2015-02-01 11:56:27 +08:00
|
|
|
package configs
|
|
|
|
|
|
|
|
import (
|
2020-05-07 11:59:36 +08:00
|
|
|
"errors"
|
2015-02-01 11:56:27 +08:00
|
|
|
"fmt"
|
|
|
|
"os"
|
2020-05-07 11:59:36 +08:00
|
|
|
"strconv"
|
|
|
|
|
|
|
|
"golang.org/x/sys/unix"
|
2015-02-01 11:56:27 +08:00
|
|
|
)
|
|
|
|
|
|
|
|
const (
|
|
|
|
Wildcard = -1
|
|
|
|
)
|
|
|
|
|
2015-05-14 06:42:16 +08:00
|
|
|
// TODO Windows: This can be factored out in the future
|
|
|
|
|
2015-02-01 11:56:27 +08:00
|
|
|
type Device struct {
|
2020-05-07 11:59:36 +08:00
|
|
|
DeviceRule
|
2015-02-04 09:44:58 +08:00
|
|
|
|
|
|
|
// Path to the device.
|
2015-02-12 08:45:23 +08:00
|
|
|
Path string `json:"path"`
|
2015-02-04 09:44:58 +08:00
|
|
|
|
|
|
|
// FileMode permission bits for the device.
|
2015-02-12 08:45:23 +08:00
|
|
|
FileMode os.FileMode `json:"file_mode"`
|
2015-02-04 09:44:58 +08:00
|
|
|
|
|
|
|
// Uid of the device.
|
2015-02-12 08:45:23 +08:00
|
|
|
Uid uint32 `json:"uid"`
|
2015-02-04 09:44:58 +08:00
|
|
|
|
|
|
|
// Gid of the device.
|
2015-02-12 08:45:23 +08:00
|
|
|
Gid uint32 `json:"gid"`
|
2020-05-07 11:59:36 +08:00
|
|
|
}
|
2016-02-06 07:15:25 +08:00
|
|
|
|
2020-05-07 11:59:36 +08:00
|
|
|
// DevicePermissions is a cgroupv1-style string to represent device access. It
|
|
|
|
// has to be a string for backward compatibility reasons, hence why it has
|
|
|
|
// methods to do set operations.
|
|
|
|
type DevicePermissions string
|
|
|
|
|
|
|
|
const (
|
|
|
|
deviceRead uint = (1 << iota)
|
|
|
|
deviceWrite
|
|
|
|
deviceMknod
|
|
|
|
)
|
|
|
|
|
|
|
|
func (p DevicePermissions) toSet() uint {
|
|
|
|
var set uint
|
|
|
|
for _, perm := range p {
|
|
|
|
switch perm {
|
|
|
|
case 'r':
|
|
|
|
set |= deviceRead
|
|
|
|
case 'w':
|
|
|
|
set |= deviceWrite
|
|
|
|
case 'm':
|
|
|
|
set |= deviceMknod
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return set
|
|
|
|
}
|
|
|
|
|
|
|
|
func fromSet(set uint) DevicePermissions {
|
|
|
|
var perm string
|
|
|
|
if set&deviceRead == deviceRead {
|
|
|
|
perm += "r"
|
|
|
|
}
|
|
|
|
if set&deviceWrite == deviceWrite {
|
|
|
|
perm += "w"
|
|
|
|
}
|
|
|
|
if set&deviceMknod == deviceMknod {
|
|
|
|
perm += "m"
|
|
|
|
}
|
|
|
|
return DevicePermissions(perm)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Union returns the union of the two sets of DevicePermissions.
|
|
|
|
func (p DevicePermissions) Union(o DevicePermissions) DevicePermissions {
|
|
|
|
lhs := p.toSet()
|
|
|
|
rhs := o.toSet()
|
|
|
|
return fromSet(lhs | rhs)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Difference returns the set difference of the two sets of DevicePermissions.
|
|
|
|
// In set notation, A.Difference(B) gives you A\B.
|
|
|
|
func (p DevicePermissions) Difference(o DevicePermissions) DevicePermissions {
|
|
|
|
lhs := p.toSet()
|
|
|
|
rhs := o.toSet()
|
|
|
|
return fromSet(lhs &^ rhs)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Intersection computes the intersection of the two sets of DevicePermissions.
|
|
|
|
func (p DevicePermissions) Intersection(o DevicePermissions) DevicePermissions {
|
|
|
|
lhs := p.toSet()
|
|
|
|
rhs := o.toSet()
|
|
|
|
return fromSet(lhs & rhs)
|
|
|
|
}
|
|
|
|
|
|
|
|
// IsEmpty returns whether the set of permissions in a DevicePermissions is
|
|
|
|
// empty.
|
|
|
|
func (p DevicePermissions) IsEmpty() bool {
|
|
|
|
return p == DevicePermissions("")
|
|
|
|
}
|
|
|
|
|
|
|
|
// IsValid returns whether the set of permissions is a subset of valid
|
|
|
|
// permissions (namely, {r,w,m}).
|
|
|
|
func (p DevicePermissions) IsValid() bool {
|
|
|
|
return p == fromSet(p.toSet())
|
|
|
|
}
|
|
|
|
|
|
|
|
type DeviceType rune
|
|
|
|
|
|
|
|
const (
|
|
|
|
WildcardDevice DeviceType = 'a'
|
|
|
|
BlockDevice DeviceType = 'b'
|
|
|
|
CharDevice DeviceType = 'c' // or 'u'
|
|
|
|
FifoDevice DeviceType = 'p'
|
|
|
|
)
|
|
|
|
|
|
|
|
func (t DeviceType) IsValid() bool {
|
|
|
|
switch t {
|
|
|
|
case WildcardDevice, BlockDevice, CharDevice, FifoDevice:
|
|
|
|
return true
|
|
|
|
default:
|
|
|
|
return false
|
|
|
|
}
|
2015-02-01 11:56:27 +08:00
|
|
|
}
|
|
|
|
|
2020-05-07 11:59:36 +08:00
|
|
|
func (t DeviceType) CanMknod() bool {
|
|
|
|
switch t {
|
|
|
|
case BlockDevice, CharDevice, FifoDevice:
|
|
|
|
return true
|
|
|
|
default:
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func (t DeviceType) CanCgroup() bool {
|
|
|
|
switch t {
|
|
|
|
case WildcardDevice, BlockDevice, CharDevice:
|
|
|
|
return true
|
|
|
|
default:
|
|
|
|
return false
|
|
|
|
}
|
2015-02-01 11:56:27 +08:00
|
|
|
}
|
|
|
|
|
2020-05-07 11:59:36 +08:00
|
|
|
type DeviceRule struct {
|
|
|
|
// Type of device ('c' for char, 'b' for block). If set to 'a', this rule
|
|
|
|
// acts as a wildcard and all fields other than Allow are ignored.
|
|
|
|
Type DeviceType `json:"type"`
|
|
|
|
|
|
|
|
// Major is the device's major number.
|
|
|
|
Major int64 `json:"major"`
|
|
|
|
|
|
|
|
// Minor is the device's minor number.
|
|
|
|
Minor int64 `json:"minor"`
|
|
|
|
|
|
|
|
// Permissions is the set of permissions that this rule applies to (in the
|
|
|
|
// cgroupv1 format -- any combination of "rwm").
|
|
|
|
Permissions DevicePermissions `json:"permissions"`
|
|
|
|
|
|
|
|
// Allow specifies whether this rule is allowed.
|
|
|
|
Allow bool `json:"allow"`
|
|
|
|
}
|
|
|
|
|
|
|
|
func (d *DeviceRule) CgroupString() string {
|
|
|
|
var (
|
|
|
|
major = strconv.FormatInt(d.Major, 10)
|
|
|
|
minor = strconv.FormatInt(d.Minor, 10)
|
|
|
|
)
|
|
|
|
if d.Major == Wildcard {
|
|
|
|
major = "*"
|
|
|
|
}
|
|
|
|
if d.Minor == Wildcard {
|
|
|
|
minor = "*"
|
|
|
|
}
|
|
|
|
return fmt.Sprintf("%c %s:%s %s", d.Type, major, minor, d.Permissions)
|
2015-02-01 11:56:27 +08:00
|
|
|
}
|
|
|
|
|
2020-05-07 11:59:36 +08:00
|
|
|
func (d *DeviceRule) Mkdev() (uint64, error) {
|
|
|
|
if d.Major == Wildcard || d.Minor == Wildcard {
|
|
|
|
return 0, errors.New("cannot mkdev() device with wildcards")
|
2015-02-01 11:56:27 +08:00
|
|
|
}
|
2020-05-07 11:59:36 +08:00
|
|
|
return unix.Mkdev(uint32(d.Major), uint32(d.Minor)), nil
|
2015-02-01 11:56:27 +08:00
|
|
|
}
|