[Devel] [PATCH RH7 1/2] device_cgroup: fake allowing all devices for docker inside VZCT
Pavel Tikhomirov
ptikhomirov at odin.com
Tue Oct 13 08:11:20 PDT 2015
We need it for docker 1.7.+, please review.
On 10/07/2015 11:51 AM, Pavel Tikhomirov wrote:
> Docker from 1.7.0 tries to add "a" to devices.allow for newly created
> privileged container device_cgroup, and thus to allow all devices in
> docker container. Docker fails to do so because not all devices are
> allowed in parent VZCT cgroup.
>
> To support docker we must allow writing "a" to devices.allow in CT.
> With this patch if we get "a", we will silently exit without EPERM.
>
> https://jira.sw.ru/browse/PSBM-38691
>
> v2: fix bug link, fix comment style
> Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
> ---
> security/device_cgroup.c | 9 ++++++++-
> 1 file changed, 8 insertions(+), 1 deletion(-)
>
> diff --git a/security/device_cgroup.c b/security/device_cgroup.c
> index 531e40c..9f932d7 100644
> --- a/security/device_cgroup.c
> +++ b/security/device_cgroup.c
> @@ -689,7 +689,14 @@ static int devcgroup_update_access(struct dev_cgroup *devcgroup,
> if (has_children(devcgroup))
> return -EINVAL;
>
> - if (!may_allow_all(parent))
> + if (!may_allow_all(parent)) {
> + if (ve_is_super(get_exec_env()))
> + return -EPERM;
> + else
> + /* Fooling docker in CT - silently exit */
> + return 0;
> + }
> +
> return -EPERM;
> dev_exception_clean(devcgroup);
> devcgroup->behavior = DEVCG_DEFAULT_ALLOW;
>
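Review bot: the unchanged `return -EPERM;` left between the new closing `}` and `dev_exception_clean(devcgroup);` is now unconditional, so on the host (`ve_is_super()` true with `may_allow_all(parent)` true) the function can never reach `dev_exception_clean()` or set `DEVCG_DEFAULT_ALLOW`; either that line needs a `-` in the hunk or the patch breaks allow-all for the super VE. Please also drop the `else` after `return -EPERM;` and spell out in the comment and commit message that the in-CT branch returns 0 without touching the exception list or behavior, so a write of "a" reports success while `devices.list` still shows the parent's restrictions.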
--
Best regards, Tikhomirov Pavel
Software Developer, Odin.