From a0f0e9df1d0a2291ae50165f45a2adc3e31b37c2 Mon Sep 17 00:00:00 2001
From: Christian Brauner
Date: Fri, 19 Feb 2021 04:31:40 +0100
Subject: [PATCH] bpf: comment bpf_cgroup_devices_update()

Signed-off-by: Christian Brauner
---
 src/lxc/cgroups/cgroup2_devices.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/src/lxc/cgroups/cgroup2_devices.c b/src/lxc/cgroups/cgroup2_devices.c
index 0fe99ce58..98e1f73c4 100644
--- a/src/lxc/cgroups/cgroup2_devices.c
+++ b/src/lxc/cgroups/cgroup2_devices.c
@@ -619,6 +619,20 @@ bool bpf_cgroup_devices_attach(struct cgroup_ops *ops,
 return log_trace(true, "Attached bpf program");
 }
+/*
+ * TODO: Clarify semantics.
+ * Specifically, when a user switches the type of device program, i.e. switches
+ * from blocking all devices by default to allowing all devices by default or
+ * vica versa do we reactivate the devices we have recorded so far or not?
+ * Specific example: The user configures a device program that blocks all
+ * devices by default apart from a small list of devices such as /dev/zero and
+ * /dev/null. Now the user switches to a device program that allows all devices
+ * by default. Naturally we skip all specific devices since they are
+ * encompassed in the global allow rule. But now assume the user switches back
+ * to a device program that blocks all devices by default. Do we reactivate the
+ * previously specific allowed devices, i.e. do we grant access to /dev/zero
+ * and /dev/null? My gut feeling is no, but I'm not sure.
+ */
 bool bpf_cgroup_devices_update(struct cgroup_ops *ops,
 struct bpf_devices *bpf_devices,
 struct device_item *new)
-- 
2.47.2
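Review bot: The new block comment above bpf_cgroup_devices_update() poses the open question about flipping between deny-by-default and allow-by-default programs, but it never states what the function does today in that case, so a reader still has to derive the present behaviour from the body, which lies entirely outside this hunk. Since the answer decides whether previously recorded allow entries silently come back into force after a policy switch, a closing line such as `* Current behaviour: <PLACEHOLDER: what the body does with recorded entries on a default-policy switch>` would make the TODO actionable for whoever resolves it. The sentence "Naturally we skip all specific devices since they are encompassed in the global allow rule" reads as a statement of fact; if it describes actual code rather than intent, saying so explicitly would help. Also, `vica versa` should read `vice versa`.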