[Devel] [PATCH RH7 1/2] device_cgroup: fake allowing all devices for docker inside VZCT
Pavel Tikhomirov
ptikhomirov at odin.com
Fri Oct 16 01:37:21 PDT 2015
On 10/16/2015 11:06 AM, Vladimir Davydov wrote:
> On Wed, Oct 07, 2015 at 11:51:06AM +0300, Pavel Tikhomirov wrote:
>> Docker from 1.7.0 tries to add "a" to devices.allow for newly created
>> privileged container device_cgroup, and thus to allow all devices in
>> docker container. Docker fails to do so because not all devices are
>> allowed in parent VZCT cgroup.
>>
>> To support docker we must allow writing "a" to devices.allow in CT.
>> With this patch if we get "a", we will silently exit without EPERM.
>>
>> https://jira.sw.ru/browse/PSBM-38691
>
> It is worth mentioning that this patch is a port of PCS6 commit
> diff-device_cgroup-fake-allowing-all-devices-for-docker-inside-VZCT
I resent it.
>
>>
>> v2: fix bug link, fix comment stile
>> Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
>> ---
>> security/device_cgroup.c | 9 ++++++++-
>> 1 file changed, 8 insertions(+), 1 deletion(-)
>>
>> diff --git a/security/device_cgroup.c b/security/device_cgroup.c
>> index 531e40c..9f932d7 100644
>> --- a/security/device_cgroup.c
>> +++ b/security/device_cgroup.c
>> @@ -689,7 +689,14 @@ static int devcgroup_update_access(struct dev_cgroup *devcgroup,
>> if (has_children(devcgroup))
>> return -EINVAL;
>>
>> - if (!may_allow_all(parent))
>> + if (!may_allow_all(parent)) {
>> + if (ve_is_super(get_exec_env()))
>> + return -EPERM;
>> + else
>> + /* Fooling docker in CT - silently exit */
>> + return 0;
>> + }
>> +
>
>> return -EPERM;
>
> You seem to have forgotten to remove this line.
Sorry, fixed it.
>
>> dev_exception_clean(devcgroup);
>> devcgroup->behavior = DEVCG_DEFAULT_ALLOW;
--
Best regards, Tikhomirov Pavel
Software Developer, Odin.
More information about the Devel
mailing list