From: Christian Brauner
Date: Sun, 1 Dec 2019 18:39:48 +0000 (+0100)
Subject: cgroups/devices: introduce ebpf device cgroup global rule types
X-Git-Tag: lxc-4.0.0~90^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fda39d451e9663392d94c53927c4239a7b392533;p=thirdparty%2Flxc.git

cgroups/devices: introduce ebpf device cgroup global rule types

Signed-off-by: Christian Brauner
---
diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c
index d41f486a0..306530097 100644
--- a/src/lxc/cgroups/cgfsng.c
+++ b/src/lxc/cgroups/cgfsng.c
@@ -2303,11 +2303,13 @@ static int device_cgroup_rule_parse(struct device_item *device, const char *key,
 device->type = 'a';
 device->major = -1;
 device->minor = -1;
- device->global_rule = device->allow;
+ device->global_rule = device->allow
+ ? LXC_BPF_DEVICE_CGROUP_BLACKLIST
+ : LXC_BPF_DEVICE_CGROUP_WHITELIST;
 device->allow = -1;
 return 0;
 } else {
- device->global_rule = -1;
+ device->global_rule = LXC_BPF_DEVICE_CGROUP_LOCAL_RULE;
 }
 switch (*val) {
diff --git a/src/lxc/cgroups/cgroup2_devices.c b/src/lxc/cgroups/cgroup2_devices.c
index 826f757df..72511ba71 100644
--- a/src/lxc/cgroups/cgroup2_devices.c
+++ b/src/lxc/cgroups/cgroup2_devices.c
@@ -173,6 +173,10 @@ struct bpf_program *bpf_program_new(uint32_t prog_type)
 prog->prog_type = prog_type;
 prog->kernel_fd = -EBADF;
+ /*
+ * By default a whitelist is used unless the user tells us otherwise.
+ */
+ prog->device_list_type = LXC_BPF_DEVICE_CGROUP_WHITELIST;
 return move_ptr(prog);
 }
@@ -216,8 +220,8 @@ int bpf_program_append_device(struct bpf_program *prog, struct device_item *devi
 return minus_one_set_errno(EINVAL);
 /* This is a global rule so no need to append anything. */
- if (device->global_rule >= 0) {
- prog->blacklist = device->global_rule;
+ if (device->global_rule > LXC_BPF_DEVICE_CGROUP_LOCAL_RULE) {
+ prog->device_list_type = device->global_rule;
 return 0;
 }
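Review bot: The new comment above `prog->device_list_type = LXC_BPF_DEVICE_CGROUP_WHITELIST;` says a whitelist is the default but not what that means for the program's verdict, which is the security-relevant part of the default. I would spell it out: `/* Default to a whitelist: deny every device access that has not been explicitly allowed, unless the config later switches the program to a blacklist (allow everything not listed). */`. "Unless the user tells us otherwise" could also name where that happens; from this commit the only other assignment to device_list_type is in bpf_program_append_device() when a global rule is appended, presumably driven by the container config. bpf_program_new starts outside the hunk.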
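Review bot: The guard `if (device->global_rule > LXC_BPF_DEVICE_CGROUP_LOCAL_RULE)` only works because LOCAL_RULE happens to be the lowest enum value (-1); the intent is "anything that is not the local-rule sentinel is a global rule", which `if (device->global_rule != LXC_BPF_DEVICE_CGROUP_LOCAL_RULE) {` states directly and which does not silently change meaning if the enum is ever renumbered. The value is then copied into `prog->device_list_type` unchecked, and bpf_program_finalize() emits that field verbatim as the program's return value, so a stray global_rule value other than WHITELIST or BLACKLIST would end up in the generated program; rejecting it here with `return minus_one_set_errno(EINVAL);` keeps the check next to the only place the value enters the program. bpf_program_append_device continues outside the hunk.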
@@ -292,7 +296,7 @@ int bpf_program_append_device(struct bpf_program *prog, struct device_item *devi
 int bpf_program_finalize(struct bpf_program *prog)
 {
 struct bpf_insn ins[] = {
- BPF_MOV64_IMM(BPF_REG_0, prog->blacklist ? 1 : 0),
+ BPF_MOV64_IMM(BPF_REG_0, prog->device_list_type),
 BPF_EXIT_INSN(),
 };
@@ -300,7 +304,9 @@ int bpf_program_finalize(struct bpf_program *prog)
 return minus_one_set_errno(EINVAL);
 TRACE("Implementing %s bpf device cgroup program",
- prog->blacklist ? "blacklist" : "whitelist");
+ prog->device_list_type == LXC_BPF_DEVICE_CGROUP_BLACKLIST
+ ? "blacklist"
+ : "whitelist");
 return bpf_program_add_instructions(prog, ins, ARRAY_SIZE(ins));
 }
@@ -443,9 +449,12 @@ int bpf_list_add_device(struct lxc_conf *conf, struct device_item *device)
 if (cur->global_rule != -1 && device->global_rule != -1) {
 TRACE("Switched from %s to %s",
- cur->global_rule == 0 ? "whitelist" : "blacklist",
- device->global_rule == 0 ? "whitelist"
- : "blacklist");
+ cur->global_rule == LXC_BPF_DEVICE_CGROUP_WHITELIST
+ ? "whitelist"
+ : "blacklist",
+ device->global_rule == LXC_BPF_DEVICE_CGROUP_WHITELIST
+ ? "whitelist"
+ : "blacklist");
 cur->global_rule = device->global_rule;
 return 1;
 }
diff --git a/src/lxc/cgroups/cgroup2_devices.h b/src/lxc/cgroups/cgroup2_devices.h
index a02735a1a..de37cd40e 100644
--- a/src/lxc/cgroups/cgroup2_devices.h
+++ b/src/lxc/cgroups/cgroup2_devices.h
@@ -63,7 +63,7 @@ static inline int missing_bpf(int cmd, union bpf_attr *attr, size_t size)
 #endif
 struct bpf_program {
- bool blacklist;
+ int device_list_type;
 int kernel_fd;
 uint32_t prog_type;
diff --git a/src/lxc/conf.h b/src/lxc/conf.h
index 9142d3171..cfd745616 100644
--- a/src/lxc/conf.h
+++ b/src/lxc/conf.h
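Review bot: `BPF_MOV64_IMM(BPF_REG_0, prog->device_list_type)` emits the raw enum value as the program's return code where the removed line normalised it with `prog->blacklist ? 1 : 0`, so the numeric values of the enum in conf.h have silently become the ABI of the generated program: WHITELIST must stay 0 (deny by default), BLACKLIST must stay 1 (allow by default), and any other value that reaches device_list_type is emitted as-is. The TRACE in the following hunk already decides by comparing against LXC_BPF_DEVICE_CGROUP_BLACKLIST; doing the same here, `BPF_MOV64_IMM(BPF_REG_0, prog->device_list_type == LXC_BPF_DEVICE_CGROUP_BLACKLIST ? 1 : 0),`, keeps the default verdict independent of how the enum is numbered and makes an unexpected value fail closed (return 0, deny) instead of producing a non-zero return that the kernel would presumably treat as allow. The body of bpf_program_finalize continues in the next hunk.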
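Review bot: The condition `if (cur->global_rule != -1 && device->global_rule != -1) {` still compares against the literal -1 while the rest of this commit replaces that sentinel with LXC_BPF_DEVICE_CGROUP_LOCAL_RULE, so the two now have to be kept in sync by hand. I would write `if (cur->global_rule != LXC_BPF_DEVICE_CGROUP_LOCAL_RULE && device->global_rule != LXC_BPF_DEVICE_CGROUP_LOCAL_RULE) {` so the sentinel has one definition. The new TRACE arguments also label every non-WHITELIST value "blacklist", which is correct for the two defined values but would mislabel anything else; comparing against LXC_BPF_DEVICE_CGROUP_BLACKLIST explicitly, as the TRACE in bpf_program_finalize does, avoids that. bpf_list_add_device starts and ends outside the hunk.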
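Review bot: `int device_list_type;` replaces a self-describing bool with a plain int, and nothing at the declaration says which values are legal or that bpf_program_finalize() emits the field directly as the program's return value. I would document it inline: `int device_list_type; /* LXC_BPF_DEVICE_CGROUP_WHITELIST or _BLACKLIST (conf.h); emitted by bpf_program_finalize() as the program's default return value */`. An enum-typed field would let the compiler flag stray assignments, but struct device_item stores the same values in an int as well, so a comment is the consistent minimum. struct bpf_program continues outside the hunk.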
@@ -230,15 +230,22 @@ struct lxc_state_client {
 lxc_state_t states[MAX_STATE];
 };
+enum {
+ LXC_BPF_DEVICE_CGROUP_WHITELIST = 0,
+ LXC_BPF_DEVICE_CGROUP_BLACKLIST = 1,
+ LXC_BPF_DEVICE_CGROUP_LOCAL_RULE = -1,
+};
+
 struct device_item {
 char type;
 int major;
 int minor;
 char access[4];
 int allow;
- /* -1 -> no global rule
- * 0 -> whitelist (deny all)
- * 1 -> blacklist (allow all)
+ /*
+ * LXC_BPF_DEVICE_CGROUP_LOCAL_RULE -> no global rule
+ * LXC_BPF_DEVICE_CGROUP_WHITELIST -> whitelist (deny all)
+ * LXC_BPF_DEVICE_CGROUP_BLACKLIST -> blacklist (allow all)
 */
 int global_rule;
 };
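Review bot: The numeric values of `LXC_BPF_DEVICE_CGROUP_WHITELIST = 0` and `LXC_BPF_DEVICE_CGROUP_BLACKLIST = 1` are load-bearing, because bpf_program_finalize() in this commit emits device_list_type directly as the eBPF program's return value and bpf_program_append_device() relies on LOCAL_RULE sorting below both, yet the enum carries no comment saying so. I would add one above it: `/* WHITELIST and BLACKLIST double as the device cgroup eBPF program's default return value (0 = deny, 1 = allow); do not renumber. LOCAL_RULE must stay negative. */`. Giving the enum a tag such as `enum lxc_bpf_device_list_type` would also make the intended type of device_item.global_rule and bpf_program.device_list_type visible instead of leaving both as bare ints. The struct definitions touched here are complete within the hunk.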