author | baude <bbaude@redhat.com> | 2018-02-14 12:51:06 -0600 |
---|---|---|
committer | Atomic Bot <atomic-devel@projectatomic.io> | 2018-02-15 00:20:47 +0000 |
commit | be9ed1cfacc19d1ad3c09e10481da445615b8b8e (patch) | |
tree | 1c0c01daf5b43c6139e37408be601475c1dcea41 /cmd/podman | |
parent | d051dc38d81920c94c37b20ceba0d33b35299bca (diff) | |
Privileged containers should inherit host devices
When running a privileged container, it should inherit the same
devices the host has.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #330
Approved by: mheon
Diffstat (limited to 'cmd/podman')
-rw-r--r-- | cmd/podman/spec.go | 46 |
1 files changed, 44 insertions, 2 deletions
diff --git a/cmd/podman/spec.go b/cmd/podman/spec.go
index 3a2402d0e..c5ed2c0d4 100644
--- a/cmd/podman/spec.go
+++ b/cmd/podman/spec.go
@@ -2,6 +2,7 @@ package main
 import (
 "io/ioutil"
+ "os"
 "strconv"
 "strings"
@@ -10,6 +11,7 @@ import (
 "github.com/docker/docker/pkg/mount"
 "github.com/docker/docker/profiles/seccomp"
 "github.com/docker/go-units"
+ "github.com/opencontainers/runc/libcontainer/configs"
 "github.com/opencontainers/runc/libcontainer/devices"
 spec "github.com/opencontainers/runtime-spec/specs-go"
 "github.com/opencontainers/runtime-tools/generate"
@@ -23,6 +25,9 @@ import (
 const cpuPeriod = 100000
+func u32Ptr(i int64) *uint32 { u := uint32(i); return &u }
+func fmPtr(i int64) *os.FileMode { fm := os.FileMode(i); return &fm }
+
 func blockAccessToKernelFilesystems(config *createConfig, g *generate.Generator) {
 if !config.Privileged {
 for _, mp := range []string{
@@ -241,10 +246,19 @@ func createConfigToOCISpec(config *createConfig) (*spec.Spec, error) {
 }
 // Devices
- for _, device := range config.Devices {
- if err := addDevice(&g, device); err != nil {
+ if config.Privileged {
+ // If privileged, we need to add all the host devices to the
+ // spec. We do not add the user provided ones because we are
+ // already adding them all.
+ if err := config.AddPrivilegedDevices(&g); err != nil {
 return nil, err
 }
+ } else {
+ for _, device := range config.Devices {
+ if err := addDevice(&g, device); err != nil {
+ return nil, err
+ }
+ }
 }
 // SECURITY OPTS 
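Review bot: `u32Ptr` and `fmPtr` take an `int64` and narrow it to `uint32`/`os.FileMode` with no range check, so any value above 2^32-1 would be silently truncated; the only callers added by this commit widen a `uint32` and then narrow it again, which is harmless today but invites misuse later. Taking the natural type avoids the lossy conversion entirely: `func u32Ptr(u uint32) *uint32 { return &u }` and `func fmPtr(fm os.FileMode) *os.FileMode { return &fm }`, with the `int64(...)` wrappers in `Device` dropped. Each helper should also carry a one-line doc comment, e.g. `// u32Ptr returns a pointer to a copy of u, for optional OCI spec fields.`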
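Review bot: In the new `if config.Privileged` branch every user-supplied `--device` entry in `config.Devices` is dropped with no feedback, so if `addDevice` (outside this hunk) honours a `host:container[:permissions]` mapping, a privileged run silently loses the container-side path or permissions the user asked for. Either still run the `config.Devices` loop after `AddPrivilegedDevices` so explicit entries are applied on top of the host set, or at least log a warning when `len(config.Devices) > 0` in this branch. The inline comment should also record that the host list is a one-time snapshot taken when the spec is built, e.g. `// Device nodes that appear on the host after this point are not added.` (presumably `devices.HostDevices` walks /dev once; confirm). `createConfigToOCISpec` starts and ends outside the hunk.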
@@ -685,3 +699,31 @@ func (c *createConfig) CreatePortBindings() ([]ocicni.PortMapping, error) {
 }
 return portBindings, nil
 }
+
+// AddPrivilegedDevices iterates through host devices and adds all
+// host devices to the spec
+func (c *createConfig) AddPrivilegedDevices(g *generate.Generator) error {
+ hostDevices, err := devices.HostDevices()
+ if err != nil {
+ return err
+ }
+ g.ClearLinuxDevices()
+ for _, d := range hostDevices {
+ g.AddDevice(Device(d))
+ }
+ g.AddLinuxResourcesDevice(true, "", nil, nil, "rwm")
+ return nil
+}
+
+// Device transforms a libcontainer configs.Device to a specs.LinuxDevice object.
+func Device(d *configs.Device) spec.LinuxDevice {
+ return spec.LinuxDevice{
+ Type: string(d.Type),
+ Path: d.Path,
+ Major: d.Major,
+ Minor: d.Minor,
+ FileMode: fmPtr(int64(d.FileMode)),
+ UID: u32Ptr(int64(d.Uid)),
+ GID: u32Ptr(int64(d.Gid)),
+ }
+}
|
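Review bot: `AddPrivilegedDevices` calls `g.ClearLinuxDevices()`, discarding any device already added to the generator, and then appends a blanket allow-all `rwm` device cgroup rule, yet its doc comment mentions neither; both matter to anyone auditing what a privileged container can reach. Suggest `// AddPrivilegedDevices replaces the spec's device list with every device node found on the host and adds an allow-all ("rwm") device cgroup rule; any devices previously added to g are discarded.` The receiver `c` is never used, so this could be a plain function, and `Device` drops `d.Permissions` on conversion — harmless given the blanket rule, but worth a `// Permissions is intentionally not carried over; the cgroup rule above grants rwm for everything.` note. Whether an allow rule appended after the generator's existing resource rules takes precedence depends on how the runtime orders the device cgroup list; confirm against the generator's defaults rather than assuming.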