Fix cgroupv2 bpf-devices issues #10757
If cgroup v2 bpf devices is supported we need to return 1, not -1.

Signed-off-by: Pavel Hrdina <[email protected]>
/cc @rgushchin
@Antique Travis CI detected that the flags variable is now unused. It's right, that variable should be removed. Could you make such a change, please? lgtm otherwise
The current code has multiple issues and it should never be done like that. If someone updates the list of allowed devices, we should attach the new program before we remove the old one, for two reasons:

1. It takes some time to attach the new program, so there is a period of time when all devices are allowed.
2. BPF programs have a limit on the number of instructions (4096), and if the user adds a lot of devices we might hit the instruction limit and the new program will not be accepted, which will result in allowing all devices because the old program was already removed.

In order to attach the new program before we remove the old one, we need to use the BPF_F_ALLOW_MULTI flag every time.

Signed-off-by: Pavel Hrdina <[email protected]>
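The ordering argument in the commit message above, as an added example that is not part of the pull request or of systemd. It is a small C model in which a cgroup with no device program allows everything and several attached programs must all agree, and it compares detach-first with attach-first when the replacement program exceeds the 4096-instruction limit. The struct and function names, the device numbers and the four-slot program array are assumptions made for illustration.

```c
/* Added example: a model of cgroup v2 device policy, not systemd or kernel code. */
#include <stdbool.h>
#include <stdio.h>
enum { MAX_INSNS = 4096, MAX_PROGS = 4 }; /* limit from the commit message; model-only slot count */
struct prog { const int *devs; int ndevs; int insns; }; /* allow-list and program size */
struct cgroup { const struct prog *progs[MAX_PROGS]; int n; };
/* No program attached: everything is allowed. Several (BPF_F_ALLOW_MULTI): all must agree. */
static bool device_allowed(const struct cgroup *cg, int dev) {
    for (int i = 0; i < cg->n; i++) {
        bool hit = false;
        for (int j = 0; j < cg->progs[i]->ndevs; j++)
            hit |= cg->progs[i]->devs[j] == dev;
        if (!hit) return false;
    }
    return true;
}
/* Models load plus attach: an oversized program is rejected. */
static int attach(struct cgroup *cg, const struct prog *p) {
    if (p->insns > MAX_INSNS || cg->n == MAX_PROGS) return -1;
    cg->progs[cg->n++] = p;
    return 0;
}
static void detach(struct cgroup *cg, const struct prog *p) {
    for (int i = 0; i < cg->n; i++)
        if (cg->progs[i] == p) { cg->progs[i] = cg->progs[--cg->n]; return; }
}
/* Ordering the commit message criticises: a rejected program leaves nothing attached. */
static int update_detach_first(struct cgroup *cg, const struct prog *old, const struct prog *next) {
    detach(cg, old);
    return attach(cg, next);
}
/* Ordering the commit message asks for: the old program stays until the new one is in. */
static int update_attach_first(struct cgroup *cg, const struct prog *old, const struct prog *next) {
    if (attach(cg, next) < 0) return -1;
    detach(cg, old);
    return 0;
}
/* Constructed scenario: old policy allows device 1, the replacement is too large to load. */
static bool open_after_failed_update(bool attach_first) {
    static const int one[] = {1};
    const struct prog old = {one, 1, 100}, big = {one, 1, MAX_INSNS + 1};
    struct cgroup cg = {{0}, 0};
    attach(&cg, &old);
    (attach_first ? update_attach_first : update_detach_first)(&cg, &old, &big);
    return device_allowed(&cg, 99); /* device 99 is on no allow-list */
}
int main(void) {
    printf("open after failed update: detach-first=%d attach-first=%d\n", open_after_failed_update(false), open_after_failed_update(true));
    return 0;
}
```

While both programs are attached the model grants only what both allow, so the overlap is never more permissive than either policy on its own.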
Thanks, fixed now. I've completely missed that one.
@Antique, thanks for fixing this!
Summary: Rebase two fixes onto the version merged upstream:

- systemd/systemd#10507
- systemd/systemd#10567

and backport a few more:

- systemd/systemd#10411
- systemd/systemd#10493
- systemd/systemd#10757
- systemd/systemd#10876

These are almost all cgroup2 related.

Reviewed By: cdown
Differential Revision: D13351498
fbshipit-source-id: 87c8428d48dbb0eb2ae7d34f7381fff88f83872f
This pull request solves two issues with cgroupv2 bpf-devices: