[Devel] [PATCH RH7 1/2] device_cgroup: fake allowing all devices for docker inside VZCT

Pavel Tikhomirov ptikhomirov at virtuozzo.com
Wed Oct 7 01:51:06 PDT 2015


Docker from 1.7.0 tries to add "a" to devices.allow for newly created
privileged container device_cgroup, and thus to allow all devices in
docker container. Docker fails to do so because not all devices are
allowed in parent VZCT cgroup.

To support docker we must allow writing "a" to devices.allow in CT.
With this patch if we get "a", we will silently exit without EPERM.

https://jira.sw.ru/browse/PSBM-38691

v2: fix bug link, fix comment style
Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
---
 security/device_cgroup.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/security/device_cgroup.c b/security/device_cgroup.c
index 531e40c..9f932d7 100644
--- a/security/device_cgroup.c
+++ b/security/device_cgroup.c
@@ -689,7 +689,14 @@ static int devcgroup_update_access(struct dev_cgroup *devcgroup,
 			if (has_children(devcgroup))
 				return -EINVAL;
 
-			if (!may_allow_all(parent))
+			if (!may_allow_all(parent)) {
+				if (ve_is_super(get_exec_env()))
+					return -EPERM;
+				else
+					/* Fooling docker in CT - silently exit */
+					return 0;
+			}
+
 				return -EPERM;
 			dev_exception_clean(devcgroup);
 			devcgroup->behavior = DEVCG_DEFAULT_ALLOW;
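Review bot: the unchanged context line `return -EPERM;` (the former body of the removed `if (!may_allow_all(parent))`) is still present after the new closing brace, so after this hunk it runs unconditionally and the following `dev_exception_clean(devcgroup);` and `devcgroup->behavior = DEVCG_DEFAULT_ALLOW;` become unreachable: writing "a" would then always fail with -EPERM, on the host as well as in a CT. The hunk needs a `-				return -EPERM;` line as well, since that return is now handled by the `ve_is_super()` branch. Two smaller points: the `else` after `return -EPERM;` is redundant and can be dropped to match the surrounding style, and because the in-CT branch reports success while leaving `devcgroup->behavior` untouched, the comment (or the commit message) should state explicitly that the device restrictions inherited from the parent VZCT cgroup remain in force and only the return value to the writer is faked.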
-- 
1.9.3
