diff options
author | Daniel J Walsh <dwalsh@redhat.com> | 2021-07-09 16:01:35 -0400 |
---|---|---|
committer | Daniel J Walsh <dwalsh@redhat.com> | 2021-07-21 16:10:09 -0400 |
commit | 3e79296a81ad723c6c3e8ea7d9ca142dfa8fbdf3 (patch) | |
tree | e8bd1f72e0f4a3fdaf290375e75b31e00bab8d56 /cmd/podman | |
parent | 6370622444676db812cbc54aef56e691ea7788d0 (diff) | |
download | podman-3e79296a81ad723c6c3e8ea7d9ca142dfa8fbdf3.tar.gz podman-3e79296a81ad723c6c3e8ea7d9ca142dfa8fbdf3.tar.bz2 podman-3e79296a81ad723c6c3e8ea7d9ca142dfa8fbdf3.zip |
Support DeviceCgroupRules to actually get added.
Fixes: https://github.com/containers/podman/issues/10302
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Diffstat (limited to 'cmd/podman')
-rw-r--r-- | cmd/podman/common/specgen.go | 63 |
1 files changed, 63 insertions, 0 deletions
diff --git a/cmd/podman/common/specgen.go b/cmd/podman/common/specgen.go index 2f45e559d..24b45e479 100644 --- a/cmd/podman/common/specgen.go +++ b/cmd/podman/common/specgen.go @@ -566,6 +566,14 @@ func FillOutSpecGen(s *specgen.SpecGenerator, c *ContainerCLIOpts, args []string s.Devices = append(s.Devices, specs.LinuxDevice{Path: dev}) } + for _, rule := range c.DeviceCGroupRule { + dev, err := parseLinuxResourcesDeviceAccess(rule) + if err != nil { + return err + } + s.DeviceCGroupRule = append(s.DeviceCGroupRule, dev) + } + s.Init = c.Init s.InitPath = c.InitPath s.Stdin = c.Interactive @@ -885,3 +893,58 @@ func parseSecrets(secrets []string) ([]specgen.Secret, map[string]string, error) } return mount, envs, nil } + +var cgroupDeviceType = map[string]bool{ + "a": true, // all + "b": true, // block device + "c": true, // character device +} + +var cgroupDeviceAccess = map[string]bool{ + "r": true, //read + "w": true, //write + "m": true, //mknod +} + +// parseLinuxResourcesDeviceAccess parses the raw string passed with the --device-access-add flag +func parseLinuxResourcesDeviceAccess(device string) (specs.LinuxDeviceCgroup, error) { + var devType, access string + var major, minor *int64 + + value := strings.Split(device, " ") + if len(value) != 3 { + return specs.LinuxDeviceCgroup{}, fmt.Errorf("invalid device cgroup rule requires type, major:Minor, and access rules: %q", device) + } + + devType = value[0] + if !cgroupDeviceType[devType] { + return specs.LinuxDeviceCgroup{}, fmt.Errorf("invalid device type in device-access-add: %s", devType) + } + + number := strings.SplitN(value[1], ":", 2) + i, err := strconv.ParseInt(number[0], 10, 64) + if err != nil { + return specs.LinuxDeviceCgroup{}, err + } + major = &i + if len(number) == 2 && number[1] != "*" { + i, err := strconv.ParseInt(number[1], 10, 64) + if err != nil { + return specs.LinuxDeviceCgroup{}, err + } + minor = &i + } + access = value[2] + for _, c := range strings.Split(access, "") { + if !cgroupDeviceAccess[c] { + return specs.LinuxDeviceCgroup{}, fmt.Errorf("invalid device access in device-access-add: %s", c) + } + } + return specs.LinuxDeviceCgroup{ + Allow: true, + Type: devType, + Major: major, + Minor: minor, + Access: access, + }, nil +} |