configs: use different types for .Devices and .Resources.Devices

cyphar · cyphar · commit 24388be71e1a · 2020-05-13T17:38:45.000+10:00
Making them the same type is simply confusing, but also means that you
could accidentally use one in the wrong context. This eliminates that
problem. This also includes a whole bunch of cleanups for the types
within DeviceRule, so that they can be used more ergonomically.

Signed-off-by: Aleksa Sarai &lt;asarai@suse.de&gt;
diff --git a/libcontainer/cgroups/ebpf/devicefilter/devicefilter.go b/libcontainer/cgroups/ebpf/devicefilter/devicefilter.go
@@ -22,7 +22,7 @@ const (
 )
 
 // DeviceFilter returns eBPF device filter program and its license string
-func DeviceFilter(devices []*configs.Device) (asm.Instructions, string, error) {
+func DeviceFilter(devices []*configs.DeviceRule) (asm.Instructions, string, error) {
 	p := &program{}
 	p.init()
 	for i := len(devices) - 1; i >= 0; i-- {
@@ -68,7 +68,7 @@ func (p *program) init() {
 }
 
 // appendDevice needs to be called from the last element of OCI linux.resources.devices to the head element.
-func (p *program) appendDevice(dev *configs.Device) error {
+func (p *program) appendDevice(dev *configs.DeviceRule) error {
 	if p.blockID < 0 {
 		return errors.New("the program is finalized")
 	}
diff --git a/libcontainer/cgroups/ebpf/devicefilter/devicefilter_test.go b/libcontainer/cgroups/ebpf/devicefilter/devicefilter_test.go
@@ -20,7 +20,7 @@ func hash(s, comm string) string {
 	return strings.Join(res, "\n")
 }
 
-func testDeviceFilter(t testing.TB, devices []*configs.Device, expectedStr string) {
+func testDeviceFilter(t testing.TB, devices []*configs.DeviceRule, expectedStr string) {
 	insts, _, err := DeviceFilter(devices)
 	if err != nil {
 		t.Fatalf("%s: %v (devices: %+v)", t.Name(), err, devices)
@@ -137,11 +137,15 @@ block-11:
         62: Mov32Imm dst: r0 imm: 0
         63: Exit
 `
-	testDeviceFilter(t, specconv.AllowedDevices, expected)
+	var devices []*configs.DeviceRule
+	for _, device := range specconv.AllowedDevices {
+		devices = append(devices, &device.DeviceRule)
+	}
+	testDeviceFilter(t, devices, expected)
 }
 
 func TestDeviceFilter_Privileged(t *testing.T) {
-	devices := []*configs.Device{
+	devices := []*configs.DeviceRule{
 		{
 			Type:        'a',
 			Major:       -1,
@@ -168,7 +172,7 @@ block-0:
 }
 
 func TestDeviceFilter_PrivilegedExceptSingleDevice(t *testing.T) {
-	devices := []*configs.Device{
+	devices := []*configs.DeviceRule{
 		{
 			Type:        'a',
 			Major:       -1,
@@ -208,7 +212,7 @@ block-1:
 }
 
 func TestDeviceFilter_Weird(t *testing.T) {
-	devices := []*configs.Device{
+	devices := []*configs.DeviceRule{
 		{
 			Type:        'b',
 			Major:       8,
diff --git a/libcontainer/cgroups/fs/devices_test.go b/libcontainer/cgroups/fs/devices_test.go
@@ -18,14 +18,12 @@ func TestDevicesSetAllow(t *testing.T) {
 		"devices.deny":  "",
 	})
 
-	helper.CgroupData.config.Resources.Devices = []*configs.Device{
+	helper.CgroupData.config.Resources.Devices = []*configs.DeviceRule{
 		{
-			Path:        "/dev/zero",
-			Type:        'c',
+			Type:        configs.CharDevice,
 			Major:       1,
 			Minor:       5,
-			Permissions: "rwm",
-			FileMode:    0666,
+			Permissions: configs.DevicePermissions("rwm"),
 			Allow:       true,
 		},
 	}
diff --git a/libcontainer/cgroups/fs2/devices.go b/libcontainer/cgroups/fs2/devices.go
@@ -10,12 +10,10 @@ import (
 	"golang.org/x/sys/unix"
 )
 
-func isRWM(cgroupPermissions string) bool {
-	r := false
-	w := false
-	m := false
-	for _, rn := range cgroupPermissions {
-		switch rn {
+func isRWM(perms configs.DevicePermissions) bool {
+	var r, w, m bool
+	for _, perm := range perms {
+		switch perm {
 		case 'r':
 			r = true
 		case 'w':
diff --git a/libcontainer/configs/cgroup_linux.go b/libcontainer/configs/cgroup_linux.go
@@ -42,7 +42,7 @@ type Cgroup struct {
 
 type Resources struct {
 	// Devices is the set of access rules for devices in the container.
-	Devices []*Device `json:"devices"`
+	Devices []*DeviceRule `json:"devices"`
 
 	// Memory limit (in bytes)
 	Memory int64 `json:"memory"`
diff --git a/libcontainer/configs/device.go b/libcontainer/configs/device.go
@@ -1,8 +1,12 @@
 package configs
 
 import (
+	"errors"
 	"fmt"
 	"os"
+	"strconv"
+
+	"golang.org/x/sys/unix"
 )
 
 const (
@@ -12,21 +16,11 @@ const (
 // TODO Windows: This can be factored out in the future
 
 type Device struct {
-	// Device type, block, char, etc.
-	Type rune `json:"type"`
+	DeviceRule
 
 	// Path to the device.
 	Path string `json:"path"`
 
-	// Major is the device's major number.
-	Major int64 `json:"major"`
-
-	// Minor is the device's minor number.
-	Minor int64 `json:"minor"`
-
-	// Cgroup permissions format, rwm.
-	Permissions string `json:"permissions"`
-
 	// FileMode permission bits for the device.
 	FileMode os.FileMode `json:"file_mode"`
 
@@ -35,23 +29,154 @@ type Device struct {
 
 	// Gid of the device.
 	Gid uint32 `json:"gid"`
+}
 
-	// Write the file to the allowed list
-	Allow bool `json:"allow"`
+// DevicePermissions is a cgroupv1-style string to represent device access. It
+// has to be a string for backward compatibility reasons, hence why it has
+// methods to do set operations.
+type DevicePermissions string
+
+const (
+	deviceRead uint = (1 << iota)
+	deviceWrite
+	deviceMknod
+)
+
+func (p DevicePermissions) toSet() uint {
+	var set uint
+	for _, perm := range p {
+		switch perm {
+		case 'r':
+			set |= deviceRead
+		case 'w':
+			set |= deviceWrite
+		case 'm':
+			set |= deviceMknod
+		}
+	}
+	return set
+}
+
+func fromSet(set uint) DevicePermissions {
+	var perm string
+	if set&deviceRead == deviceRead {
+		perm += "r"
+	}
+	if set&deviceWrite == deviceWrite {
+		perm += "w"
+	}
+	if set&deviceMknod == deviceMknod {
+		perm += "m"
+	}
+	return DevicePermissions(perm)
+}
+
+// Union returns the union of the two sets of DevicePermissions.
+func (p DevicePermissions) Union(o DevicePermissions) DevicePermissions {
+	lhs := p.toSet()
+	rhs := o.toSet()
+	return fromSet(lhs | rhs)
+}
+
+// Difference returns the set difference of the two sets of DevicePermissions.
+// In set notation, A.Difference(B) gives you A\B.
+func (p DevicePermissions) Difference(o DevicePermissions) DevicePermissions {
+	lhs := p.toSet()
+	rhs := o.toSet()
+	return fromSet(lhs &^ rhs)
+}
+
+// Intersection computes the intersection of the two sets of DevicePermissions.
+func (p DevicePermissions) Intersection(o DevicePermissions) DevicePermissions {
+	lhs := p.toSet()
+	rhs := o.toSet()
+	return fromSet(lhs & rhs)
+}
+
+// IsEmpty returns whether the set of permissions in a DevicePermissions is
+// empty.
+func (p DevicePermissions) IsEmpty() bool {
+	return p == DevicePermissions("")
+}
+
+// IsValid returns whether the set of permissions is a subset of valid
+// permissions (namely, {r,w,m}).
+func (p DevicePermissions) IsValid() bool {
+	return p == fromSet(p.toSet())
+}
+
+type DeviceType rune
+
+const (
+	WildcardDevice DeviceType = 'a'
+	BlockDevice    DeviceType = 'b'
+	CharDevice     DeviceType = 'c' // or 'u'
+	FifoDevice     DeviceType = 'p'
+)
+
+func (t DeviceType) IsValid() bool {
+	switch t {
+	case WildcardDevice, BlockDevice, CharDevice, FifoDevice:
+		return true
+	default:
+		return false
+	}
 }
 
-func (d *Device) CgroupString() string {
-	return fmt.Sprintf("%c %s:%s %s", d.Type, deviceNumberString(d.Major), deviceNumberString(d.Minor), d.Permissions)
+func (t DeviceType) CanMknod() bool {
+	switch t {
+	case BlockDevice, CharDevice, FifoDevice:
+		return true
+	default:
+		return false
+	}
+}
+
+func (t DeviceType) CanCgroup() bool {
+	switch t {
+	case WildcardDevice, BlockDevice, CharDevice:
+		return true
+	default:
+		return false
+	}
 }
 
-func (d *Device) Mkdev() int {
-	return int((d.Major << 8) | (d.Minor & 0xff) | ((d.Minor & 0xfff00) << 12))
+type DeviceRule struct {
+	// Type of device ('c' for char, 'b' for block). If set to 'a', this rule
+	// acts as a wildcard and all fields other than Allow are ignored.
+	Type DeviceType `json:"type"`
+
+	// Major is the device's major number.
+	Major int64 `json:"major"`
+
+	// Minor is the device's minor number.
+	Minor int64 `json:"minor"`
+
+	// Permissions is the set of permissions that this rule applies to (in the
+	// cgroupv1 format -- any combination of "rwm").
+	Permissions DevicePermissions `json:"permissions"`
+
+	// Allow specifies whether this rule is allowed.
+	Allow bool `json:"allow"`
+}
+
+func (d *DeviceRule) CgroupString() string {
+	var (
+		major = strconv.FormatInt(d.Major, 10)
+		minor = strconv.FormatInt(d.Minor, 10)
+	)
+	if d.Major == Wildcard {
+		major = "*"
+	}
+	if d.Minor == Wildcard {
+		minor = "*"
+	}
+	return fmt.Sprintf("%c %s:%s %s", d.Type, major, minor, d.Permissions)
 }
 
-// deviceNumberString converts the device number to a string return result.
-func deviceNumberString(number int64) string {
-	if number == Wildcard {
-		return "*"
+func (d *DeviceRule) Mkdev() (uint64, error) {
+	if d.Major == Wildcard || d.Minor == Wildcard {
+		return 0, errors.New("cannot mkdev() device with wildcards")
 	}
-	return fmt.Sprint(number)
+	return unix.Mkdev(uint32(d.Major), uint32(d.Minor)), nil
 }
diff --git a/libcontainer/devices/devices.go b/libcontainer/devices/devices.go
@@ -31,33 +31,33 @@ func DeviceFromPath(path, permissions string) (*configs.Device, error) {
 	}
 
 	var (
+		devType   configs.DeviceType
+		mode      = stat.Mode
 		devNumber = uint64(stat.Rdev)
 		major     = unix.Major(devNumber)
 		minor     = unix.Minor(devNumber)
 	)
-	if major == 0 {
-		return nil, ErrNotADevice
-	}
-
-	var (
-		devType rune
-		mode    = stat.Mode
-	)
 	switch {
 	case mode&unix.S_IFBLK == unix.S_IFBLK:
-		devType = 'b'
+		devType = configs.BlockDevice
 	case mode&unix.S_IFCHR == unix.S_IFCHR:
-		devType = 'c'
+		devType = configs.CharDevice
+	case mode&unix.S_IFIFO == unix.S_IFIFO:
+		devType = configs.FifoDevice
+	default:
+		return nil, ErrNotADevice
 	}
 	return &configs.Device{
-		Type:        devType,
-		Path:        path,
-		Major:       int64(major),
-		Minor:       int64(minor),
-		Permissions: permissions,
-		FileMode:    os.FileMode(mode),
-		Uid:         stat.Uid,
-		Gid:         stat.Gid,
+		DeviceRule: configs.DeviceRule{
+			Type:        devType,
+			Major:       int64(major),
+			Minor:       int64(minor),
+			Permissions: configs.DevicePermissions(permissions),
+		},
+		Path:     path,
+		FileMode: os.FileMode(mode),
+		Uid:      stat.Uid,
+		Gid:      stat.Gid,
 	}, nil
 }
 
diff --git a/libcontainer/integration/template_test.go b/libcontainer/integration/template_test.go
@@ -21,6 +21,10 @@ const defaultMountFlags = unix.MS_NOEXEC | unix.MS_NOSUID | unix.MS_NODEV
 // it uses a network strategy of just setting a loopback interface
 // and the default setup for devices
 func newTemplateConfig(rootfs string) *configs.Config {
+	var allowedDevices []*configs.DeviceRule
+	for _, device := range specconv.AllowedDevices {
+		allowedDevices = append(allowedDevices, &device.DeviceRule)
+	}
 	return &configs.Config{
 		Rootfs: rootfs,
 		Capabilities: &configs.Capabilities{
@@ -116,7 +120,7 @@ func newTemplateConfig(rootfs string) *configs.Config {
 			Path: "integration/test",
 			Resources: &configs.Resources{
 				MemorySwappiness: nil,
-				Devices:          specconv.AllowedDevices,
+				Devices:          allowedDevices,
 			},
 		},
 		MaskPaths: []string{
diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go
diff --git a/libcontainer/specconv/spec_linux.go b/libcontainer/specconv/spec_linux.go

Original file line number	Diff line number	Diff line change
`@@ -22,7 +22,7 @@ const (`
`22`	`22`	`)`
`23`	`23`
`24`	`24`	`// DeviceFilter returns eBPF device filter program and its license string`
`25`		`-func DeviceFilter(devices []*configs.Device) (asm.Instructions, string, error) {`
	`25`	`+func DeviceFilter(devices []*configs.DeviceRule) (asm.Instructions, string, error) {`
`26`	`26`	`p := &program{}`
`27`	`27`	`p.init()`
`28`	`28`	`for i := len(devices) - 1; i >= 0; i-- {`
`@@ -68,7 +68,7 @@ func (p *program) init() {`
`68`	`68`	`}`
`69`	`69`
`70`	`70`	`// appendDevice needs to be called from the last element of OCI linux.resources.devices to the head element.`
`71`		`-func (p program) appendDevice(dev configs.Device) error {`
	`71`	`+func (p program) appendDevice(dev configs.DeviceRule) error {`
`72`	`72`	`if p.blockID < 0 {`
`73`	`73`	`return errors.New("the program is finalized")`
`74`	`74`	`}`
Original file line number	Diff line number	Diff line change
`@@ -20,7 +20,7 @@ func hash(s, comm string) string {`
`20`	`20`	`return strings.Join(res, "\n")`
`21`	`21`	`}`
`22`	`22`
`23`		`-func testDeviceFilter(t testing.TB, devices []*configs.Device, expectedStr string) {`
	`23`	`+func testDeviceFilter(t testing.TB, devices []*configs.DeviceRule, expectedStr string) {`
`24`	`24`	`insts, _, err := DeviceFilter(devices)`
`25`	`25`	`if err != nil {`
`26`	`26`	`t.Fatalf("%s: %v (devices: %+v)", t.Name(), err, devices)`
`@@ -137,11 +137,15 @@ block-11:`
`137`	`137`	`62: Mov32Imm dst: r0 imm: 0`
`138`	`138`	`63: Exit`
`139`	`139`	`
`140`		`- testDeviceFilter(t, specconv.AllowedDevices, expected)`
	`140`	`+ var devices []*configs.DeviceRule`
	`141`	`+ for _, device := range specconv.AllowedDevices {`
	`142`	`+ devices = append(devices, &device.DeviceRule)`
	`143`	`+ }`
	`144`	`+ testDeviceFilter(t, devices, expected)`
`141`	`145`	`}`
`142`	`146`
`143`	`147`	`func TestDeviceFilter_Privileged(t *testing.T) {`
`144`		`- devices := []*configs.Device{`
	`148`	`+ devices := []*configs.DeviceRule{`
`145`	`149`	`{`
`146`	`150`	`Type: 'a',`
`147`	`151`	`Major: -1,`
`@@ -168,7 +172,7 @@ block-0:`
`168`	`172`	`}`
`169`	`173`
`170`	`174`	`func TestDeviceFilter_PrivilegedExceptSingleDevice(t *testing.T) {`
`171`		`- devices := []*configs.Device{`
	`175`	`+ devices := []*configs.DeviceRule{`
`172`	`176`	`{`
`173`	`177`	`Type: 'a',`
`174`	`178`	`Major: -1,`
`@@ -208,7 +212,7 @@ block-1:`
`208`	`212`	`}`
`209`	`213`
`210`	`214`	`func TestDeviceFilter_Weird(t *testing.T) {`
`211`		`- devices := []*configs.Device{`
	`215`	`+ devices := []*configs.DeviceRule{`
`212`	`216`	`{`
`213`	`217`	`Type: 'b',`
`214`	`218`	`Major: 8,`