Lsm cgroup api #1135
Lsm cgroup api #1135
Conversation
✅ Deploy Preview for aya-rs-docs ready!Built without sensitive environment variables
To edit notification comments on pull requests, go to your Netlify site configuration. |
|
Please avoid opening a new PR each time. There are comments I left in #1131 that remain unaddressed. |
altugbozkurt07
force-pushed
the
lsm_cgroup_api
branch
from
92a61ab to
6a0721a
Compare
|
@tamird sorry, since we have changed the way we implemented api, i thought it deserved a new pr. For the comments that remain unaddressed; Am i missing something other than what is stated in your comments? |
altugbozkurt07
force-pushed
the
lsm_cgroup_api
branch
from
6a0721a to
91ff050
Compare
aya/src/programs/lsm_cgroup.rs
Outdated
| /// The minimum kernel version required to use this feature is 6.0. | ||
| /// | ||
| /// # Examples | ||
| /// ## LSM with cgroup attachment type |
There was a problem hiding this comment.
if i remove this subheading, should i also remove it from lsm.rs ?
| let prog_fd = self.fd()?; | ||
| let prog_fd = prog_fd.as_fd(); | ||
| let cgroup_fd = cgroup.as_fd(); | ||
| let attach_type = self.data.expected_attach_type.unwrap(); |
There was a problem hiding this comment.
| let attach_type = self.data.expected_attach_type.unwrap(); | |
| let attach_type = Some(BPF_LSM_CGROUP); |
|
Please let us know when the tests are passing, or if you need help understanding the failures. |
altugbozkurt07
force-pushed
the
lsm_cgroup_api
branch
from
91ff050 to
f2493ab
Compare
|
@dave-tucker thanks for your detailed feedback, i have updated the commit accordingly. Let me know if things are good to go for this one. |
altugbozkurt07
force-pushed
the
lsm_cgroup_api
branch
2 times, most recently
from
97a52dd to
f67626f
Compare
|
Hey @alessandrod, this pull request changes the Aya Public API and requires your review. |
altugbozkurt07
force-pushed
the
lsm_cgroup_api
branch
from
f67626f to
4900de7
Compare
altugbozkurt07
force-pushed
the
lsm_cgroup_api
branch
from
4900de7 to
9381fcb
Compare
There was a problem hiding this comment.
Reviewed 5 of 15 files at r1, 1 of 8 files at r2, 14 of 15 files at r3, all commit messages.
Dismissed @dave-tucker from 17 discussions.
Reviewable status: 20 of 23 files reviewed, 10 unresolved discussions (waiting on @alessandrod and @altugbozkurt07)
-- commits line 2 at r3:
why is this a double colon?
xtask/src/run.rs line 416 at r3 (raw file):
// Heed the advice and boot with noapic. We don't know why this happens. kernel_args.push(" noapic"); kernel_args.push(" lsm=lockdown,capability,bpf");
Please add a comment.
test/integration-test/src/tests/lsm.rs line 36 at r3 (raw file):
let cgroup_path = Path::new("/sys/fs/cgroup/lsm_cgroup_test"); if !cgroup_path.exists() {
i think you can drop this check
test/integration-test/src/tests/lsm.rs line 40 at r3 (raw file):
} let _ = prog.attach(File::open(cgroup_path).unwrap()).unwrap();
what's the deal with this let _?
test/integration-test/src/tests/lsm.rs line 42 at r3 (raw file):
let _ = prog.attach(File::open(cgroup_path).unwrap()).unwrap(); match unsafe { fork().expect("Failed to fork process") } {
why do we need this fork? if the goal is to show that per-pid filtering occurs, you aren't doing that right now.
test/integration-test/src/tests/lsm.rs line 50 at r3 (raw file):
let mut f = File::create(cgroup_path.join("cgroup.procs")) .expect("could not open cgroup procs"); f.write_fmt(format_args!("{}", pid.as_raw() as u64))
how about write!(&mut f, "{pid}")?
test/integration-test/src/tests/lsm.rs line 59 at r3 (raw file):
ForkResult::Child => { assert_matches::assert_matches!(TcpListener::bind("127.0.0.1:12345"), Ok(listener) => assert_eq!( listener.local_addr().unwrap(), SocketAddr::V4(SocketAddrV4::new(Ipv4Addr::new(127, 0, 0, 1), 12345)))
do we need this assertion? probably all we care about is that it didn't error
test/integration-test/src/tests/lsm.rs line 80 at r3 (raw file):
prog.attach().unwrap(); assert_matches::assert_matches!(TcpListener::bind("127.0.0.1:12345"), Err(e) => assert_eq!(
we should also do this before attaching the program.
Hi @vadorovsky, @dave-tucker,
This is the refactored work based on the discussion we have had on discord.
Let me know if i missed anything.
Best
This change is