cgroupv2: allow to set EnableAllDevices=true

In this case we just do not install any eBPF rules checking the devices. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-04-22 11:05:10 -07:00 · 2020-04-22 11:05:10 -07:00 · 75a92ea615
parent cdce577dcf
commit 75a92ea615
1 changed files with 6 additions and 2 deletions
--- a/libcontainer/cgroups/fs2/devices.go
+++ b/libcontainer/cgroups/fs2/devices.go
@ -40,11 +40,15 @@ func canSkipEBPFError(cgroup *configs.Cgroup) bool {

 func setDevices(dirPath string, cgroup *configs.Cgroup) error {
 	devices := cgroup.Devices
+	// never set by OCI specconv
 	if allowAllDevices := cgroup.Resources.AllowAllDevices; allowAllDevices != nil {
-		// never set by OCI specconv, but *allowAllDevices=false is still used by the integration test
 		if *allowAllDevices == true {
-			return errors.New("libcontainer AllowAllDevices is not supported, use Devices")
+			if len(cgroup.Resources.DeniedDevices) != 0 {
+				return errors.New("libcontainer: can't use DeniedDevices together with AllowAllDevices")
+			}
+			return nil
 		}
+		// *allowAllDevices=false is still used by the integration test
 		for _, ad := range cgroup.Resources.AllowedDevices {
 			d := *ad
 			d.Allow = true