96 lines
2.9 KiB
Diff
96 lines
2.9 KiB
Diff
From c3c41d192aadac058415238e1680dffbd5a74dc6 Mon Sep 17 00:00:00 2001
|
|
Message-Id: <c3c41d192aadac058415238e1680dffbd5a74dc6.1659958805.git.stefan@agner.ch>
|
|
In-Reply-To: <410089ea4bb8bf051a941febd087b0346b967a10.1659958805.git.stefan@agner.ch>
|
|
References: <410089ea4bb8bf051a941febd087b0346b967a10.1659958805.git.stefan@agner.ch>
|
|
From: Stefan Agner <stefan@agner.ch>
|
|
Date: Thu, 3 Mar 2022 14:55:53 +0100
|
|
Subject: [PATCH 02/11] Implement common function to create DeviceCgroup rules
|
|
|
|
Signed-off-by: Stefan Agner <stefan@agner.ch>
|
|
---
|
|
libcontainer/specconv/spec_linux.go | 52 ++++++++++++++++++++++++++---
|
|
1 file changed, 48 insertions(+), 4 deletions(-)
|
|
|
|
diff --git a/libcontainer/specconv/spec_linux.go b/libcontainer/specconv/spec_linux.go
|
|
index 8bf0aa20..c5b32b1e 100644
|
|
--- a/libcontainer/specconv/spec_linux.go
|
|
+++ b/libcontainer/specconv/spec_linux.go
|
|
@@ -625,6 +625,48 @@ func initSystemdProps(spec *specs.Spec) ([]systemdDbus.Property, error) {
|
|
return sp, nil
|
|
}
|
|
|
|
+func CreateCgroupDeviceConfig(r *configs.Resources, specr *specs.LinuxResources, defaultDevs []*devices.Device) error {
|
|
+ if specr != nil {
|
|
+ for i, d := range specr.Devices {
|
|
+ var (
|
|
+ t = "a"
|
|
+ major = int64(-1)
|
|
+ minor = int64(-1)
|
|
+ )
|
|
+ if d.Type != "" {
|
|
+ t = d.Type
|
|
+ }
|
|
+ if d.Major != nil {
|
|
+ major = *d.Major
|
|
+ }
|
|
+ if d.Minor != nil {
|
|
+ minor = *d.Minor
|
|
+ }
|
|
+ if d.Access == "" {
|
|
+ return fmt.Errorf("device access at %d field cannot be empty", i)
|
|
+ }
|
|
+ dt, err := stringToCgroupDeviceRune(t)
|
|
+ if err != nil {
|
|
+ return err
|
|
+ }
|
|
+ r.Devices = append(r.Devices, &devices.Rule{
|
|
+ Type: dt,
|
|
+ Major: major,
|
|
+ Minor: minor,
|
|
+ Permissions: devices.Permissions(d.Access),
|
|
+ Allow: d.Allow,
|
|
+ })
|
|
+ }
|
|
+ }
|
|
+
|
|
+ // Append the default allowed devices to the end of the list.
|
|
+ for _, device := range defaultDevs {
|
|
+ r.Devices = append(r.Devices, &device.Rule)
|
|
+ }
|
|
+
|
|
+ return nil
|
|
+}
|
|
+
|
|
func CreateCgroupConfig(opts *CreateOpts, defaultDevs []*devices.Device) (*configs.Cgroup, error) {
|
|
var (
|
|
myCgroupPath string
|
|
@@ -681,8 +723,9 @@ func CreateCgroupConfig(opts *CreateOpts, defaultDevs []*devices.Device) (*confi
|
|
|
|
// In rootless containers, any attempt to make cgroup changes is likely to fail.
|
|
// libcontainer will validate this but ignores the error.
|
|
+ var r *specs.LinuxResources = nil
|
|
if spec.Linux != nil {
|
|
- r := spec.Linux.Resources
|
|
+ r = spec.Linux.Resources
|
|
if r != nil {
|
|
for i, d := range spec.Linux.Resources.Devices {
|
|
var (
|
|
@@ -844,10 +887,11 @@ func CreateCgroupConfig(opts *CreateOpts, defaultDevs []*devices.Device) (*confi
|
|
}
|
|
}
|
|
|
|
- // Append the default allowed devices to the end of the list.
|
|
- for _, device := range defaultDevs {
|
|
- c.Resources.Devices = append(c.Resources.Devices, &device.Rule)
|
|
+ err := CreateCgroupDeviceConfig(c.Resources, r, defaultDevs)
|
|
+ if err != nil {
|
|
+ return nil, err
|
|
}
|
|
+
|
|
return c, nil
|
|
}
|
|
|
|
--
|
|
2.37.1
|
|
|