[Devel] [PATCH RH7 1/2] device_cgroup: fake allowing all devices for docker inside VZCT

Pavel Tikhomirov ptikhomirov at odin.com
Thu Oct 15 03:47:15 PDT 2015


Here is the right link for RH7: https://jira.sw.ru/browse/PSBM-34529

The patch is actually a port from RH6.

On 10/15/2015 01:42 PM, Konstantin Khorenko wrote:
> Volodya, please review.
>
> --
> Best regards,
>
> Konstantin Khorenko,
> Virtuozzo Linux Kernel Team
>
> On 10/13/2015 06:11 PM, Pavel Tikhomirov wrote:
>> We need it for docker 1.7.+, please review.
>>
>> On 10/07/2015 11:51 AM, Pavel Tikhomirov wrote:
>>> Docker from 1.7.0 tries to add "a" to devices.allow for newly created
>>> privileged container device_cgroup, and thus to allow all devices in
>>> docker container. Docker fails to do so because not all devices are
>>> allowed in parent VZCT cgroup.
>>>
>>> To support docker we must allow writing "a" to devices.allow in CT.
>>> With this patch if we get "a", we will silently exit without EPERM.
>>>
>>> https://jira.sw.ru/browse/PSBM-38691
>>>
>>> v2: fix bug link, fix comment style
>>> Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
>>> ---
>>>    security/device_cgroup.c | 9 ++++++++-
>>>    1 file changed, 8 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/security/device_cgroup.c b/security/device_cgroup.c
>>> index 531e40c..9f932d7 100644
>>> --- a/security/device_cgroup.c
>>> +++ b/security/device_cgroup.c
>>> @@ -689,7 +689,14 @@ static int devcgroup_update_access(struct
>>> dev_cgroup *devcgroup,
>>>                if (has_children(devcgroup))
>>>                    return -EINVAL;
>>>
>>> -            if (!may_allow_all(parent))
>>> +            if (!may_allow_all(parent)) {
>>> +                if (ve_is_super(get_exec_env()))
>>> +                    return -EPERM;
>>> +                else
>>> +                    /* Fooling docker in CT - silently exit */
>>> +                    return 0;
>>> +            }
>>> +
>>>                    return -EPERM;
>>>                dev_exception_clean(devcgroup);
>>>                devcgroup->behavior = DEVCG_DEFAULT_ALLOW;
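Review bot: the unchanged context line `return -EPERM;` that follows the added `+            }` and blank line is now unconditional, because the `if (!may_allow_all(parent))` it used to belong to has been replaced by a braced block that already returns on both of its branches. As the hunk stands, a write of "a" where `may_allow_all(parent)` is true falls through to that `return -EPERM;`, so `dev_exception_clean(devcgroup);` and `devcgroup->behavior = DEVCG_DEFAULT_ALLOW;` become unreachable and allow-all is never granted, not even on the host where `ve_is_super()` holds. The hunk needs a `-            return -EPERM;` line deleting that leftover. Two smaller points: the `else` branch carrying a comment and a statement without braces is legal C but reads as if the comment were the body, and kernel style would brace it; and returning 0 without touching `devcgroup->behavior` means the write reports success while the cgroup keeps denying those devices, which is the intended behaviour for docker in a CT but should be spelled out in the commit message so nobody mistakes it for a real grant.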
>>>
>>

-- 
Best regards, Tikhomirov Pavel
Software Developer, Odin.
