sorry, missed the right list

On 10/16/2015 11:35 AM, Pavel Tikhomirov wrote:
https://jira.sw.ru/browse/PSBM-34529

v2: fix lost EPERM, clarify it is port from rh6

Port RH6 patch:
Author: Pavel Tikhomirov
Email: [email protected]
Subject: device_cgroup: fake allowing all devices for docker inside VZCT
Date: Tue, 25 Aug 2015 10:04:43 +0300

Docker from 1.7.0 tries to add "a" to devices.allow for newly created
privileged container device_cgroup, and thus to allow all devices in
docker container. Docker fails to do so because not all devices are
allowed in parent VZ6CT cgroup.

To support docker we must allow writing "a" to devices.allow in CT.
With this patch if we get "a", we will silently exit without EPERM.

https://jira.sw.ru/browse/PSBM-38691

v2: fix bug link, fix comment style

Signed-off-by: Pavel Tikhomirov <[email protected]>
---
  security/device_cgroup.c | 9 +++++++--
  1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/security/device_cgroup.c b/security/device_cgroup.c
index 531e40c..0a6d9c4 100644
--- a/security/device_cgroup.c
+++ b/security/device_cgroup.c
@@ -689,8 +689,13 @@ static int devcgroup_update_access(struct dev_cgroup 
*devcgroup,
                        if (has_children(devcgroup))
                                return -EINVAL;

-                       if (!may_allow_all(parent))
-                               return -EPERM;
+                       if (!may_allow_all(parent)) {
+                               if (ve_is_super(get_exec_env()))
+                                       return -EPERM;
+                               else
+                                       /* Fooling docker in CT - silently exit 
*/
+                                       return 0;
+                       }
                        dev_exception_clean(devcgroup);
                        devcgroup->behavior = DEVCG_DEFAULT_ALLOW;
                        if (!parent)


--
Best regards, Tikhomirov Pavel
Software Developer, Odin.
_______________________________________________
Devel mailing list
[email protected]
https://lists.openvz.org/mailman/listinfo/devel
