[CRIU] [PATCH 4/5] cgroups: add support for c/r of the devices cgroup

Tycho Andersen tycho.andersen at canonical.com
Mon Jun 6 10:48:27 PDT 2016


On Mon, Jun 06, 2016 at 07:54:30PM +0300, Cyrill Gorcunov wrote:
> On Mon, Jun 06, 2016 at 03:20:16PM +0000, Tycho Andersen wrote:
> > This one is a little bit ugly, see comments for details. At some point we
> > should invent a better way to do these special cases, since we have them
> > for freezer, cpuset, and now devices. Perhaps something like fstype, where
> > you can ask the cgroup how to restore itself.
> > 
> > Signed-off-by: Tycho Andersen <tycho.andersen at canonical.com>
> > CC: Cyrill Gorcunov <gorcunov at openvz.org>
> ...
> > @@ -1253,6 +1253,46 @@ static int prepare_cgroup_dir_properties(char *path, int off, CgroupDirEntry **e
> >  				if (special)
> >  					continue;
> >  
> > +				/* The devices cgroup must be restored in a
> > +				 * special way: only the contents of
> > +				 * devices.list can be read, and it is a
> > +				 * whitelist of all the devices the cgroup is
> > +				 * allowed to create. To re-creat this
> > +				 * whitelist, we first deny everything via
> > +				 * devices.deny, and then write the list back
> > +				 * into devices.allow.
> > +				 */
> > +				if (!strcmp(e->properties[j]->name, "devices.list")) {
> > +					CgroupPropEntry *pe = e->properties[j];
> > +					char *old_val = pe->value, *old_name = pe->name;
> > +					int ret;
> > +
> > +					/* A bit of a fudge here. These are
> > +					 * write only by owner by default, but
> > +					 * the container engine could have
> > +					 * changed the perms. We should come up
> > +					 * with a better way to restore all of
> > +					 * this stuff.
> > +					 */
> > +					pe->perms->mode = 0200;
> > +
> > +					pe->name = "devices.deny";
> > +					pe->value = "a";
> > +					ret = restore_cgroup_prop(e->properties[j], path, off2);
> > +					pe->name = old_name;
> > +					pe->name = old_val;
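Review bot: the last two quoted lines restore the wrong field: `pe->name = old_name;` is followed by `pe->name = old_val;`, so the saved devices.list text is assigned to the property name and `pe->value` is left as "a". The second line should be `pe->value = old_val;`; as written, the write-back into devices.allow that the comment describes would not see the saved whitelist. In the same region, `pe->perms->mode` is overwritten with 0200 and never put back, so the mode recorded in the image is lost for whatever restore follows (the comment calls this a fudge; saving and restoring the old mode next to `old_name` and `old_val` would be cheap), and `ret` from restore_cgroup_prop is stored but not checked within the quoted lines (the hunk is cut off here, so that may happen below). Minor: "re-creat" in the comment should read "re-create".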
> 
> IIRC, choosing devices.allow or devices.deny depends
> on default strategy. If it's "allow", then list
> represents those which are not permitted to use
> and reverse, no?

devices.list is always a whitelist, and adding something to
devices.deny just removes it from devices.list (and from child cgroups'
whitelists as well):

root at smitten:/sys/fs/cgroup/devices/A# cat devices.list 
root at smitten:/sys/fs/cgroup/devices/A# echo "c 195:1 rw" > devices.allow 
root at smitten:/sys/fs/cgroup/devices/A# cat devices.list 
c 195:1 rw
root at smitten:/sys/fs/cgroup/devices/A# echo "c 195:1 rw" > devices.deny 
root at smitten:/sys/fs/cgroup/devices/A# cat devices.list 
root at smitten:/sys/fs/cgroup/devices/A# 

Tycho
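The restore sequence the patch comment describes (deny everything through devices.deny, then replay the saved whitelist through devices.allow), written out as an added example for this thread. It is not CRIU's code and not something from the thread's participants; it assumes the cgroup v1 devices controller layout (devices.list, devices.allow and devices.deny files under a cgroup directory) and the entry grammar visible in Tycho's demo. It goes a little beyond the patch: it validates each saved entry before writing, and it orders cgroups parents-first, because, as the demo shows, a deny in a parent also clears the children's whitelists. The function names, the parents-first helper and the sample entries in the assertions are this example's own.

```python
import os
import re

# Grammar of one devices.list / devices.allow / devices.deny entry (cgroup v1):
#   <type> <major>:<minor> <access>
#   type         : a (all), b (block), c (char)
#   major, minor : decimal number or '*'
#   access       : non-empty set drawn from r (read), w (write), m (mknod)
ENTRY_RE = re.compile(r"^([abc]) (\*|\d+):(\*|\d+) ([rwm]{1,3})$")


def is_valid_entry(line):
    """True if `line` is one well-formed entry with no repeated access flag."""
    m = ENTRY_RE.match(line)
    return m is not None and len(set(m.group(4))) == len(m.group(4))


def parse_devices_list(text):
    """Split the text of devices.list into validated entries.

    Blank lines are skipped; any malformed line raises ValueError so that a
    corrupt or hand-edited image is rejected before anything is written.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not is_valid_entry(line):
            raise ValueError("bad devices.list entry: %r" % line)
        entries.append(line)
    return entries


def plan_restore(saved_list_text):
    """Return the ordered (file, value) writes that rebuild the whitelist.

    Same order as the patch: "a" into devices.deny first, which empties the
    whitelist, then each saved entry into devices.allow. An empty saved
    list therefore yields only the deny write.
    """
    writes = [("devices.deny", "a")]
    for entry in parse_devices_list(saved_list_text):
        writes.append(("devices.allow", entry))
    return writes


def restore_order(cgroup_dirs):
    """Order cgroup directories parents-first (shallower paths first).

    Denying in a parent also removes entries from its children's whitelists,
    so a child restored before its parent would be wiped again.
    """
    return sorted(cgroup_dirs, key=lambda p: (p.rstrip("/").count("/"), p))


def apply_plan(cgroup_dir, writes):
    """Perform the writes against a devices cgroup directory (needs root)."""
    for name, value in writes:
        with open(os.path.join(cgroup_dir, name), "w") as f:
            f.write(value + "\n")


def read_devices_list(cgroup_dir):
    """Return the raw text of devices.list, the only readable view of the whitelist."""
    with open(os.path.join(cgroup_dir, "devices.list")) as f:
        return f.read()


def restore_tree(saved_lists):
    """Restore {cgroup_dir: saved devices.list text} parents-first, then verify.

    Returns the directories whose devices.list does not read back equal to
    what was saved; an empty list means every whitelist was reproduced.
    """
    mismatched = []
    for path in restore_order(saved_lists):
        apply_plan(path, plan_restore(saved_lists[path]))
        # Only devices.list can be read, so a read-back comparison is the
        # only check available for what the kernel actually accepted.
        if parse_devices_list(read_devices_list(path)) != parse_devices_list(saved_lists[path]):
            mismatched.append(path)
    return mismatched


if __name__ == "__main__":
    import sys
    # Usage (as root, cgroup v1): restore_devices.py SRC_CGROUP_DIR DST_CGROUP_DIR
    src_dir, dst_dir = sys.argv[1], sys.argv[2]
    print(restore_tree({dst_dir: read_devices_list(src_dir)}))
```

Run as root against two directories under /sys/fs/cgroup/devices; the planning and ordering functions need no privileges and can be exercised on saved images alone. Note that the script opens the files for writing directly and so does not depend on the 0200 mode the patch forces on the property.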

