github.com/bugraaydogar/snapd@v0.0.0-20210315170335-8c70bb858939/interfaces/builtin/hugepages_control.go

github.com/bugraaydogar/snapd@v0.0.0-20210315170335-8c70bb858939/interfaces/builtin/hugepages_control.go (about)

     1  // -*- Mode: Go; indent-tabs-mode: t -*-
     2  
     3  /*
     4   * Copyright (C) 2020 Canonical Ltd
     5   *
     6   * This program is free software: you can redistribute it and/or modify
     7   * it under the terms of the GNU General Public License version 3 as
     8   * published by the Free Software Foundation.
     9   *
    10   * This program is distributed in the hope that it will be useful,
    11   * but WITHOUT ANY WARRANTY; without even the implied warranty of
    12   * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    13   * GNU General Public License for more details.
    14   *
    15   * You should have received a copy of the GNU General Public License
    16   * along with this program.  If not, see <http://www.gnu.org/licenses/>.
    17   *
    18   */
    19  
    20  package builtin
    21  
    22  // https://www.kernel.org/doc/Documentation/vm/hugetlbpage.txt
    23  // https://www.kernel.org/doc/Documentation/vm/transhuge.txt
    24  // This interface assumes that huge pages are mounted at either:
    25  // - /dev/hugepages (Debian, Ubuntu)
    26  // - /run/hugepages (various documentation)
    27  const hugepagesControlSummary = `allows controlling hugepages`
    28  
    29  const hugepagesControlBaseDeclarationSlots = `
    30    hugepages-control:
    31      allow-installation:
    32        slot-snap-type:
    33          - core
    34      deny-auto-connection: true
    35  `
    36  
    37  const hugepagesControlConnectedPlugAppArmor = `
    38  # Allow configuring huge pages via /sys or /proc
    39  /sys/kernel/mm/hugepages/{,hugepages-[0-9]*}/* r,
    40  /sys/kernel/mm/hugepages/{,hugepages-[0-9]*}/nr_{hugepages,hugepages_mempolicy,overcommit_hugepages} w,
    41  /sys/devices/system/node/node[0-9]*/hugepages/{,hugepages-[0-9]*}/* r,
    42  /sys/devices/system/node/node[0-9]*/hugepages/{,hugepages-[0-9]*}/nr_hugepages w,
    43  @{PROC}/sys/vm/nr_{hugepages,hugepages_mempolicy,overcommit_hugepages} rw,
    44  
    45  # Observe which group can create shm segments using hugetlb pages
    46  @{PROC}/sys/vm/hugetlb_shm_group r,
    47  
    48  # Observe allocated huge pages by node (@{PROC}/meminfo already in base abstraction)
    49  /sys/devices/system/node/node[0-9]*/meminfo r,
    50  
    51  # hugepages may be controlled via chown/chgrp/chmod. Enforce this with
    52  # owner match
    53  /{dev,run}/hugepages/ r,
    54  owner /{dev,run}/hugepages/{,**} rwk,
    55  
    56  # Allow configuring transparent huge pages
    57  /sys/kernel/mm/transparent_hugepage/{,**} r,
    58  /sys/kernel/mm/transparent_hugepage/defrag w,
    59  /sys/kernel/mm/transparent_hugepage/{,shmem_}enabled w,
    60  /sys/kernel/mm/transparent_hugepage/use_zero_page w,
    61  /sys/kernel/mm/transparent_hugepage/khugepaged/{alloc,scan}_sleep_millisecs w,
    62  /sys/kernel/mm/transparent_hugepage/khugepaged/defrag w,
    63  /sys/kernel/mm/transparent_hugepage/khugepaged/max_ptes_{none,swap} w,
    64  /sys/kernel/mm/transparent_hugepage/khugepaged/pages_to_scan w,
    65  `
    66  
    67  func init() {
    68  	registerIface(&commonInterface{
    69  		name:                  "hugepages-control",
    70  		summary:               hugepagesControlSummary,
    71  		implicitOnCore:        true,
    72  		implicitOnClassic:     true,
    73  		baseDeclarationSlots:  hugepagesControlBaseDeclarationSlots,
    74  		connectedPlugAppArmor: hugepagesControlConnectedPlugAppArmor,
    75  	})
    76  }