[Devel] [PATCH vz10] bpf: add mount access type to eBPF cgroup program

Aleksei Oladko aleksey.oladko at virtuozzo.com
Wed Nov 19 19:50:48 MSK 2025


On 11/19/25 3:47 PM, Konstantin Khorenko wrote:
> On 11/7/25 16:36, Aleksei Oladko wrote:
>> This patch adds a mount access type to eBPF cgroup device type program
>> enabling the ability to specify whether a mount operation should be
>> allowed or denied.
>>
>> https://virtuozzo.atlassian.net/browse/VSTOR-117297
>>
>> Signed-off-by: Aleksei Oladko <aleksey.oladko at virtuozzo.com>
>> ---
>>   include/uapi/linux/bpf.h | 2 ++
>>   1 file changed, 2 insertions(+)
>>
>> diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
>> index 4a939c90dc2e..7ea078290688 100644
>> --- a/include/uapi/linux/bpf.h
>> +++ b/include/uapi/linux/bpf.h
>> @@ -7114,7 +7114,9 @@ enum {
>>       BPF_DEVCG_ACC_MKNOD    = (1ULL << 0),
>>       BPF_DEVCG_ACC_READ    = (1ULL << 1),
>>       BPF_DEVCG_ACC_WRITE    = (1ULL << 2),
>> +    BPF_DEVCG_ACC_MOUNT    = (1ULL << 6),
>>   };
>> +#define BPF_DEVCG_ACC_MOUNT BPF_DEVCG_ACC_MOUNT
>
> Can you please explain why we need the "define" line?

This allows building a BPF program using

#ifndef BPF_DEVCG_ACC_MOUNT

and is used in libvzctl

>
>>     enum {
>>       BPF_DEVCG_DEV_BLOCK    = (1ULL << 0),
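
Review bot: BPF_DEVCG_ACC_MOUNT is assigned (1ULL << 6) while the existing members use bits 0 to 2, and nothing in the hunk documents why bits 3 to 5 are skipped. Please add a comment stating whether those bits are reserved or already used elsewhere, so a later access type does not collide with them. The self-referential "#define BPF_DEVCG_ACC_MOUNT BPF_DEVCG_ACC_MOUNT" after the closing brace should carry a one-line comment saying it exists so that userspace can detect the flag with #ifndef (an enum member is not visible to the preprocessor); without that comment the line reads as redundant and is likely to be dropped in a cleanup. The diffstat shows only this uapi header changing (2 insertions), so the commit message should also point to where the mount check that consumes the new bit is implemented.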
>

