[Devel] [PATCH RH7 1/2] device_cgroup: fake allowing all devices for docker inside VZCT
Pavel Tikhomirov
ptikhomirov at odin.com
Thu Oct 15 03:47:15 PDT 2015
Here is the right link for RH7: https://jira.sw.ru/browse/PSBM-34529
Patch actually is a port from RH6.
On 10/15/2015 01:42 PM, Konstantin Khorenko wrote:
> Volodya, please review.
>
> --
> Best regards,
>
> Konstantin Khorenko,
> Virtuozzo Linux Kernel Team
>
> On 10/13/2015 06:11 PM, Pavel Tikhomirov wrote:
>> We need it for docker 1.7.+, please review.
>>
>> On 10/07/2015 11:51 AM, Pavel Tikhomirov wrote:
>>> Docker from 1.7.0 tries to add "a" to devices.allow for newly created
>>> privileged container device_cgroup, and thus to allow all devices in
>>> docker container. Docker fails to do so because not all devices are
>>> allowed in parent VZCT cgroup.
>>>
>>> To support docker we must allow writing "a" to devices.allow in CT.
>>> With this patch if we get "a", we will silently exit without EPERM.
>>>
>>> https://jira.sw.ru/browse/PSBM-38691
>>>
>>> v2: fix bug link, fix comment stile
>>> Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
>>> ---
>>> security/device_cgroup.c | 9 ++++++++-
>>> 1 file changed, 8 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/security/device_cgroup.c b/security/device_cgroup.c
>>> index 531e40c..9f932d7 100644
>>> --- a/security/device_cgroup.c
>>> +++ b/security/device_cgroup.c
>>> @@ -689,7 +689,14 @@ static int devcgroup_update_access(struct
>>> dev_cgroup *devcgroup,
>>> if (has_children(devcgroup))
>>> return -EINVAL;
>>>
>>> - if (!may_allow_all(parent))
>>> + if (!may_allow_all(parent)) {
>>> + if (ve_is_super(get_exec_env()))
>>> + return -EPERM;
>>> + else
>>> + /* Fooling docker in CT - silently exit */
>>> + return 0;
>>> + }
>>> +
>>> return -EPERM;
>>> dev_exception_clean(devcgroup);
>>> devcgroup->behavior = DEVCG_DEFAULT_ALLOW;
>>>
>>
--
Best regards, Tikhomirov Pavel
Software Developer, Odin.
More information about the Devel
mailing list