aboutsummaryrefslogtreecommitdiff
path: root/cmd
diff options
context:
space:
mode:
authorbaude <bbaude@redhat.com>2018-02-14 12:51:06 -0600
committerAtomic Bot <atomic-devel@projectatomic.io>2018-02-15 00:20:47 +0000
commitbe9ed1cfacc19d1ad3c09e10481da445615b8b8e (patch)
tree1c0c01daf5b43c6139e37408be601475c1dcea41 /cmd
parentd051dc38d81920c94c37b20ceba0d33b35299bca (diff)
downloadpodman-be9ed1cfacc19d1ad3c09e10481da445615b8b8e.tar.gz
podman-be9ed1cfacc19d1ad3c09e10481da445615b8b8e.tar.bz2
podman-be9ed1cfacc19d1ad3c09e10481da445615b8b8e.zip
Privileged containers should inherit host devices
When running a privileged container, it should inherit the same devices the host has. Signed-off-by: baude <bbaude@redhat.com> Closes: #330 Approved by: mheon
Diffstat (limited to 'cmd')
-rw-r--r--cmd/podman/spec.go46
1 files changed, 44 insertions, 2 deletions
diff --git a/cmd/podman/spec.go b/cmd/podman/spec.go
index 3a2402d0e..c5ed2c0d4 100644
--- a/cmd/podman/spec.go
+++ b/cmd/podman/spec.go
@@ -2,6 +2,7 @@ package main
import (
"io/ioutil"
+ "os"
"strconv"
"strings"
@@ -10,6 +11,7 @@ import (
"github.com/docker/docker/pkg/mount"
"github.com/docker/docker/profiles/seccomp"
"github.com/docker/go-units"
+ "github.com/opencontainers/runc/libcontainer/configs"
"github.com/opencontainers/runc/libcontainer/devices"
spec "github.com/opencontainers/runtime-spec/specs-go"
"github.com/opencontainers/runtime-tools/generate"
@@ -23,6 +25,9 @@ import (
const cpuPeriod = 100000
+func u32Ptr(i int64) *uint32 { u := uint32(i); return &u }
+func fmPtr(i int64) *os.FileMode { fm := os.FileMode(i); return &fm }
+
func blockAccessToKernelFilesystems(config *createConfig, g *generate.Generator) {
if !config.Privileged {
for _, mp := range []string{
@@ -241,10 +246,19 @@ func createConfigToOCISpec(config *createConfig) (*spec.Spec, error) {
}
// Devices
- for _, device := range config.Devices {
- if err := addDevice(&g, device); err != nil {
+ if config.Privileged {
+ // If privileged, we need to add all the host devices to the
+ // spec. We do not add the user provided ones because we are
+ // already adding them all.
+ if err := config.AddPrivilegedDevices(&g); err != nil {
return nil, err
}
+ } else {
+ for _, device := range config.Devices {
+ if err := addDevice(&g, device); err != nil {
+ return nil, err
+ }
+ }
}
// SECURITY OPTS
@@ -685,3 +699,31 @@ func (c *createConfig) CreatePortBindings() ([]ocicni.PortMapping, error) {
}
return portBindings, nil
}
+
+// AddPrivilegedDevices iterates through host devices and adds all
+// host devices to the spec
+func (c *createConfig) AddPrivilegedDevices(g *generate.Generator) error {
+ hostDevices, err := devices.HostDevices()
+ if err != nil {
+ return err
+ }
+ g.ClearLinuxDevices()
+ for _, d := range hostDevices {
+ g.AddDevice(Device(d))
+ }
+ g.AddLinuxResourcesDevice(true, "", nil, nil, "rwm")
+ return nil
+}
+
+// Device transforms a libcontainer configs.Device to a specs.LinuxDevice object.
+func Device(d *configs.Device) spec.LinuxDevice {
+ return spec.LinuxDevice{
+ Type: string(d.Type),
+ Path: d.Path,
+ Major: d.Major,
+ Minor: d.Minor,
+ FileMode: fmPtr(int64(d.FileMode)),
+ UID: u32Ptr(int64(d.Uid)),
+ GID: u32Ptr(int64(d.Gid)),
+ }
+}