Docker from 1.7.0 tries to add "a" to devices.allow for a newly created privileged container's device cgroup, and thus to allow all devices in the docker container. Docker fails to do so because not all devices are allowed in the parent VZCT cgroup.
To support docker we must allow writing "a" to devices.allow in CT. With this patch if we get "a", we will silently exit without EPERM. https://jira.sw.ru/browse/PSBM-38691 v2: fix bug link, fix comment stile Signed-off-by: Pavel Tikhomirov <ptikhomi...@virtuozzo.com> --- security/device_cgroup.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/security/device_cgroup.c b/security/device_cgroup.c index 531e40c..9f932d7 100644 --- a/security/device_cgroup.c +++ b/security/device_cgroup.c @@ -689,7 +689,14 @@ static int devcgroup_update_access(struct dev_cgroup *devcgroup, if (has_children(devcgroup)) return -EINVAL; - if (!may_allow_all(parent)) + if (!may_allow_all(parent)) { + if (ve_is_super(get_exec_env())) + return -EPERM; + else + /* Fooling docker in CT - silently exit */ + return 0; + } + return -EPERM; dev_exception_clean(devcgroup); devcgroup->behavior = DEVCG_DEFAULT_ALLOW; -- 1.9.3 _______________________________________________ Devel mailing list Devel@openvz.org https://lists.openvz.org/mailman/listinfo/devel
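Review bot: the unchanged `return -EPERM;` that sits right after the new closing `}` is now unconditional (the diffstat's single deletion is the old `if (!may_allow_all(parent))` line, so the return that used to be its body was kept as context), which makes `dev_exception_clean(devcgroup);` and `devcgroup->behavior = DEVCG_DEFAULT_ALLOW;` unreachable and rejects a write of "a" even where `may_allow_all(parent)` holds, including on the host. Delete that line so the function falls through to the allow-all path. Two smaller points: the `else` is redundant after `return -EPERM;`, and since the CT path returns 0 without touching the exception list, the comment should state that the write is deliberately a no-op (devices.list is left as it was), so a reader does not assume the container really got allow-all.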
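With this change a write of "a" from inside a CT reports success but alters nothing, so the only way to learn whether allow-all took effect is to re-read devices.list. The probe below is an added example, not code from the patch or the OpenVZ tree; it assumes the cgroup v1 layout (devices.allow and devices.list in the directory passed to it; the /sys/fs/cgroup/devices path is an assumption) and classifies the outcome of the write as ALLOWED, REJECTED, SILENT or CHANGED.

```shell
#!/bin/sh
# Added example, not part of the patch: probe how a devices cgroup handles
# writing "a" to devices.allow.  Assumes the cgroup v1 layout, i.e. the given
# directory holds devices.allow and devices.list (e.g. /sys/fs/cgroup/devices
# inside the container; that path is an assumption).
#
# Result, printed on stdout:
#   ALLOWED  - devices.list reads "a *:* rwm" after the write (allow-all in effect)
#   REJECTED - the write failed (stock kernel: EPERM when the parent is restricted)
#   SILENT   - the write succeeded but devices.list did not change (what this
#              patch does for writes from inside a CT)
#   CHANGED  - the write succeeded and devices.list changed to something else
# Returns 2 if devices.list cannot be read.
probe_allow_all() {
    dir=$1
    before=$(cat "$dir/devices.list" 2>/dev/null) || return 2
    if ! { printf 'a\n' > "$dir/devices.allow"; } 2>/dev/null; then
        echo REJECTED
        return 0
    fi
    after=$(cat "$dir/devices.list" 2>/dev/null) || return 2
    if [ "$after" = "a *:* rwm" ]; then
        echo ALLOWED
    elif [ "$after" = "$before" ]; then
        echo SILENT
    else
        echo CHANGED
    fi
}

# Usage: ./probe.sh /sys/fs/cgroup/devices
if [ $# -gt 0 ]; then
    probe_allow_all "$1"
fi
```

Run it from inside the container before and after deploying the kernel: a stock kernel prints REJECTED, a kernel with this patch prints SILENT, and only ALLOWED means docker's allow-all actually applies.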