Commit graph

3 commits

Author SHA1 Message Date
Pavel Hrdina 2af3eed1aa bpf-devices: fix order of removing and adding BPF programs
The current code has multiple issues and it should never be done like
that.  If someone updates the list of allowed devices, we should attach the new
program before we remove the old one, for two reasons:

1. It takes some time to attach a new program, so there is a period of time
when all devices are allowed.

2. BPF programs have a limit on the number of instructions (4096), and if a user
adds a lot of devices we might hit the instruction limit and the new
program will not be accepted, which will result in allowing all devices
because the old program was already removed.

In order to attach the new program before we remove the old one, we need
to use the BPF_F_ALLOW_MULTI flag every time.

Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
2018-11-13 14:03:01 +01:00
Pavel Hrdina 0b82cd2502 bpf-devices: fix cgroup v2 devices detection
If cgroup v2 bpf devices are supported, we need to return 1, not -1.

Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
2018-11-13 12:58:05 +01:00
Roman Gushchin 084c700780 core: support cgroup v2 device controller
Cgroup v2 provides an eBPF-based device controller, which isn't currently
supported by systemd. This commit aims to provide such support.

There are no user-visible changes; the device policy and whitelist just
start working if cgroup v2 is used.
2018-10-09 09:47:51 -07:00