Merge pull request #2603 from Bevisy/main-2539

sandbox: Add device permissions such as /dev/null to cgroup
Samuel Ortiz 2021-09-13 11:04:51 +02:00 committed by GitHub
commit 75ef8c243a


@ -65,6 +65,7 @@ const (
DirMode = os.FileMode(0750) | os.ModeDir
mkswapPath = "/sbin/mkswap"
rwm = "rwm"
)
var (
@ -580,6 +581,34 @@ func (s *Sandbox) createCgroupManager() error {
if spec.Linux.Resources != nil {
resources.Devices = spec.Linux.Resources.Devices
// spec.Linux.Resources.Devices default only contain {"devices":[{"allow":false,"access":"rwm"}]}
if len(resources.Devices) == 1 {
intptr := func(i int64) *int64 {
return &i
}
// adds the default devices for unix such as /dev/null, /dev/urandom to
// the container's resource cgroup spec
resources.Devices = append(resources.Devices, []specs.LinuxDeviceCgroup{
{
// "/dev/null",
Type: "c",
Major: intptr(1),
Minor: intptr(3),
Access: rwm,
Allow: true,
},
{
// "/dev/urandom",
Type: "c",
Major: intptr(1),
Minor: intptr(9),
Access: rwm,
Allow: true,
},
}...)
}
if spec.Linux.Resources.CPU != nil {
resources.CPU = &specs.LinuxCPU{
Cpus: spec.Linux.Resources.CPU.Cpus,