[Devel] [PATCH RH7 1/2] device_cgroup: fake allowing all devices for docker inside VZCT

Konstantin Khorenko khorenko at virtuozzo.com
Thu Oct 15 03:42:46 PDT 2015


Volodya, please review.

--
Best regards,

Konstantin Khorenko,
Virtuozzo Linux Kernel Team

On 10/13/2015 06:11 PM, Pavel Tikhomirov wrote:
> We need it for docker 1.7.+, please review.
>
> On 10/07/2015 11:51 AM, Pavel Tikhomirov wrote:
>> Docker from 1.7.0 tries to add "a" to devices.allow for newly created
>> privileged container device_cgroup, and thus to allow all devices in
>> docker container. Docker fails to do so because not all devices are
>> allowed in parent VZCT cgroup.
>>
>> To support docker we must allow writing "a" to devices.allow in CT.
>> With this patch if we get "a", we will silently exit without EPERM.
>>
>> https://jira.sw.ru/browse/PSBM-38691
>>
>> v2: fix bug link, fix comment style
>> Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
>> ---
>>    security/device_cgroup.c | 9 ++++++++-
>>    1 file changed, 8 insertions(+), 1 deletion(-)
>>
>> diff --git a/security/device_cgroup.c b/security/device_cgroup.c
>> index 531e40c..9f932d7 100644
>> --- a/security/device_cgroup.c
>> +++ b/security/device_cgroup.c
>> @@ -689,7 +689,14 @@ static int devcgroup_update_access(struct dev_cgroup *devcgroup,
>>    			if (has_children(devcgroup))
>>    				return -EINVAL;
>>
>> -			if (!may_allow_all(parent))
>> +			if (!may_allow_all(parent)) {
>> +				if (ve_is_super(get_exec_env()))
>> +					return -EPERM;
>> +				else
>> +					/* Fooling docker in CT - silently exit */
>> +					return 0;
>> +			}
>> +
>>    				return -EPERM;
>>    			dev_exception_clean(devcgroup);
>>    			devcgroup->behavior = DEVCG_DEFAULT_ALLOW;
>>
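Review bot: the original `return -EPERM;` that was the body of `if (!may_allow_all(parent))` is left behind as the context line right after the new closing brace, so after this hunk it is an unconditional statement: every write of "a" returns -EPERM before `dev_exception_clean(devcgroup);` and `devcgroup->behavior = DEVCG_DEFAULT_ALLOW;` are reached, those two lines become dead code, and neither the host (ve_is_super) case nor a VZCT whose parent does pass `may_allow_all(parent)` can ever switch to allow-all. Drop that stray line; the -EPERM return already lives inside the new block. Two smaller points on the new block itself: the `else` after `return -EPERM;` is redundant and the comment wedged between `else` and its `return 0;` reads oddly, so `if (ve_is_super(get_exec_env())) return -EPERM;` followed by `/* Fooling docker in CT - silently exit */ return 0;` is clearer; and since a CT-side writer now gets success with the cgroup left unchanged, the commit message should say that reading devices.list back is the only way such a caller can tell the write did nothing.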
>
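The caveat the commit message creates cuts both ways for anyone running Docker inside a CT on this kernel: a write of "a" to devices.allow can report success while the cgroup stays restricted, so the write's exit status proves nothing. The script below is an added example, not code from the patch, from Docker or from the Virtuozzo kernel. It assumes the cgroup v1 devices controller layout (a `devices.allow` file to write and a `devices.list` file to read back) and the `a *:* rwm` line the kernel prints in devices.list when a cgroup's behavior is allow-by-default. The two cgroup directories it checks by default are constructed fixtures in a temp dir, not real cgroups; point `devcg_report` at a real path to check a container.

```shell
#!/bin/sh
# Added example, not part of the patch, Docker or the Virtuozzo kernel.
# Do not trust the exit status of `echo a > devices.allow`: read devices.list
# back and look for the allow-by-default line the kernel prints, "a *:* rwm".
#
# devcg_allow_all_effective <cgroup-dir>
#   returns 0 if the cgroup now allows all devices,
#           1 if the write did not take effect (cgroup still restricted),
#           2 if <cgroup-dir> is not a device cgroup directory.
devcg_allow_all_effective() {
    dir=$1
    [ -f "$dir/devices.list" ] || return 2
    # Make the write Docker >= 1.7.0 makes for a privileged container.
    # Its status is ignored on purpose: with the patch above a CT-side
    # write can return 0 without changing anything.
    if [ -w "$dir/devices.allow" ]; then
        printf 'a\n' 2>/dev/null > "$dir/devices.allow" || :
    fi
    # Only the allow-all line proves the cgroup's behavior is now allow.
    if grep -qx 'a \*:\* rwm' "$dir/devices.list"; then
        return 0
    fi
    return 1
}

# Constructed fixture (not real cgroups): two fake device-cgroup directories.
# "allowed" looks like a cgroup whose behavior is allow-by-default; "restricted"
# still lists a few character devices, as a VZCT-limited cgroup would after a
# write of "a" that was silently accepted.
make_fixture() {
    t=$(mktemp -d)
    mkdir "$t/allowed" "$t/restricted"
    printf 'a *:* rwm\n' > "$t/allowed/devices.list"
    printf 'c 1:3 rwm\nc 1:5 rwm\nc 5:1 rwm\n' > "$t/restricted/devices.list"
    : > "$t/allowed/devices.allow"
    : > "$t/restricted/devices.allow"
    printf '%s\n' "$t"
}

# Report one line per cgroup directory given on the command line.
devcg_report() {
    for d in "$@"; do
        rc=0
        devcg_allow_all_effective "$d" || rc=$?
        case $rc in
            0) printf '%s: allow-all in effect\n' "$d" ;;
            1) printf '%s: write of "a" did NOT take effect, still restricted\n' "$d" ;;
            *) printf '%s: not a device cgroup directory\n' "$d" ;;
        esac
    done
}

# Stand-alone run over the constructed fixture. On a real host with the cgroup
# v1 devices controller mounted, pass a container's cgroup directory instead,
# e.g. devcg_report /sys/fs/cgroup/devices/docker/<container-id> (hypothetical path).
fixture=$(make_fixture)
devcg_report "$fixture/allowed" "$fixture/restricted"
rm -rf "$fixture"
```

The check deliberately keys on the whole `a *:* rwm` line rather than on the absence of an error, because the patched kernel makes error absence meaningless inside a CT; on an unpatched kernel the same function simply reports the EPERM case as "still restricted".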
