[Devel] [PATCH vz9 10/20] ve/device_cgroup: Show all devices allowed in ct to fool docker

Nikita Yushchenko nikita.yushchenko at virtuozzo.com
Wed Oct 13 18:26:21 MSK 2021 

From: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>

We've seen that docker 20+ not only writes "a *:* rwm" to privileged
docker container device-cgroup (as pre-19 version did) but also checks
the content after write, and docker expects that all devices are allowed
for privileged docker container.

In our VZCT we obviously can't afford to actually allow all devices
because root device cgroup of VZCT should restrict which devices are
allowed to be read/modified/mknod in VZCT and which are not, and all
nested cgroup inherit this. Before the patch reading devices list in
VZCT one would see a whitelist there each allowed device is present:

  CT-101 /# cat /sys/fs/cgroup/devices/test/devices.list
  ...
  c 1:11 rwm
  c 10:200 rwm
  c 10:235 rwm
  c 10:229 rwm
  b 182:177568 rm
  b 182:177569 rm

Docker expects to see "a *:* rwm" as if docker is on bare host and
nobody touched device cgroup before that.

As a solution we can just show docker what he wants. The idea is to
detect if the content of the whitelist of the device cgroup to be
shown is equal to the content of the whitelist of the root device cgroup
of the VZCT, then always show "a *:* rwm".

  CT-101 /# cat /sys/fs/cgroup/devices/test/devices.list
  a *:* rwm

If one changes the whitelist (even reorder) this cgroup would show a
full list of all allowed devices as before.

This change of the output looks consistent enough: when you see
"a *:* rwm" in your cgroup it means that all devices of your VZCT are
available for you.

Only difference to mainstream behaviour is when you prohibit some device
via devices.deny you get not a blacklist but an inverse whitelist.

Related task - a CRIU/vzctl task for devices cgroup migration support:
https://jira.sw.ru/browse/PSBM-123668

https://jira.sw.ru/browse/PSBM-123630

Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>

vz8 rebase:
 - introduced css_get_local_root() similar to cgroup_get_local_root()

(cherry picked from vz7 commit a6dba9fbee35 ("ve/device_cgroup: show all
devices allowed in ct to fool docker"))
In the scope of
https://jira.sw.ru/browse/PSBM-123743

Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>
Reviewed-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>

+++
kernel/cgroup: rename css_get_local_root

css functions with _get_ wording usually take reference counters.
Rename to css_local_root() to comply. Change all uses accordingly.

https://jira.sw.ru/browse/PSBM-131253

Signed-off-by: Andrey Zhadchenko <andrey.zhadchenko at virtuozzo.com>
Reviewed-by: Kirill Tkhai <ktkhai at virtuozzo.com>

Ported vz8 commit e06581026a84 ("ve/device_cgroup: Show all devices
allowed in ct to fool docker")).

Use css_ve_root1().

Signed-off-by: Nikita Yushchenko <nikita.yushchenko at virtuozzo.com>
---
 security/device_cgroup.c | 44 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)

diff --git a/security/device_cgroup.c b/security/device_cgroup.c
index 448c5bef0996..3ccec8dda4d6 100644
--- a/security/device_cgroup.c
+++ b/security/device_cgroup.c
@@ -270,12 +270,44 @@ static void set_majmin(char *str, unsigned m)
 		sprintf(str, "%u", m);
 }
 
+struct dev_exception_item *dev_exeption_next(struct list_head *head)
+{
+	return list_entry_rcu(head->next, struct dev_exception_item, list);
+}
+
+static bool devcgroup_exceptions_equal(struct dev_cgroup *first_cgrp,
+		struct dev_cgroup *second_cgrp)
+{
+	struct list_head *first = &first_cgrp->exceptions,
+			 *second = &second_cgrp->exceptions;
+	struct dev_exception_item *exf, *exs;
+
+	for (exf = dev_exeption_next(first->next),
+	     exs = dev_exeption_next(second->next);
+	     &exf->list != first && &exs->list != second;
+	     exf = dev_exeption_next(exf->list.next),
+	     exs = dev_exeption_next(exs->list.next)) {
+		/* Check that exceptions are equal */
+		if (exf->type != exs->type ||
+		    exf->major != exs->major ||
+		    exf->minor != exs->minor ||
+		    exf->access != exs->access)
+			return false;
+	}
+
+	if (&exf->list != first || &exs->list != second)
+		return false;
+
+	return true;
+}
+
 static int devcgroup_seq_show(struct seq_file *m, void *v)
 {
 	struct dev_cgroup *devcgroup = css_to_devcgroup(seq_css(m));
 	struct dev_exception_item *ex;
 	char maj[MAJMINLEN], min[MAJMINLEN], acc[ACCLEN];
 	short type, mask;
+	struct dev_cgroup *root_cgrp;
 
 	type = (short)seq_cft(m)->private;
 	mask = (type == DEVCG_EXTRA_LIST) ?
@@ -289,12 +321,24 @@ static int devcgroup_seq_show(struct seq_file *m, void *v)
 	 * This way, the file remains as a "whitelist of devices"
 	 */
 	if (devcgroup->behavior == DEVCG_DEFAULT_ALLOW) {
+allow_all:
 		set_access(acc, mask);
 		set_majmin(maj, ~0);
 		set_majmin(min, ~0);
 		seq_printf(m, "%c %s:%s %s\n", type_to_char(DEVCG_DEV_ALL),
 			   maj, min, acc);
 	} else {
+		/*
+		 * Fooling docker in CT again: if exceptions in ve are the same
+		 * as in ve root cgroup - show as if we allow everyting
+		 */
+		if (!ve_is_super(get_exec_env())) {
+			root_cgrp = css_to_devcgroup(css_ve_root1(seq_css(m)));
+			if (root_cgrp &&
+			    devcgroup_exceptions_equal(devcgroup, root_cgrp))
+				goto allow_all;
+		}
+
 		list_for_each_entry_rcu(ex, &devcgroup->exceptions, list) {
 			set_access(acc, ex->access & mask);
 			set_majmin(maj, ex->major);
-- 
2.30.2

More information about the Devel mailing list