[Devel] [PATCH RHEL COMMIT] ve/device_cgroup: fake allowing all devices for docker inside VZCT

Konstantin Khorenko khorenko at virtuozzo.com
Wed Sep 22 14:50:58 MSK 2021


The commit is pushed to "branch-rh9-5.14.vz9.1.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after ark-5.14
------>
commit ebae37d307fb3451699e1950a9afe1004b518aa3
Author: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
Date:   Wed Sep 22 14:50:58 2021 +0300

    ve/device_cgroup: fake allowing all devices for docker inside VZCT
    
    Docker from 1.7.0 tries to add "a" to devices.allow for newly created
    privileged container device_cgroup, and thus to allow all devices in
    docker container. Docker fails to do so because not all devices are
    allowed in parent VZ6CT cgroup.
    
    To support docker we must allow writing "a" to devices.allow in CT.
    With this patch if we get "a", we will silently exit without EPERM.
    
    https://jira.sw.ru/browse/PSBM-38691
    https://jira.sw.ru/browse/PSBM-34529
    
    Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
    
    (cherry-picked from vz8 commit 40a66b4a7eb511d2800f989bea9eed2563bc1f05)
    Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
---
 security/device_cgroup.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/security/device_cgroup.c b/security/device_cgroup.c
index 3591e7144df4..bd1bf41b4a0d 100644
--- a/security/device_cgroup.c
+++ b/security/device_cgroup.c
@@ -618,8 +618,13 @@ static int devcgroup_update_access(struct dev_cgroup *devcgroup,
 			if (css_has_online_children(&devcgroup->css))
 				return -EINVAL;
 
-			if (!may_allow_all(parent))
-				return -EPERM;
+			if (!may_allow_all(parent)) {
+				if (ve_is_super(get_exec_env()))
+					return -EPERM;
+				else
+					/* Fooling docker in CT - silently exit */
+					return 0;
+			}
 			dev_exception_clean(devcgroup);
 			devcgroup->behavior = DEVCG_DEFAULT_ALLOW;
 			if (!parent)

