[Devel] [PATCH RHEL9 COMMIT] ve/device_cgroup: Show all devices allowed in ct to fool docker

Konstantin Khorenko khorenko at virtuozzo.com
Wed Oct 20 11:39:30 MSK 2021


The commit is pushed to "branch-rh9-5.14.vz9.1.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh9-5.14.0-4.vz9.10.12
------>
commit 5f595f2018acd423666b40bc405db90954557b69
Author: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
Date:   Wed Oct 20 11:39:30 2021 +0300

    ve/device_cgroup: Show all devices allowed in ct to fool docker
    
    We've seen that docker 20+ not only writes "a *:* rwm" to privileged
    docker container device-cgroup (as pre-19 version did) but also checks
    the content after write, and docker expects that all devices are allowed
    for privileged docker container.
    
    In our VZCT we obviously can't afford to actually allow all devices
    because root device cgroup of VZCT should restrict which devices are
    allowed to be read/modified/mknod in VZCT and which are not, and all
    nested cgroup inherit this. Before the patch reading devices list in
    VZCT one would see a whitelist there each allowed device is present:
    
      CT-101 /# cat /sys/fs/cgroup/devices/test/devices.list
      ...
      c 1:11 rwm
      c 10:200 rwm
      c 10:235 rwm
      c 10:229 rwm
      b 182:177568 rm
      b 182:177569 rm
    
    Docker expects to see "a *:* rwm" as if docker is on bare host and
    nobody touched device cgroup before that.
    
    As a solution we can just show docker what he wants. The idea is to
    detect if the content of the whitelist of the device cgroup to be
    shown is equal to the content of the whitelist of the root device cgroup
    of the VZCT, then always show "a *:* rwm".
    
      CT-101 /# cat /sys/fs/cgroup/devices/test/devices.list
      a *:* rwm
    
    If one changes the whitelist (even reorder) this cgroup would show a
    full list of all allowed devices as before.
    
    This change of the output looks consistent enough: when you see
    "a *:* rwm" in your cgroup it means that all devices of your VZCT are
    available for you.
    
    Only difference to mainstream behaviour is when you prohibit some device
    via devices.deny you get not a blacklist but an inverse whitelist.
    
    Related task - a CRIU/vzctl task for devices cgroup migration support:
    https://jira.sw.ru/browse/PSBM-123668
    
    https://jira.sw.ru/browse/PSBM-123630
    
    Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
    
    vz8 rebase:
     - introduced css_get_local_root() similar to cgroup_get_local_root()
    
    (cherry picked from vz7 commit a6dba9fbee35 ("ve/device_cgroup: show all
    devices allowed in ct to fool docker"))
    In the scope of
    https://jira.sw.ru/browse/PSBM-123743
    
    Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>
    
    Reviewed-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
    
    +++
    kernel/cgroup: rename css_get_local_root
    
    css functions with _get_ wording usually take reference counters.
    Rename to css_local_root() to comply. Change all uses accordingly.
    
    https://jira.sw.ru/browse/PSBM-131253
    
    Signed-off-by: Andrey Zhadchenko <andrey.zhadchenko at virtuozzo.com>
    
    Reviewed-by: Kirill Tkhai <ktkhai at virtuozzo.com>
    
    Ported vz8 commit e06581026a84 ("ve/device_cgroup: Show all devices
    allowed in ct to fool docker")).
    
    Use css_ve_root1().
    
    Signed-off-by: Nikita Yushchenko <nikita.yushchenko at virtuozzo.com>
---
 security/device_cgroup.c | 44 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)

diff --git a/security/device_cgroup.c b/security/device_cgroup.c
index 448c5bef0996..3ccec8dda4d6 100644
--- a/security/device_cgroup.c
+++ b/security/device_cgroup.c
@@ -270,12 +270,44 @@ static void set_majmin(char *str, unsigned m)
 		sprintf(str, "%u", m);
 }
 
+struct dev_exception_item *dev_exeption_next(struct list_head *head)
+{
+	return list_entry_rcu(head->next, struct dev_exception_item, list);
+}
+
+static bool devcgroup_exceptions_equal(struct dev_cgroup *first_cgrp,
+		struct dev_cgroup *second_cgrp)
+{
+	struct list_head *first = &first_cgrp->exceptions,
+			 *second = &second_cgrp->exceptions;
+	struct dev_exception_item *exf, *exs;
+
+	for (exf = dev_exeption_next(first->next),
+	     exs = dev_exeption_next(second->next);
+	     &exf->list != first && &exs->list != second;
+	     exf = dev_exeption_next(exf->list.next),
+	     exs = dev_exeption_next(exs->list.next)) {
+		/* Check that exceptions are equal */
+		if (exf->type != exs->type ||
+		    exf->major != exs->major ||
+		    exf->minor != exs->minor ||
+		    exf->access != exs->access)
+			return false;
+	}
+
+	if (&exf->list != first || &exs->list != second)
+		return false;
+
+	return true;
+}
+
 static int devcgroup_seq_show(struct seq_file *m, void *v)
 {
 	struct dev_cgroup *devcgroup = css_to_devcgroup(seq_css(m));
 	struct dev_exception_item *ex;
 	char maj[MAJMINLEN], min[MAJMINLEN], acc[ACCLEN];
 	short type, mask;
+	struct dev_cgroup *root_cgrp;
 
 	type = (short)seq_cft(m)->private;
 	mask = (type == DEVCG_EXTRA_LIST) ?
@@ -289,12 +321,24 @@ static int devcgroup_seq_show(struct seq_file *m, void *v)
 	 * This way, the file remains as a "whitelist of devices"
 	 */
 	if (devcgroup->behavior == DEVCG_DEFAULT_ALLOW) {
+allow_all:
 		set_access(acc, mask);
 		set_majmin(maj, ~0);
 		set_majmin(min, ~0);
 		seq_printf(m, "%c %s:%s %s\n", type_to_char(DEVCG_DEV_ALL),
 			   maj, min, acc);
 	} else {
+		/*
+		 * Fooling docker in CT again: if exceptions in ve are the same
+		 * as in ve root cgroup - show as if we allow everyting
+		 */
+		if (!ve_is_super(get_exec_env())) {
+			root_cgrp = css_to_devcgroup(css_ve_root1(seq_css(m)));
+			if (root_cgrp &&
+			    devcgroup_exceptions_equal(devcgroup, root_cgrp))
+				goto allow_all;
+		}
+
 		list_for_each_entry_rcu(ex, &devcgroup->exceptions, list) {
 			set_access(acc, ex->access & mask);
 			set_majmin(maj, ex->major);


More information about the Devel mailing list