9:47 a.m.
This function loads the BPF prog with prepared map into kernel and
attaches it into guest cgroup. It can be also used to replace existing
program in the cgroup if we need to resize BPF map to store more rules
for devices. The old program will be closed and removed from kernel.
There are two possible ways how to create BPF program:
- One way is to write simple C-like code which can by compiled into
BPF object file which can be loaded into kernel using elfutils.
- The second way is to define macros which looks like assembler
instructions and can be used directly to create BPF program that
can be directly loaded into kernel.
Since the program is not too complex we can use the second option.
If there is no program, all devices are allowed, if there is some
program it is executed and based on the exit status the access is
denied for 0 and allowed for 1.
Our program will follow these rules:
- first it will try to look for the specific key using major and
minor to see if there is any rule for that specific device
- if there is no specific rule it will try to look for any rule that
matches only major of the device
- if there is no match with major it will try the same but with
minor of the device
- as the last attempt it will try to look for rule for all devices
and if there is no match it will return 0 to deny that access
Signed-off-by: Pavel Hrdina <phrdina(a)redhat.com>
---
src/libvirt_private.syms | 1 +
src/util/vircgrouppriv.h | 10 +++
src/util/vircgroupv2devices.c | 140 ++++++++++++++++++++++++++++++++++
src/util/vircgroupv2devices.h | 5 ++
4 files changed, 156 insertions(+)
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index 6a822f7d90..3fc91ce207 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -1612,6 +1612,7 @@ virCgroupV1Register;
virCgroupV2Register;
# util/vircgroupv2devices.h
+virCgroupV2DevicesAttachProg;
virCgroupV2DevicesAvailable;
# util/virclosecallbacks.h
diff --git a/src/util/vircgrouppriv.h b/src/util/vircgrouppriv.h
index a6fb3bb9f8..085fea375c 100644
--- a/src/util/vircgrouppriv.h
+++ b/src/util/vircgrouppriv.h
@@ -42,10 +42,20 @@ struct _virCgroupV1Controller {
typedef struct _virCgroupV1Controller virCgroupV1Controller;
typedef virCgroupV1Controller *virCgroupV1ControllerPtr;
+struct _virCgroupV2Devices {
+ int mapfd;
+ int progfd;
+ ssize_t count;
+ ssize_t max;
+};
+typedef struct _virCgroupV2Devices virCgroupV2Devices;
+typedef virCgroupV2Devices *virCgroupV2DevicesPtr;
+
struct _virCgroupV2Controller {
int controllers;
char *mountPoint;
char *placement;
+ virCgroupV2Devices devices;
};
typedef struct _virCgroupV2Controller virCgroupV2Controller;
typedef virCgroupV2Controller *virCgroupV2ControllerPtr;
diff --git a/src/util/vircgroupv2devices.c b/src/util/vircgroupv2devices.c
index 10080d4fff..0b721a0aad 100644
--- a/src/util/vircgroupv2devices.c
+++ b/src/util/vircgroupv2devices.c
@@ -64,10 +64,150 @@ virCgroupV2DevicesAvailable(virCgroupPtr group)
VIR_FORCE_CLOSE(cgroupfd);
return ret;
}
+
+
+static int
+virCgroupV2DevicesLoadProg(int mapfd)
+{
+# define VIR_CGROUP_BPF_LOOKUP \
+ /* prepare key param on stack */ \
+ VIR_BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -8), \
+ VIR_BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), \
+ VIR_BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), \
+ /* lookup key (major << 32) | minor in map */ \
+ VIR_BPF_LD_MAP_FD(BPF_REG_1, mapfd), \
+ VIR_BPF_CALL_INSN(BPF_FUNC_map_lookup_elem)
+
+# define VIR_CGROUP_BPF_CHECK_PERM \
+ /* if no key skip perm check */ \
+ VIR_BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), \
+ /* get perms from map */ \
+ VIR_BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0), \
+ /* get perms from ctx */ \
+ VIR_BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_6, 0), \
+ /* (map perms) & (ctx perms) */ \
+ VIR_BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2), \
+ /* if (map perms) & (ctx perms) == (ctx perms) exit, otherwise continue */ \
+ VIR_BPF_JMP_REG(BPF_JNE, BPF_REG_1, BPF_REG_2, 2), \
+ /* set ret 1 and exit */ \
+ VIR_BPF_MOV64_IMM(BPF_REG_0, 1), \
+ VIR_BPF_EXIT_INSN()
+
+ struct bpf_insn prog[] = {
+ /* save ctx, argument passed to BPF program */
+ VIR_BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
+
+ /* get major from ctx and shift << 32 */
+ VIR_BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_6, 4),
+ VIR_BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 32),
+ /* get minor from ctx and | to shifted major */
+ VIR_BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_6, 8),
+ VIR_BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_3),
+ /* lookup ((major << 32) | minor) in map and check perms */
+ VIR_CGROUP_BPF_LOOKUP,
+ VIR_CGROUP_BPF_CHECK_PERM,
+
+ /* get major from ctx and shift << 32 */
+ VIR_BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_6, 4),
+ VIR_BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 32),
+ /* use -1 as minor and | to shifted major */
+ VIR_BPF_MOV32_IMM(BPF_REG_3, -1),
+ VIR_BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_3),
+ /* lookup ((major << 32) | -1) in map and check perms */
+ VIR_CGROUP_BPF_LOOKUP,
+ VIR_CGROUP_BPF_CHECK_PERM,
+
+ /* use -1 as major and shift << 32 */
+ VIR_BPF_MOV32_IMM(BPF_REG_2, -1),
+ VIR_BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 32),
+ /* get minor from ctx and | to shifted major */
+ VIR_BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_6, 8),
+ VIR_BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_3),
+ /* lookup ((-1 << 32) | minor) in map and check perms */
+ VIR_CGROUP_BPF_LOOKUP,
+ VIR_CGROUP_BPF_CHECK_PERM,
+
+ /* use -1 as key which means major = -1 and minor = -1 */
+ VIR_BPF_MOV64_IMM(BPF_REG_2, -1),
+ /* lookup -1 in map and check perms*/
+ VIR_CGROUP_BPF_LOOKUP,
+ VIR_CGROUP_BPF_CHECK_PERM,
+
+ /* no key was found, exit with 0 */
+ VIR_BPF_MOV64_IMM(BPF_REG_0, 0),
+ VIR_BPF_EXIT_INSN(),
+ };
+
+ return virBPFLoadProg(prog, BPF_PROG_TYPE_CGROUP_DEVICE, ARRAY_CARDINALITY(prog));
+}
+
+
+int
+virCgroupV2DevicesAttachProg(virCgroupPtr group,
+ int mapfd,
+ size_t max)
+{
+ int ret = -1;
+ int progfd = -1;
+ int cgroupfd = -1;
+ VIR_AUTOFREE(char *) path = NULL;
+
+ if (virCgroupPathOfController(group, VIR_CGROUP_CONTROLLER_DEVICES,
+ NULL, &path) < 0) {
+ goto cleanup;
+ }
+
+ progfd = virCgroupV2DevicesLoadProg(mapfd);
+ if (progfd < 0) {
+ virReportSystemError(errno, "%s", _("failed to load cgroup BPF
prog"));
+ goto cleanup;
+ }
+
+ cgroupfd = open(path, O_RDONLY);
+ if (cgroupfd < 0) {
+ virReportSystemError(errno, _("unable to open '%s'"), path);
+ goto cleanup;
+ }
+
+ if (virBPFAttachProg(progfd, cgroupfd, BPF_CGROUP_DEVICE) < 0) {
+ virReportSystemError(errno, "%s", _("failed to attach cgroup BPF
prog"));
+ goto cleanup;
+ }
+
+ if (group->unified.devices.progfd > 0) {
+ VIR_DEBUG("Closing existing program that was replaced by new one.");
+ VIR_FORCE_CLOSE(group->unified.devices.progfd);
+ }
+
+ group->unified.devices.progfd = progfd;
+ group->unified.devices.mapfd = mapfd;
+ group->unified.devices.max = max;
+ progfd = -1;
+ mapfd = -1;
+
+ ret = 0;
+ cleanup:
+ VIR_FORCE_CLOSE(cgroupfd);
+ VIR_FORCE_CLOSE(progfd);
+ VIR_FORCE_CLOSE(mapfd);
+ return ret;
+}
#else /* !HAVE_DECL_BPF_CGROUP_DEVICE */
bool
virCgroupV2DevicesAvailable(virCgroupPtr group ATTRIBUTE_UNUSED)
{
return false;
}
+
+
+int
+virCgroupV2DevicesAttachProg(virCgroupPtr group ATTRIBUTE_UNUSED,
+ int mapfd ATTRIBUTE_UNUSED,
+ size_t max ATTRIBUTE_UNUSED)
+{
+ virReportSystemError(ENOSYS, "%s",
+ _("cgroups v2 BPF devices not supported "
+ "with this kernel"));
+ return -1;
+}
#endif /* !HAVE_DECL_BPF_CGROUP_DEVICE */
diff --git a/src/util/vircgroupv2devices.h b/src/util/vircgroupv2devices.h
index 2ab35681db..1ba87acb00 100644
--- a/src/util/vircgroupv2devices.h
+++ b/src/util/vircgroupv2devices.h
@@ -24,4 +24,9 @@
bool
virCgroupV2DevicesAvailable(virCgroupPtr group);
+int
+virCgroupV2DevicesAttachProg(virCgroupPtr group,
+ int mapfd,
+ size_t max);
+
#endif /* LIBVIRT_VIRCGROUPV2DEVICES_H */
--
2.20.1