[Devel] [vzlin-dev] [PATCH RH7 v2] Port rh6: diff-device_cgroup-fake-allowing-all-devices-for-docker-inside-VZCT

Pavel Tikhomirov ptikhomirov at odin.com
Fri Oct 16 01:38:43 PDT 2015


sorry, missed the right list

On 10/16/2015 11:35 AM, Pavel Tikhomirov wrote:
> https://jira.sw.ru/browse/PSBM-34529
>
> v2: fix lost EPERM, clarify it is port from rh6
>
> Port RH6 patch:
> Author: Pavel Tikhomirov
> Email: ptikhomirov at virtuozzo.com
> Subject: device_cgroup: fake allowing all devices for docker inside VZCT
> Date: Tue, 25 Aug 2015 10:04:43 +0300
>
> Docker from 1.7.0 tries to add "a" to devices.allow for newly created
> privileged container device_cgroup, and thus to allow all devices in
> docker container. Docker fails to do so because not all devices are
> allowed in parent VZ6CT cgroup.
>
> To support docker we must allow writing "a" to devices.allow in CT.
> With this patch if we get "a", we will silently exit without EPERM.
>
> https://jira.sw.ru/browse/PSBM-38691
>
> v2: fix bug link, fix comment style
>
> Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
> ---
>   security/device_cgroup.c | 9 +++++++--
>   1 file changed, 7 insertions(+), 2 deletions(-)
>
> diff --git a/security/device_cgroup.c b/security/device_cgroup.c
> index 531e40c..0a6d9c4 100644
> --- a/security/device_cgroup.c
> +++ b/security/device_cgroup.c
> @@ -689,8 +689,13 @@ static int devcgroup_update_access(struct dev_cgroup *devcgroup,
>   			if (has_children(devcgroup))
>   				return -EINVAL;
>
> -			if (!may_allow_all(parent))
> -				return -EPERM;
> +			if (!may_allow_all(parent)) {
> +				if (ve_is_super(get_exec_env()))
> +					return -EPERM;
> +				else
> +					/* Fooling docker in CT - silently exit */
> +					return 0;
> +			}
>   			dev_exception_clean(devcgroup);
>   			devcgroup->behavior = DEVCG_DEFAULT_ALLOW;
>   			if (!parent)
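Review bot: the non-super-VE branch reports success while applying nothing, and this should be stated explicitly in the commit message and in the comment. With `return 0` the code never reaches `dev_exception_clean(devcgroup)` or `devcgroup->behavior = DEVCG_DEFAULT_ALLOW`, so the write of "a" to devices.allow succeeds from userspace's point of view but the cgroup keeps the exception list and default-deny behavior inherited from the parent; any later read of devices.list inside the CT will still show the restricted set rather than "a *:* rwm". That is the intended effect for the docker case, but "silently exit" undersells it; something like `/* Inside a CT we cannot widen beyond the parent; pretend the write succeeded so docker keeps going, the cgroup is left unchanged */` would make the semantics clear to the next reader. On style, the `else` after an unconditional `return -EPERM` is redundant, and putting a comment between `else` and its bare statement is easy to misread; either drop the `else` or brace the branch so the comment sits inside the block.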
>

-- 
Best regards, Tikhomirov Pavel
Software Developer, Odin.
