On Wed, Oct 07, 2015 at 11:51:06AM +0300, Pavel Tikhomirov wrote:
> Docker from 1.7.0 tries to add "a" to devices.allow for newly created
> privileged container device_cgroup, and thus to allow all devices in
> docker container. Docker fails to do so because not all devices are
> allowed in parent VZCT cgroup.
>
> To support docker we must allow writing "a" to devices.allow in CT.
> With this patch if we get "a", we will silently exit without EPERM.
>
> https://jira.sw.ru/browse/PSBM-38691
It is worth mentioning that this patch is a port of PCS6 commit
diff-device_cgroup-fake-allowing-all-devices-for-docker-inside-VZCT

>
> v2: fix bug link, fix comment style
> Signed-off-by: Pavel Tikhomirov <ptikhomi...@virtuozzo.com>
> ---
>  security/device_cgroup.c | 9 ++++++++-
>  1 file changed, 8 insertions(+), 1 deletion(-)
>
> diff --git a/security/device_cgroup.c b/security/device_cgroup.c
> index 531e40c..9f932d7 100644
> --- a/security/device_cgroup.c
> +++ b/security/device_cgroup.c
> @@ -689,7 +689,14 @@ static int devcgroup_update_access(struct dev_cgroup *devcgroup,
>  		if (has_children(devcgroup))
>  			return -EINVAL;
>
> -		if (!may_allow_all(parent))
> +		if (!may_allow_all(parent)) {
> +			if (ve_is_super(get_exec_env()))
> +				return -EPERM;
> +			else
> +				/* Fooling docker in CT - silently exit */
> +				return 0;
> +		}
> +
>  			return -EPERM;

You seem to have forgotten to remove this line.

>  		dev_exception_clean(devcgroup);
>  		devcgroup->behavior = DEVCG_DEFAULT_ALLOW;

_______________________________________________
Devel mailing list
Devel@openvz.org
https://lists.openvz.org/mailman/listinfo/devel
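Review bot: the unchanged `return -EPERM;` that follows the new closing brace is now executed unconditionally, so the "a" (allow-all) request fails with EPERM even when may_allow_all(parent) is true, and the `dev_exception_clean(devcgroup);` / `devcgroup->behavior = DEVCG_DEFAULT_ALLOW;` lines below it can never be reached; that line has to be deleted in the same hunk for the patch to preserve the existing allow-all path. Two smaller points on the same hunk: the `else` after `return -EPERM;` is redundant and can be dropped, and the `return 0;` branch deserves a fuller comment stating that the write is reported as successful while the cgroup's behavior and exception list are left untouched, so a reader of devices.list inside the container will still see the parent's restrictions; spelling out that intentional mismatch in the code (and in the commit message) keeps the next maintainer from filing it as a bug.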