// +build linux
package fs
import (
"github.com/opencontainers/runc/libcontainer/cgroups"
"github.com/opencontainers/runc/libcontainer/cgroups/fscommon"
"github.com/opencontainers/runc/libcontainer/configs"
"github.com/opencontainers/runc/libcontainer/system"
)
// DevicesGroup manages the cgroup v1 "devices" controller (the
// devices.allow / devices.deny interface). It carries no state of its own:
// every rule it writes comes from the *configs.Cgroup handed to Set.
type DevicesGroup struct{}
// Name returns the cgroup subsystem name this group is responsible for.
func (s *DevicesGroup) Name() string {
	const subsystem = "devices"
	return subsystem
}
// Apply joins the "devices" hierarchy through d.join and reports any error
// it returns. Unlike subsystems that tolerate a missing hierarchy, a
// "not found" error is propagated as well: the devices cgroup is a hard
// requirement for the container's security, so running without it is not
// acceptable.
func (s *DevicesGroup) Apply(d *cgroupData) error {
	// The path join hands back is not needed here; only success matters.
	_, joinErr := d.join("devices")
	return joinErr
}
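// Set writes the device access rules found in cgroup.Resources into the
// devices cgroup rooted at path.
//
// Exactly one of three mutually exclusive modes is applied, checked in this
// order:
//
//  1. Resources.Devices is non-empty: every rule is written, in order, to
//     devices.allow or devices.deny according to dev.Allow. AllowAllDevices,
//     AllowedDevices and DeniedDevices are ignored in this mode.
//  2. AllowAllDevices is set and false: "a" is written to devices.deny so the
//     cgroup starts from default-deny, then each of AllowedDevices is
//     written to devices.allow. DeniedDevices is ignored in this mode.
//  3. Otherwise: if AllowAllDevices is set (and therefore true) "a" is
//     written to devices.allow; then each of DeniedDevices is written to
//     devices.deny.
//
// When running inside a user namespace nothing is written and nil is
// returned, so the device rules in effect are whatever the cgroup was
// configured with from outside the namespace.
// NOTE(review): callers are presumably relying on that outer configuration
// for device confinement in the userns case — confirm.
//
// The first write error aborts the remaining writes and is returned, so a
// failure can leave the cgroup partially configured.
func (s *DevicesGroup) Set(path string, cgroup *configs.Cgroup) error {
	if system.RunningInUserNS() {
		return nil
	}

	// Mode 1: an explicit, ordered rule list takes precedence over the
	// allow/deny helpers below.
	if len(cgroup.Resources.Devices) > 0 {
		for _, dev := range cgroup.Resources.Devices {
			file := "devices.deny"
			if dev.Allow {
				file = "devices.allow"
			}
			if err := fscommon.WriteFile(path, file, dev.CgroupString()); err != nil {
				return err
			}
		}
		return nil
	}

	// Mode 2: deny everything first so that the allow list written afterwards
	// is the complete set of devices the container can reach.
	if cgroup.Resources.AllowAllDevices != nil && !*cgroup.Resources.AllowAllDevices {
		if err := fscommon.WriteFile(path, "devices.deny", "a"); err != nil {
			return err
		}
		for _, dev := range cgroup.Resources.AllowedDevices {
			if err := fscommon.WriteFile(path, "devices.allow", dev.CgroupString()); err != nil {
				return err
			}
		}
		return nil
	}

	// Mode 3: AllowAllDevices is either unset or true here. Open up all
	// devices only when it is explicitly set, then carve out the denied ones.
	if cgroup.Resources.AllowAllDevices != nil {
		if err := fscommon.WriteFile(path, "devices.allow", "a"); err != nil {
			return err
		}
	}
	for _, dev := range cgroup.Resources.DeniedDevices {
		if err := fscommon.WriteFile(path, "devices.deny", dev.CgroupString()); err != nil {
			return err
		}
	}
	return nil
}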
// Remove deletes the devices cgroup directory resolved from d and returns
// whatever removePath reports.
func (s *DevicesGroup) Remove(d *cgroupData) error {
	devicesPath := d.path("devices")
	return removePath(devicesPath)
}
// GetStats is a no-op for the devices controller: nothing is read from path
// and stats is left untouched. It exists only to satisfy the subsystem
// interface and always returns nil.
func (s *DevicesGroup) GetStats(path string, stats *cgroups.Stats) error {
	// No statistics are collected for the devices subsystem.
	return nil
}