[CRIU] [PATCH] cgroups: Rework "devices" controller properties restoration

Cyrill Gorcunov gorcunov at gmail.com
Mon Sep 12 08:54:26 PDT 2016


On Mon, Sep 12, 2016 at 08:59:32AM -0600, Tycho Andersen wrote:
> Hi Cyrill,
> 
> Sorry for the wait :)
> 
> On Thu, Sep 01, 2016 at 04:41:26PM +0300, Cyrill Gorcunov wrote:
> > Currently if there are several subcgroups in devices container
> > we're trying to deny any device by default first before we're
> > setting up allowed device from the image. That's is prohibited
> > by kernel because if the cgroup has an active parent noone can
> > add a rule to deny devices. The logic in kernel is simple: once
> > devices are denied from top level, all descendant cgroups are
> > automatically propagated with such limitation.
> > 
> > Thus what we need is to setup "deny" rule on toplevel cgroup.
> > Thus here is a proposal
> > 
> >  - in restore_special_props pass a level number so we won't try
> >    to deny devices on children which already have this rule
> >  - write global deny rule _iif_ it's a fresh cgroup created,
> >    if cgroup is already existing we assume the user already
> >    configured it
> 
> I think this is still wrong, because if we have the situation of:
> 
> /foo/devices.list: c *:* m
> /foo/bar/devices.list: c 1:3 m
> 
> this will restore it incorrectly; we need to write a deny rule, and
> then only allow 'c 1:3 m' in /foo/bar. If we don't write a deny, we'll
> end up with both 'c *:* m' and 'c 1:3 m':
> 
> root at hopstrocity:/sys/fs/cgroup/devices/foo# cat devices.list 
> c *:* m
> root at hopstrocity:/sys/fs/cgroup/devices/foo# mkdir bar
> root at hopstrocity:/sys/fs/cgroup/devices/foo# cd bar/
> root at hopstrocity:/sys/fs/cgroup/devices/foo/bar# echo a > devices.deny 
> root at hopstrocity:/sys/fs/cgroup/devices/foo/bar# echo 'c 1:3 m' > devices.allow 
> root at hopstrocity:/sys/fs/cgroup/devices/foo/bar# cat devices.list 
> c 1:3 m
> root at hopstrocity:/sys/fs/cgroup/devices/foo/bar# cd ..
> root at hopstrocity:/sys/fs/cgroup/devices/foo# rmdir bar
> root at hopstrocity:/sys/fs/cgroup/devices/foo# mkdir bar
> root at hopstrocity:/sys/fs/cgroup/devices/foo# cd bar/
> root at hopstrocity:/sys/fs/cgroup/devices/foo/bar# echo 'c 1:3 m' > devices.allow 
> root at hopstrocity:/sys/fs/cgroup/devices/foo/bar# cat devices.list 
> c *:* m
> c 1:3 m

OK, thanks! I'll try your patches and report the results ;)


More information about the CRIU mailing list