commit | f91700d71987203c2dd9f0917ad53be0eb39a655 | [log] [tgz] |
---|---|---|
author | Jason Zhou <jasonzhou460@gmail.com> | Wed Jul 10 15:37:50 2024 -0400 |
committer | Benjamin Mahler <bmahler@apache.org> | Wed Jul 10 16:18:55 2024 -0400 |
tree | e1d1bceff4de124d934a64a97e650e48048ac017 | |
parent | 8cf287778371c13ee7e88fa428424b3c0fbc7ff0 [diff] |
[cgroups2] Fix allow deny semantics for device access.

Currently, the EBPF program we generate has the behavior where the deny list has no effect, as we will allow device access iff the device matched with an allow entry. Instead we want to grant access to a device iff it is in a cgroup's allow list *and not in its deny list.*

This means that we need to change our existing logic, which exits on the first match. It is not our desired behavior because the current EBPF program construction logic puts the allow-device checks before the deny-device checks, meaning that if a device is on both allow and deny lists for a cgroup, it will be granted access.

This change revamps the EBPF program construction to now check both the allow and deny list of a cgroup before determining whether access may be granted. Specifically, if a device is matched with an entry inside the allow list, we will also be checking if it matches with any entry on the deny list, and deny the device's access if that is the case.

We also avoid generating specific parts of the EBPF program code to avoid creating unreachable code; explanations with a diagram are attached above the cgroups2::devices::DeviceProgram::build function.

Review: https://reviews.apache.org/r/75026/
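The allow/deny decision the commit describes, as an added example modelled in plain C++ rather than a generated EBPF program (this is not Mesos's own code). The entry model is an assumption: device type 'c' or 'b', major/minor numbers with -1 as a wildcard, and an access bitmask; the old first-match logic is shown beside the fixed "allowed and not denied" logic.

```cpp
// Added illustration (not Mesos code) of the device allow/deny semantics.
// Assumed entry model: type, major/minor (-1 = wildcard), access bitmask.
#include <vector>

constexpr unsigned READ = 1, WRITE = 2, MKNOD = 4;

struct Device { char type; int major; int minor; unsigned access; };
struct Entry  { char type; int major; int minor; unsigned access; };

// Does the entry's selector (type, major, minor) cover the device?
static bool selects(const Entry& e, const Device& d) {
  return e.type == d.type
      && (e.major < 0 || e.major == d.major)
      && (e.minor < 0 || e.minor == d.minor);
}

// An allow entry grants a request only if every requested bit is granted.
static bool allowMatches(const Entry& e, const Device& d) {
  return selects(e, d) && (d.access & ~e.access) == 0;
}

// A deny entry blocks a request if any requested bit is denied.
static bool denyMatches(const Entry& e, const Device& d) {
  return selects(e, d) && (d.access & e.access) != 0;
}

// Old behaviour (the bug): allow checks come first and evaluation exits on
// the first match, so a device on both lists is granted access and the
// deny list never takes effect.
bool allowedFirstMatch(const std::vector<Entry>& allow,
                       const std::vector<Entry>& deny, const Device& d) {
  for (const Entry& e : allow) if (allowMatches(e, d)) return true;
  for (const Entry& e : deny)  if (denyMatches(e, d))  return false;
  return false;
}

// Fixed behaviour: access is granted iff some allow entry matches AND no
// deny entry matches. An empty allow list can grant nothing, and an empty
// deny list skips the deny scan (the "unreachable code" the commit avoids).
bool allowedFixed(const std::vector<Entry>& allow,
                  const std::vector<Entry>& deny, const Device& d) {
  if (allow.empty()) return false;
  bool matched = false;
  for (const Entry& e : allow) if (allowMatches(e, d)) { matched = true; break; }
  if (!matched || deny.empty()) return matched;
  for (const Entry& e : deny) if (denyMatches(e, d)) return false;
  return true;
}
```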
Apache Mesos is a cluster manager that provides efficient resource isolation and sharing across distributed applications, or frameworks. It can run Hadoop, Jenkins, Spark, Aurora, and other frameworks on a dynamically shared pool of nodes.
Visit us at mesos.apache.org.
Documentation is available in the docs/ directory. Additionally, a rendered HTML version can be found on the Mesos website's Documentation page.
Instructions are included on the Getting Started page.
Apache Mesos is licensed under the Apache License, Version 2.0.
For additional information, see the LICENSE and NOTICE files.