cgroup2: devices filtering cleanup #2951
Commits on May 23, 2021
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
Commit c7c70ce
libcontainer: fix integration failure in "make test"
When running inside a Docker container, systemd is not available. The new TestFdLeaksSystemd forgot to include the relevant t.Skip section.
Fixes: a7feb42 ("libct/int: add TestFdLeaksSystemd")
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
Commit 5490451
devices: add emulator.Rules shorthand
The devices cgroup emulator is also useful for removing unneeded rules as well as computing what the final default-allow state of the filter will be (allow-list or deny-list).
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
Commit dcc1cf7
cgroup2: devices: switch to emulator for cgroupv1 parity
There were several issues with the previous cgroupv2 devices filter generator implementation, stemming from the previous implementation using a few too many tricks to implement the correct cgroup behaviour (rules were handled in reverse order, with wildcards having particularly special interpretations). As a result, some slightly odd configurations with rules in specific orders could result in incorrect filters being generated. By switching to the emulator which is already used by cgroupv1, we can guarantee that the behaviour of filters in both cgroup versions will be identical, as well as making use of the hardenings in the emulator (not allowing users to add deny rules the kernel will ignore). (Note that because the ordering of the devices emulator rules is deterministic and based on the rule value, the existing test rules had to be reordered slightly.)
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
Commit 98a3c0e
cgroup2: devices: replace all existing filters when attaching
In the normal cases (only one existing filter or no existing filters), just make use of BPF_F_REPLACE if there is one existing filter. However if there is more than one filter applied, we should probably remove all other filters since the alternative is that we will never remove our old filters. The only two other viable ways of solving this problem would be to use BPF pins to either pin the eBPF program using a predictable name (so we can always only replace *our* programs) or to switch away from custom programs and instead use eBPF maps (which are pinned) and thus we just update the map contents to update the ruleset. Unfortunately these both would add a hard requirement of bpffs and would require at least a minor rewrite of the eBPF filtering code -- which is better left for another time.
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
Commit d0f2c25
integration: add repeated "runc update" test
This is to ensure that we aren't leaking eBPF programs after "runc update". Unfortunately we cannot directly test the behaviour of cgroup program updates in an integration test because "runc update" doesn't support that behaviour at the moment. So instead we rely on the fact that each "runc update" implicitly triggers the devices rules to be updated. Without the previous patches applied, this new test will fail with errors (on cgroupv2 systems).
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
Commit 00119c8