- 07 1月, 2020 2 次提交
-
-
由 Michal Privoznik 提交于
When allowing/denying a device in devices CGroupV2 we have to write a BPF program for it. The program we put there is merely static and all it does it looks up a device in a hash table (also known as map in BPF terminology). A map is referenced via an FD which can be acquired via virBPFCreateMap() and like any other FD it should be closed when no longer needed. However, we close it twice: the first time in virCgroupV2DevicesAttachProg() which closes it unconditionally, and the second time in either virCgroupV2DevicesCreateProg() or virCgroupV2DevicesPrepareProg(). Remove the second close. Signed-off-by: NMichal Privoznik <mprivozn@redhat.com> Reviewed-by: NPavel Hrdina <phrdina@redhat.com>
-
由 Michal Privoznik 提交于
This function is not called outside of the source file where it's defined. There's no need to export it. Signed-off-by: NMichal Privoznik <mprivozn@redhat.com> Reviewed-by: NPavel Hrdina <phrdina@redhat.com>
-
- 18 11月, 2019 1 次提交
-
-
由 Michal Privoznik 提交于
In virCgroupV2DevicesReallocMap() we are debug printing both arguments passed to the function. However, the @size argument is type of size_t but '%lu' is used to format it. Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
-
- 15 11月, 2019 8 次提交
-
-
由 Pavel Hrdina 提交于
Device rules are stored in BPF map that is a hash type, this function will create a key based on major and minor id of device. Signed-off-by: NPavel Hrdina <phrdina@redhat.com> Reviewed-by: NJán Tomko <jtomko@redhat.com>
-
由 Pavel Hrdina 提交于
Signed-off-by: NPavel Hrdina <phrdina@redhat.com> Reviewed-by: NJán Tomko <jtomko@redhat.com>
-
由 Pavel Hrdina 提交于
We need to close our FD that we have for BPF program and map in order to let kernel remove all resources once the cgroup is removed as well. Signed-off-by: NPavel Hrdina <phrdina@redhat.com> Reviewed-by: NJán Tomko <jtomko@redhat.com>
-
由 Pavel Hrdina 提交于
This function will be called for every virCgroup(Allow|Deny)* API in order to prepare BPF program for guest. Since libvirtd can be restarted at any point we will first try to detect existing progam, if there is none we will create a new empty BPF program and lastly if we don't have any space left in the existing BPF map we will create a new copy of the BPF map with more space and attach a new program with that map into the guest cgroup. This solution allows us to start with reasonably small BPF map consuming only small amount of memory and if needed we can easily extend the BPF map if there is a lot of host devices used in guest or if user wants to hot-plug a lot of devices once the guest is running. Since there is no way how to reallocate existing BPF map we need to create a new copy if we run out of space in current BPF map. This overcomes all the limitations in BPF: - map used in program has to be created before the program is loaded into kernel - once map is created you cannot change its size - you cannot replace map in existing program - you cannot use an array of maps because it can store FD to maps of one specific size so we would not be able to use it to overcome the second issue Signed-off-by: NPavel Hrdina <phrdina@redhat.com> Reviewed-by: NJán Tomko <jtomko@redhat.com>
-
由 Pavel Hrdina 提交于
This function creates new BPF program with new empty BPF map with the default size and attaches it to the guest cgroup. Signed-off-by: NPavel Hrdina <phrdina@redhat.com> Reviewed-by: NJán Tomko <jtomko@redhat.com>
-
由 Pavel Hrdina 提交于
This function will be called if libvirtd was restarted while some domains were running. It will try to detect existing programs attached to the guest cgroup. Signed-off-by: NPavel Hrdina <phrdina@redhat.com> Reviewed-by: NJán Tomko <jtomko@redhat.com>
-
由 Pavel Hrdina 提交于
This function loads the BPF prog with prepared map into kernel and attaches it into guest cgroup. It can be also used to replace existing program in the cgroup if we need to resize BPF map to store more rules for devices. The old program will be closed and removed from kernel. There are two possible ways how to create BPF program: - One way is to write simple C-like code which can by compiled into BPF object file which can be loaded into kernel using elfutils. - The second way is to define macros which look like assembler instructions and can be used directly to create BPF program that can be directly loaded into kernel. Since the program is not too complex we can use the second option. If there is no program, all devices are allowed, if there is some program it is executed and based on the exit status the access is denied for 0 and allowed for 1. Our program will follow these rules: - first it will try to look for the specific key using major and minor to see if there is any rule for that specific device - if there is no specific rule it will try to look for any rule that matches only major of the device - if there is no match with major it will try the same but with minor of the device - as the last attempt it will try to look for rule for all devices and if there is no match it will return 0 to deny that access Signed-off-by: NPavel Hrdina <phrdina@redhat.com> Reviewed-by: NJán Tomko <jtomko@redhat.com>
-
由 Pavel Hrdina 提交于
There is no exact way how to figure out whether BPF devices support is compiled into kernel. One way is to check kernel configure options but this is not reliable as it may not be available. Let's try to do syscall to which will list BPF cgroup device programs. Signed-off-by: NPavel Hrdina <phrdina@redhat.com> Reviewed-by: NJán Tomko <jtomko@redhat.com>
-