buildroot/package/runc/0002-Implement-common-funct...


From c3c41d192aadac058415238e1680dffbd5a74dc6 Mon Sep 17 00:00:00 2001
Message-Id: <c3c41d192aadac058415238e1680dffbd5a74dc6.1659958805.git.stefan@agner.ch>
In-Reply-To: <410089ea4bb8bf051a941febd087b0346b967a10.1659958805.git.stefan@agner.ch>
References: <410089ea4bb8bf051a941febd087b0346b967a10.1659958805.git.stefan@agner.ch>
From: Stefan Agner <stefan@agner.ch>
Date: Thu, 3 Mar 2022 14:55:53 +0100
Subject: [PATCH 02/11] Implement common function to create DeviceCgroup rules
Signed-off-by: Stefan Agner <stefan@agner.ch>
---
libcontainer/specconv/spec_linux.go | 52 ++++++++++++++++++++++++++---
1 file changed, 48 insertions(+), 4 deletions(-)
diff --git a/libcontainer/specconv/spec_linux.go b/libcontainer/specconv/spec_linux.go
index 8bf0aa20..c5b32b1e 100644
--- a/libcontainer/specconv/spec_linux.go
+++ b/libcontainer/specconv/spec_linux.go
@@ -625,6 +625,48 @@ func initSystemdProps(spec *specs.Spec) ([]systemdDbus.Property, error) {
return sp, nil
}
+func CreateCgroupDeviceConfig(r *configs.Resources, specr *specs.LinuxResources, defaultDevs []*devices.Device) error {
+ if specr != nil {
+ for i, d := range specr.Devices {
+ var (
+ t = "a"
+ major = int64(-1)
+ minor = int64(-1)
+ )
+ if d.Type != "" {
+ t = d.Type
+ }
+ if d.Major != nil {
+ major = *d.Major
+ }
+ if d.Minor != nil {
+ minor = *d.Minor
+ }
+ if d.Access == "" {
+ return fmt.Errorf("device access at %d field cannot be empty", i)
+ }
+ dt, err := stringToCgroupDeviceRune(t)
+ if err != nil {
+ return err
+ }
+ r.Devices = append(r.Devices, &devices.Rule{
+ Type: dt,
+ Major: major,
+ Minor: minor,
+ Permissions: devices.Permissions(d.Access),
+ Allow: d.Allow,
+ })
+ }
+ }
+
+ // Append the default allowed devices to the end of the list.
+ for _, device := range defaultDevs {
+ r.Devices = append(r.Devices, &device.Rule)
+ }
+
+ return nil
+}
+
func CreateCgroupConfig(opts *CreateOpts, defaultDevs []*devices.Device) (*configs.Cgroup, error) {
var (
myCgroupPath string
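Review bot: CreateCgroupDeviceConfig is exported but has no doc comment, and the only validation of a spec device entry is the empty-string check on d.Access; the string is then copied verbatim into `devices.Permissions(d.Access)`, so an access string outside the "rwm" alphabet is turned into a cgroup device rule unless something downstream rejects it. Suggest `// CreateCgroupDeviceConfig appends one devices.Rule per entry of specr.Devices to r.Devices, followed by the defaultDevs rules; specr may be nil, r must not be.` above the function, and, if the vendored devices package provides Permissions.IsValid, `if !devices.Permissions(d.Access).IsValid() { return fmt.Errorf("device access at %d field is invalid: %q", i, d.Access) }` before the append. Because the function appends rather than resets r.Devices, a caller whose r.Devices is already populated ends up with duplicate rules; the doc comment should say so.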
@@ -681,8 +723,9 @@ func CreateCgroupConfig(opts *CreateOpts, defaultDevs []*devices.Device) (*confi
// In rootless containers, any attempt to make cgroup changes is likely to fail.
// libcontainer will validate this but ignores the error.
+ var r *specs.LinuxResources = nil
if spec.Linux != nil {
- r := spec.Linux.Resources
+ r = spec.Linux.Resources
if r != nil {
for i, d := range spec.Linux.Resources.Devices {
var (
@@ -844,10 +887,11 @@ func CreateCgroupConfig(opts *CreateOpts, defaultDevs []*devices.Device) (*confi
}
}
- // Append the default allowed devices to the end of the list.
- for _, device := range defaultDevs {
- c.Resources.Devices = append(c.Resources.Devices, &device.Rule)
+ err := CreateCgroupDeviceConfig(c.Resources, r, defaultDevs)
+ if err != nil {
+ return nil, err
}
+
return c, nil
}
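Review bot: The new `CreateCgroupDeviceConfig(c.Resources, r, defaultDevs)` call walks r.Devices and appends a rule for each entry, yet the per-device loop at the top of CreateCgroupConfig (`for i, d := range spec.Linux.Resources.Devices`, visible in the previous hunk) is not removed by this commit, so on the new side each spec device rule appears to be appended to c.Resources.Devices twice, once by that loop and once by the helper; the part of the function between the two hunks is outside this view, so this is inferred rather than confirmed. If a later patch in the series drops the loop, this commit is only correct together with it; otherwise drop the loop here or pass nil as the second argument so only the default rules are appended. Prefer the scoped form `if err := CreateCgroupDeviceConfig(c.Resources, r, defaultDevs); err != nil { return nil, err }` for the new error check. CreateCgroupConfig starts outside this hunk.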
--
2.37.1