[Devel] [PATCH RHEL7 COMMIT] ve/device_cgroup: fake allowing all devices for docker inside VZCT

Konstantin Khorenko khorenko at virtuozzo.com
Tue Oct 20 04:44:20 PDT 2015


The commit is pushed to "branch-rh7-3.10.0-229.7.2.vz7.8.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-229.7.2.vz7.8.8
------>
commit 855b8c1c6ed83b8e491d8534277f2441dd658aa9
Author: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
Date:   Tue Oct 20 15:44:20 2015 +0400

    ve/device_cgroup: fake allowing all devices for docker inside VZCT
    
    This is a port from pcs6, patch
    diff-device_cgroup-fake-allowing-all-devices-for-docker-inside-VZCT
    
    https://jira.sw.ru/browse/PSBM-34529
    
    ===========
    Docker from 1.7.0 tries to add "a" to devices.allow for newly created
    privileged container device_cgroup, and thus to allow all devices in
    docker container. Docker fails to do so because not all devices are
    allowed in parent VZ6CT cgroup.
    
    To support docker we must allow writing "a" to devices.allow in CT.
    With this patch if we get "a", we will silently exit without EPERM.
    
    https://jira.sw.ru/browse/PSBM-38691
    
    v2: fix bug link, fix comment style
    
    Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
---
 security/device_cgroup.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/security/device_cgroup.c b/security/device_cgroup.c
index 531e40c..0a6d9c4 100644
--- a/security/device_cgroup.c
+++ b/security/device_cgroup.c
@@ -689,8 +689,13 @@ static int devcgroup_update_access(struct dev_cgroup *devcgroup,
 			if (has_children(devcgroup))
 				return -EINVAL;
 
-			if (!may_allow_all(parent))
-				return -EPERM;
+			if (!may_allow_all(parent)) {
+				if (ve_is_super(get_exec_env()))
+					return -EPERM;
+				else
+					/* Fooling docker in CT - silently exit */
+					return 0;
+			}
 			dev_exception_clean(devcgroup);
 			devcgroup->behavior = DEVCG_DEFAULT_ALLOW;
 			if (!parent)
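Review bot: the new `return 0` in the non-super branch reports success to the writer while leaving `devcgroup->behavior` and the exception list untouched, so a subsequent read of devices.list inside the container will not reflect the "a" write that was just accepted. That is the behaviour the commit message asks for, but the comment `/* Fooling docker in CT - silently exit */` should also state that the write is a deliberate no-op and that the parent's device restrictions remain in force, so that nobody later mistakes this for a real grant of all devices; a one-line note above `if (ve_is_super(get_exec_env()))` explaining why the host keeps `-EPERM` would help as well.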
