_DEVICE_CGROUP_WHITELIST;
device->allow = -1;
return 0;
} else {
- device->global_rule = -1;
+ device->global_rule = LXC_BPF_DEVICE_CGROUP_LOCAL_RULE;
}
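Review bot: The mapping on the new lines is inverted relative to what a reader expects, and nothing in the hunk says why: an `allow` rule for the wildcard device selects BLACKLIST, a deny rule selects WHITELIST. That is correct given the comment elsewhere in this commit ("blacklist (allow all)"), but it deserves a line at the point of use, e.g. `/* "allow a" = allow everything by default (blacklist mode); "deny a" = deny everything by default (whitelist mode). */` above the assignment. The enclosing function starts before this hunk, so I cannot see how `device->allow` was set before reaching here.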
switch (*val) {
prog->prog_type = prog_type;
prog->kernel_fd = -EBADF;
+ /*
+ * By default a whitelist is used unless the user tells us otherwise.
+ */
+ prog->device_list_type = LXC_BPF_DEVICE_CGROUP_WHITELIST;
return move_ptr(prog);
}
return minus_one_set_errno(EINVAL);
/* This is a global rule so no need to append anything. */
- if (device->global_rule >= 0) {
- prog->blacklist = device->global_rule;
+ if (device->global_rule > LXC_BPF_DEVICE_CGROUP_LOCAL_RULE) {
+ prog->device_list_type = device->global_rule;
return 0;
}
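Review bot: The new condition `device->global_rule > LXC_BPF_DEVICE_CGROUP_LOCAL_RULE` encodes the intent "is not the local-rule sentinel" through the accidental ordering of the enum values (LOCAL_RULE is -1, the two list types are 0 and 1), and the next line then copies `global_rule` straight into `prog->device_list_type`, which the finalize step turns into the program's default verdict. Any future enum value that is not a list type would silently pass this check. Spell the intent out instead: `if (device->global_rule != LXC_BPF_DEVICE_CGROUP_LOCAL_RULE) {`. The enclosing function starts before this hunk.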
int bpf_program_finalize(struct bpf_program *prog)
{
struct bpf_insn ins[] = {
- BPF_MOV64_IMM(BPF_REG_0, prog->blacklist ? 1 : 0),
+ BPF_MOV64_IMM(BPF_REG_0, prog->device_list_type),
BPF_EXIT_INSN(),
};
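Review bot: `BPF_MOV64_IMM(BPF_REG_0, prog->device_list_type)` loads the raw enum value as the program's default return value, dropping the explicit `? 1 : 0` normalization the removed line had. Judging by that removed line, a non-zero return means "allow", so if `device_list_type` ever holds anything other than 0 or 1 (the `LXC_BPF_DEVICE_CGROUP_LOCAL_RULE` sentinel is -1, and the field is assigned from `global_rule` elsewhere in this commit) the default verdict fails open to allow-all. Keep the normalization so the enum numbering is not load-bearing: `BPF_MOV64_IMM(BPF_REG_0, prog->device_list_type == LXC_BPF_DEVICE_CGROUP_BLACKLIST ? 1 : 0),`. bpf_program_finalize continues past the end of this hunk.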
return minus_one_set_errno(EINVAL);
TRACE("Implementing %s bpf device cgroup program",
- prog->blacklist ? "blacklist" : "whitelist");
+ prog->device_list_type == LXC_BPF_DEVICE_CGROUP_BLACKLIST
+ ? "blacklist"
+ : "whitelist");
return bpf_program_add_instructions(prog, ins, ARRAY_SIZE(ins));
}
if (cur->global_rule != -1 && device->global_rule != -1) {
TRACE("Switched from %s to %s",
- cur->global_rule == 0 ? "whitelist" : "blacklist",
- device->global_rule == 0 ? "whitelist"
- : "blacklist");
+ cur->global_rule == LXC_BPF_DEVICE_CGROUP_WHITELIST
+ ? "whitelist"
+ : "blacklist",
+ device->global_rule == LXC_BPF_DEVICE_CGROUP_WHITELIST
+ ? "whitelist"
+ : "blacklist");
cur->global_rule = device->global_rule;
return 1;
}
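Review bot: The guarding condition on the first line of this hunk still compares against the magic `-1` on both sides, while the TRACE arguments directly below were converted to the new constants; this is exactly the kind of bare value the commit sets out to remove, and it will go stale if the sentinel is ever renumbered. Change it to `if (cur->global_rule != LXC_BPF_DEVICE_CGROUP_LOCAL_RULE && device->global_rule != LXC_BPF_DEVICE_CGROUP_LOCAL_RULE) {`. The TRACE ternaries also report anything that is not WHITELIST as "blacklist", which is fine today with two list types but worth a `/* only two list types exist */` note. The enclosing function starts before this hunk.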
lxc_state_t states[MAX_STATE];
};
+enum {
+ LXC_BPF_DEVICE_CGROUP_WHITELIST = 0,
+ LXC_BPF_DEVICE_CGROUP_BLACKLIST = 1,
+ LXC_BPF_DEVICE_CGROUP_LOCAL_RULE = -1,
+};
+
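Review bot: The enum is introduced without a comment, yet its numeric values are not free to change: elsewhere in this commit `LXC_BPF_DEVICE_CGROUP_WHITELIST`/`BLACKLIST` are copied into `prog->device_list_type` and then emitted as the immediate the device-cgroup program returns, and `LOCAL_RULE` is the "no global rule" sentinel that several comparisons rely on being distinct from both. A header comment should say so, roughly: WHITELIST (0) means deny by default, BLACKLIST (1) means allow by default, the values double as the BPF program's default verdict and must stay 0 and 1, and LOCAL_RULE marks a device entry that carries no global policy. Giving the enum a tag (e.g. `enum lxc_bpf_device_cgroup_list_type`) would also let `global_rule` and `device_list_type` be declared with it instead of `int`.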
struct device_item {
char type;
int major;
int minor;
char access[4];
int allow;
- /* -1 -> no global rule
- * 0 -> whitelist (deny all)
- * 1 -> blacklist (allow all)
+ /*
+ * LXC_BPF_DEVICE_CGROUP_LOCAL_RULE -> no global rule
+ * LXC_BPF_DEVICE_CGROUP_WHITELIST -> whitelist (deny all)
+ * LXC_BPF_DEVICE_CGROUP_BLACKLIST -> blacklist (allow all)
*/
int global_rule;
};
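Review bot: The rewritten comment documents `global_rule` but leaves `allow` undocumented, and this commit's wildcard path sets `device->allow = -1` after folding an `a` rule into `global_rule`, so `allow` now carries a third state besides the allow/deny it is named for. Add a line above `int allow;` such as `/* 1 = allow, 0 = deny; -1 once the entry has been folded into global_rule */` so readers do not treat it as a boolean. Whether any other code still reads `allow` after it is set to -1 is not visible in this diff.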