
Commit b67ea85

committed
Add opt for default unix device permissions
These opts either inherit the parent cgroup's device.list or append the default unix devices, such as /dev/null and /dev/random, so that the container has access. Signed-off-by: Michael Crosby <[email protected]>
1 parent a69a0b0 commit b67ea85

2 files changed

+105
-1
lines changed


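--- a/cmd/ctr/commands/run/run_unix.go
+++ b/cmd/ctr/commands/run/run_unix.go
@@ -56,7 +56,7 @@ func NewContainer(ctx gocontext.Context, client *containerd.Client, context *cli
 if context.IsSet("config") {
 opts = append(opts, oci.WithSpecFromFile(context.String("config")))
 } else {
-opts = append(opts, oci.WithDefaultSpec())
+opts = append(opts, oci.WithDefaultSpec(), oci.WithDefaultUnixDevices)
 }
 
 opts = append(opts, oci.WithEnv(context.StringSlice("env")))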

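--- a/oci/spec_opts_unix.go
+++ b/oci/spec_opts_unix.go
@@ -602,6 +602,110 @@ func WithSeccompUnconfined(_ context.Context, _ Client, _ *containers.Container,
 return nil
 }
 
+// WithParentCgroupDevices uses the default cgroup setup to inherit the container's parent cgroup's
+// allowed and denied devices
+func WithParentCgroupDevices(_ context.Context, _ Client, _ *containers.Container, s *Spec) error {
+setLinux(s)
+if s.Linux.Resources == nil {
+s.Linux.Resources = &specs.LinuxResources{}
+}
+s.Linux.Resources.Devices = nil
+return nil
+}
+
+// WithDefaultUnixDevices adds the default devices for unix such as /dev/null, /dev/random to
+// the container's resource cgroup spec
+func WithDefaultUnixDevices(_ context.Context, _ Client, _ *containers.Container, s *Spec) error {
+setLinux(s)
+if s.Linux.Resources == nil {
+s.Linux.Resources = &specs.LinuxResources{}
+}
+intptr := func(i int64) *int64 {
+return &i
+}
+s.Linux.Resources.Devices = append(s.Linux.Resources.Devices, []specs.LinuxDeviceCgroup{
+{
+// "/dev/null",
+Type: "c",
+Major: intptr(1),
+Minor: intptr(3),
+Access: rwm,
+Allow: true,
+},
+{
+// "/dev/random",
+Type: "c",
+Major: intptr(1),
+Minor: intptr(8),
+Access: rwm,
+Allow: true,
+},
+{
+// "/dev/full",
+Type: "c",
+Major: intptr(1),
+Minor: intptr(7),
+Access: rwm,
+Allow: true,
+},
+{
+// "/dev/tty",
+Type: "c",
+Major: intptr(5),
+Minor: intptr(0),
+Access: rwm,
+Allow: true,
+},
+{
+// "/dev/zero",
+Type: "c",
+Major: intptr(1),
+Minor: intptr(5),
+Access: rwm,
+Allow: true,
+},
+{
+// "/dev/urandom",
+Type: "c",
+Major: intptr(1),
+Minor: intptr(9),
+Access: rwm,
+Allow: true,
+},
+{
+// "/dev/console",
+Type: "c",
+Major: intptr(5),
+Minor: intptr(1),
+Access: rwm,
+Allow: true,
+},
+// /dev/pts/ - pts namespaces are "coming soon"
+{
+Type: "c",
+Major: intptr(136),
+Access: rwm,
+Allow: true,
+},
+{
+Type: "c",
+Major: intptr(5),
+Minor: intptr(2),
+Access: rwm,
+Allow: true,
+},
+{
+// tuntap
+Type: "c",
+Major: intptr(10),
+Minor: intptr(200),
+Access: rwm,
+Allow: true,
+},
+}...)
+return nil
+}
+
 // WithPrivileged sets up options for a privileged container
 // TODO(justincormack) device handling
 var WithPrivileged = Compose(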
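Review bot: WithDefaultUnixDevices only appends `Allow: true` rules, so it acts as an allowlist only if a deny-all rule already precedes these entries in s.Linux.Resources.Devices; composed after WithParentCgroupDevices (which clears the list), or onto a user-supplied spec that has no deny-all, the entries widen access beyond what the parent cgroup permits rather than restrict it. Device cgroup rules are applied in list order, so this precondition belongs in the doc comment, e.g. `// Rules are appended after any existing entries and form an allowlist only when a deny-all rule (Allow: false, Access: rwm) precedes them.` The entry with Major 5 / Minor 2 is the only named device without a label; `// "/dev/ptmx"` would match its neighbours, and the Major 136 entry's missing Minor presumably matches every pts minor, which the pts comment hints at but could state outright. The `rwm` constant and setLinux are defined outside this hunk.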
