[Devel] [PATCH VZ10 v2 0/2] ve/bpf: Allow BPF_CGROUP_DEVICE in ve
Pavel Tikhomirov
ptikhomirov at virtuozzo.com
Fri Mar 27 19:51:21 MSK 2026
We need this for Docker, as after the switch of containers to cgroup-v2,
Docker started to use bpf device cgroup programs to control access to
devices for nested containers.
The first patch adds the feature and the second patch adds selftests.
Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
https://virtuozzo.atlassian.net/browse/VSTOR-126504
--
v2: Add selftests and avoid exposing host bpf programs via
bpf_prog_query().
Pavel Tikhomirov (2):
  ve/bpf: Add VE_FEATURE_BPF to allow bpf device cgroup programs per VE
  selftests/ve_devcg_bpf: add tests for VE_FEATURE_BPF

 include/uapi/linux/vzcalluser.h               |   1 +
 kernel/bpf/syscall.c                          |  77 ++-
 .../testing/selftests/ve_devcg_bpf/.gitignore |   1 +
 tools/testing/selftests/ve_devcg_bpf/Makefile |   7 +
 .../ve_devcg_bpf/ve_devcg_bpf_test.c          | 610 ++++++++++++++++++
 5 files changed, 688 insertions(+), 8 deletions(-)
 create mode 100644 tools/testing/selftests/ve_devcg_bpf/.gitignore
 create mode 100644 tools/testing/selftests/ve_devcg_bpf/Makefile
 create mode 100644 tools/testing/selftests/ve_devcg_bpf/ve_devcg_bpf_test.c
--
2.53.0