Class: OsCtld::Devices::V2::BpfProgram

Inherits:
Object
  • Object
show all
Includes:
OsCtl::Lib::Utils::Log
Defined in:
lib/osctld/devices/v2/bpf_program.rb

Overview

Create/destroy & attach/detach BPF programs for devices access control

Instance Attribute Summary collapse

Instance Method Summary collapse

Constructor Details

#initialize(name, devices) ⇒ BpfProgram

Create a new program

The device list can be nil. In that case, the program cannot be loaded into the kernel, because we don’t know its contents, but we can still create/destroy links or unload the program from the kernel.

Parameters:



23
24
25
26
27
 
# File 'lib/osctld/devices/v2/bpf_program.rb', line 23

def initialize(name, devices)
  @name = name
  @devices = devices
  @path = BpfFs.prog_pin_path(name)
end

Instance Attribute Details

#nameString (readonly)

Returns:

  • (String) 


9
10
11
 
# File 'lib/osctld/devices/v2/bpf_program.rb', line 9

def name
  @name
end

#pathString (readonly)

Pin file path

Returns:

  • (String) 


13
14
15
 
# File 'lib/osctld/devices/v2/bpf_program.rb', line 13

def path
  @path
end

Instance Method Details

#attach(link) ⇒ Object

Attach program to cgroup

Parameters:



71
72
73
74
75
76
77
78
 
# File 'lib/osctld/devices/v2/bpf_program.rb', line 71

def attach(link)
  run_devcgprog(
    'attach',
    path,
    link.cgroup_path,
    link.path
  )
end

#attached?(link) ⇒ Boolean

Check if program is attached to a cgroup

Note that even if this method returns ‘true`, the link may still be broken if the underlying cgroup has been destroyed and recreated. We have no way of verifying it using BPF FS.

Parameters:

Returns:

  • (Boolean) 


65
66
67
 
# File 'lib/osctld/devices/v2/bpf_program.rb', line 65

def attached?(link)
  BpfFs.link_pinned?(link.pool_name, link.name)
end

#createObject

Load the program to the kernel



35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
 
# File 'lib/osctld/devices/v2/bpf_program.rb', line 35

def create
  if @devices.nil?
    raise 'unable to create incomplete program'
  end

  args = %W[
    -name #{@name}
    new
    #{path}
    allow
  ]

  @devices.each do |dev|
    args << "#{dev.type_s}:#{dev.major}:#{dev.minor}:#{dev.mode}"
  end

  run_devcgprog(*args)
end

#destroyObject 



54
55
56
 
# File 'lib/osctld/devices/v2/bpf_program.rb', line 54

def destroy
  File.unlink(path)
end

#detach(link) ⇒ Object

Detach program from cgroup

Parameters:



99
100
101
 
# File 'lib/osctld/devices/v2/bpf_program.rb', line 99

def detach(link)
  File.unlink(link.path)
end

#exist?Boolean

Check if the program is loaded within the kernel

Returns:

  • (Boolean) 


30
31
32
 
# File 'lib/osctld/devices/v2/bpf_program.rb', line 30

def exist?
  BpfFs.prog_pinned?(@name)
end

#replace(link, new_link) ⇒ Object

Atomically replace attached program with another program

Parameters:



83
84
85
86
87
88
89
90
91
92
93
94
95
 
# File 'lib/osctld/devices/v2/bpf_program.rb', line 83

def replace(link, new_link)
  if link.pool_name != new_link.pool_name
    raise ArgumentError,
          "link on pool #{link.pool_name} while new_link on pool #{new_link.pool_name}"
  end

  run_devcgprog(
    'replace',
    link.path,
    BpfFs.prog_pin_path(new_link.prog_name),
    new_link.path
  )
end

#run_devcgprog(*args) ⇒ Object (protected) 



105
106
107
108
109
110
111
112
113
114
115
116
117
 
# File 'lib/osctld/devices/v2/bpf_program.rb', line 105

def run_devcgprog(*args)
  cmd = ['devcgprog'] + args

  log(:info, cmd.join(' '))
  pid = Process.spawn(*cmd)
  Process.wait(pid)

  if $?.exitstatus != 0
    raise "#{cmd.join(' ')} failed with exit status #{$?.exitstatus}"
  end

  nil
end