github/kata-containers
1
0
Fork 1
mirror of https://github.com/kata-containers/kata-containers.git synced 2025-04-30 04:34:27 +00:00
Code Issues Projects Releases Wiki Activity

sandbox: Add device permissions such as /dev/null to cgroup

Browse Source 
adds the default devices for unix such as /dev/null, /dev/urandom to
the container's resource cgroup spec

Fixes: #2539

Signed-off-by: Binbin Zhang <binbin36520@gmail.com>
This commit is contained in:
Binbin Zhang 2021-09-09 15:12:16 +08:00
parent 9bbaa66f39
commit 71f915c63f
1 changed files with 29 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
src/runtime/virtcontainers/sandbox.go
View File

@ -65,6 +65,7 @@ const (
DirMode = os.FileMode(0750) | os.ModeDir DirMode = os.FileMode(0750) | os.ModeDir
mkswapPath = "/sbin/mkswap" mkswapPath = "/sbin/mkswap"
rwm = "rwm"
) )
var ( var (
@ -580,6 +581,34 @@ func (s *Sandbox) createCgroupManager() error {
if spec.Linux.Resources != nil { if spec.Linux.Resources != nil {
resources.Devices = spec.Linux.Resources.Devices resources.Devices = spec.Linux.Resources.Devices
// spec.Linux.Resources.Devices default only contain {"devices":[{"allow":false,"access":"rwm"}]}
if len(resources.Devices) == 1 {
intptr := func(i int64) *int64 {
return &i
}
// adds the default devices for unix such as /dev/null, /dev/urandom to
// the container's resource cgroup spec
resources.Devices = append(resources.Devices, []specs.LinuxDeviceCgroup{
{
// "/dev/null",
Type: "c",
Major: intptr(1),
Minor: intptr(3),
Access: rwm,
Allow: true,
},
{
// "/dev/urandom",
Type: "c",
Major: intptr(1),
Minor: intptr(9),
Access: rwm,
Allow: true,
},
}...)
}
if spec.Linux.Resources.CPU != nil { if spec.Linux.Resources.CPU != nil {
resources.CPU = &specs.LinuxCPU{ resources.CPU = &specs.LinuxCPU{
Cpus: spec.Linux.Resources.CPU.Cpus, Cpus: spec.Linux.Resources.CPU.Cpus,