[Devel] [PATCH VZ10 v3 0/2] ve/bpf: Allow BPF_CGROUP_DEVICE in ve
Pavel Tikhomirov
ptikhomirov at virtuozzo.com
Thu Apr 9 15:47:05 MSK 2026
We need this for Docker, as after the switch of containers to cgroup-v2,
Docker started to use bpf device cgroup programs to control access to
devices for nested containers.
The first patch adds the feature and the second patch adds selftests.
Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
https://virtuozzo.atlassian.net/browse/VSTOR-126504
--
v2: Add selftests and avoid exposing host bpf programs via
bpf_prog_query().
v3: Report bad cgroup fd with EBADF, fix test compilation by defining
everything locally and add test to global Makefile.
Pavel Tikhomirov (2):
ve/bpf: Add VE_FEATURE_BPF to allow bpf device cgroup programs per VE
selftests/ve_devcg_bpf: add tests for VE_FEATURE_BPF
include/uapi/linux/vzcalluser.h | 1 +
kernel/bpf/syscall.c | 91 ++-
tools/testing/selftests/Makefile | 1 +
.../testing/selftests/ve_devcg_bpf/.gitignore | 1 +
tools/testing/selftests/ve_devcg_bpf/Makefile | 7 +
.../ve_devcg_bpf/ve_devcg_bpf_test.c | 639 ++++++++++++++++++
6 files changed, 731 insertions(+), 9 deletions(-)
create mode 100644 tools/testing/selftests/ve_devcg_bpf/.gitignore
create mode 100644 tools/testing/selftests/ve_devcg_bpf/Makefile
create mode 100644 tools/testing/selftests/ve_devcg_bpf/ve_devcg_bpf_test.c
--
2.53.0