Commit Graph

6 Commits

Author SHA1 Message Date
Aleksa Sarai 24388be71e
configs: use different types for .Devices and .Resources.Devices
Making them the same type is simply confusing, but also means that you
could accidentally use one in the wrong context. This eliminates that
problem. This also includes a whole bunch of cleanups for the types
within DeviceRule, so that they can be used more ergonomically.

Signed-off-by: Aleksa Sarai <asarai@suse.de>
2020-05-13 17:38:45 +10:00
Aleksa Sarai 60e21ec26e
specconv: remove default /dev/console access
/dev/console is a host resouce which gives a bunch of permissions that
we really shouldn't be giving to containers, not to mention that
/dev/console in containers is actually /dev/pts/$n. Drop this since
arguably this is a fairly scary thing to allow...

Signed-off-by: Aleksa Sarai <asarai@suse.de>
2020-05-13 17:38:45 +10:00
Alice Frosi b18a9650f8 test: update devicefilter tests
The test cases need to take into account the assembly modifications.
The instruction:
	LdXMemH dst: r2 src: r1 off: 0 imm: 0
has been replaced with:
        LdXMemW dst: r2 src: r1 off: 0 imm: 0
        And32Imm dst: r2 imm: 65535

Signed-off-by: Alice Frosi <afrosi@de.ibm.com>
2020-05-08 07:31:05 +01:00
Alice Frosi 128cb60f58 ebpf: fix big endian issue for s390x
Load the full 32 bits word and take the lower 16 bits, instead of
reading just 16 bits.

Same fix as 07bae05e61

Signed-off-by: Alice Frosi <afrosi@de.ibm.com>
2020-05-08 07:31:05 +01:00
Akihiro Suda faf1e44ea9 cgroup2: ebpf: increase RLIM_MEMLOCK to avoid BPF_PROG_LOAD error
Fix #2167

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2019-11-07 15:43:27 +09:00
Akihiro Suda faf673ee45 cgroup2: port over eBPF device controller from crun
The implementation is based on https://github.com/containers/crun/blob/0.10.2/src/libcrun/ebpf.c

Although ebpf.c is originally licensed under LGPL-3.0-or-later, the author
Giuseppe Scrivano agreed to relicense the file in Apache License 2.0:
https://github.com/opencontainers/runc/issues/2144#issuecomment-543116397

See libcontainer/cgroups/ebpf/devicefilter/devicefilter_test.go for tested configurations.

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2019-10-31 14:01:46 +09:00