1. 07 1月, 2020 2 次提交
  2. 18 11月, 2019 1 次提交
  3. 15 11月, 2019 8 次提交
    • P
      vircgroup: introduce virCgroupV2DevicesGetKey · b18b0ce6
      Pavel Hrdina 提交于
      Device rules are stored in BPF map that is a hash type, this function
      will create a key based on major and minor id of device.
      Signed-off-by: NPavel Hrdina <phrdina@redhat.com>
      Reviewed-by: NJán Tomko <jtomko@redhat.com>
      b18b0ce6
    • P
      vircgroup: introduce virCgroupV2DeviceGetPerms · 63cfe7b8
      Pavel Hrdina 提交于
      Signed-off-by: NPavel Hrdina <phrdina@redhat.com>
      Reviewed-by: NJán Tomko <jtomko@redhat.com>
      63cfe7b8
    • P
      vircgroup: introduce virCgroupV2DevicesRemoveProg · 6a24bd75
      Pavel Hrdina 提交于
      We need to close our FD that we have for BPF program and map in order
      to let kernel remove all resources once the cgroup is removed as well.
      Signed-off-by: NPavel Hrdina <phrdina@redhat.com>
      Reviewed-by: NJán Tomko <jtomko@redhat.com>
      6a24bd75
    • P
      vircgroup: introduce virCgroupV2DevicesPrepareProg · ef747499
      Pavel Hrdina 提交于
      This function will be called for every virCgroup(Allow|Deny)* API in
      order to prepare BPF program for guest.  Since libvirtd can be restarted
      at any point we will first try to detect existing progam, if there is
      none we will create a new empty BPF program and lastly if we don't have
      any space left in the existing BPF map we will create a new copy of the
      BPF map with more space and attach a new program with that map into the
      guest cgroup.
      
      This solution allows us to start with reasonably small BPF map consuming
      only small amount of memory and if needed we can easily extend the BPF
      map if there is a lot of host devices used in guest or if user wants to
      hot-plug a lot of devices once the guest is running.
      
      Since there is no way how to reallocate existing BPF map we need to
      create a new copy if we run out of space in current BPF map.
      
      This overcomes all the limitations in BPF:
      
          - map used in program has to be created before the program is loaded
            into kernel
      
          - once map is created you cannot change its size
      
          - you cannot replace map in existing program
      
          - you cannot use an array of maps because it can store FD to maps
            of one specific size so we would not be able to use it to overcome
            the second issue
      Signed-off-by: NPavel Hrdina <phrdina@redhat.com>
      Reviewed-by: NJán Tomko <jtomko@redhat.com>
      ef747499
    • P
      vircgroup: introduce virCgroupV2DevicesCreateProg · afa27886
      Pavel Hrdina 提交于
      This function creates new BPF program with new empty BPF map with the
      default size and attaches it to the guest cgroup.
      Signed-off-by: NPavel Hrdina <phrdina@redhat.com>
      Reviewed-by: NJán Tomko <jtomko@redhat.com>
      afa27886
    • P
      vircgroup: introduce virCgroupV2DevicesDetectProg · ce11a5c5
      Pavel Hrdina 提交于
      This function will be called if libvirtd was restarted while some
      domains were running.  It will try to detect existing programs attached
      to the guest cgroup.
      Signed-off-by: NPavel Hrdina <phrdina@redhat.com>
      Reviewed-by: NJán Tomko <jtomko@redhat.com>
      ce11a5c5
    • P
      vircgroup: introduce virCgroupV2DevicesAttachProg · 48423a0b
      Pavel Hrdina 提交于
      This function loads the BPF prog with prepared map into kernel and
      attaches it into guest cgroup.  It can be also used to replace existing
      program in the cgroup if we need to resize BPF map to store more rules
      for devices. The old program will be closed and removed from kernel.
      
      There are two possible ways how to create BPF program:
      
          - One way is to write simple C-like code which can by compiled into
            BPF object file which can be loaded into kernel using elfutils.
      
          - The second way is to define macros which look like assembler
            instructions and can be used directly to create BPF program that
            can be directly loaded into kernel.
      
      Since the program is not too complex we can use the second option.
      
      If there is no program, all devices are allowed, if there is some
      program it is executed and based on the exit status the access is
      denied for 0 and allowed for 1.
      
      Our program will follow these rules:
      
          - first it will try to look for the specific key using major and
            minor to see if there is any rule for that specific device
      
          - if there is no specific rule it will try to look for any rule that
            matches only major of the device
      
          - if there is no match with major it will try the same but with
            minor of the device
      
          - as the last attempt it will try to look for rule for all devices
            and if there is no match it will return 0 to deny that access
      Signed-off-by: NPavel Hrdina <phrdina@redhat.com>
      Reviewed-by: NJán Tomko <jtomko@redhat.com>
      48423a0b
    • P
      vircgroup: introduce virCgroupV2DevicesAvailable · 30b6ddc4
      Pavel Hrdina 提交于
      There is no exact way how to figure out whether BPF devices support is
      compiled into kernel.  One way is to check kernel configure options but
      this is not reliable as it may not be available.  Let's try to do
      syscall to which will list BPF cgroup device programs.
      Signed-off-by: NPavel Hrdina <phrdina@redhat.com>
      Reviewed-by: NJán Tomko <jtomko@redhat.com>
      30b6ddc4