
Move default devices

Furisto 2021-08-25 23:52:14 +02:00
parent b6691c5192
commit 9cc1512de7
7 changed files with 157 additions and 244 deletions

@ -8,7 +8,7 @@ use std::{
use anyhow::{bail, Context, Result};
use nix::unistd::Pid;
use oci_spec::{FreezerState, LinuxResources};
use oci_spec::{FreezerState, LinuxDevice, LinuxDeviceCgroup, LinuxDeviceType, LinuxResources};
use procfs::process::Process;
#[cfg(feature = "systemd_cgroups")]
use systemd::daemon::booted;
@ -227,3 +227,112 @@ impl PathBufExt for PathBuf {
Ok(PathBuf::from(format!("{}{}", self.display(), p.display())))
}
}
pub(crate) fn default_allow_devices() -> Vec<LinuxDeviceCgroup> {
vec![
LinuxDeviceCgroup {
allow: true,
typ: Some(LinuxDeviceType::C),
major: None,
minor: None,
access: "m".to_string().into(),
},
LinuxDeviceCgroup {
allow: true,
typ: Some(LinuxDeviceType::B),
major: None,
minor: None,
access: "m".to_string().into(),
},
// /dev/console
LinuxDeviceCgroup {
allow: true,
typ: Some(LinuxDeviceType::C),
major: Some(5),
minor: Some(1),
access: "rwm".to_string().into(),
},
// /dev/pts
LinuxDeviceCgroup {
allow: true,
typ: Some(LinuxDeviceType::C),
major: Some(136),
minor: None,
access: "rwm".to_string().into(),
},
LinuxDeviceCgroup {
allow: true,
typ: Some(LinuxDeviceType::C),
major: Some(5),
minor: Some(2),
access: "rwm".to_string().into(),
},
// tun/tap
LinuxDeviceCgroup {
allow: true,
typ: Some(LinuxDeviceType::C),
major: Some(10),
minor: Some(200),
access: "rwm".to_string().into(),
},
]
}
pub(crate) fn default_devices() -> Vec<LinuxDevice> {
vec![
LinuxDevice {
path: PathBuf::from("/dev/null"),
typ: LinuxDeviceType::C,
major: 1,
minor: 3,
file_mode: Some(0o066),
uid: None,
gid: None,
},
LinuxDevice {
path: PathBuf::from("/dev/zero"),
typ: LinuxDeviceType::C,
major: 1,
minor: 5,
file_mode: Some(0o066),
uid: None,
gid: None,
},
LinuxDevice {
path: PathBuf::from("/dev/full"),
typ: LinuxDeviceType::C,
major: 1,
minor: 7,
file_mode: Some(0o066),
uid: None,
gid: None,
},
LinuxDevice {
path: PathBuf::from("/dev/tty"),
typ: LinuxDeviceType::C,
major: 5,
minor: 0,
file_mode: Some(0o066),
uid: None,
gid: None,
},
LinuxDevice {
path: PathBuf::from("/dev/urandom"),
typ: LinuxDeviceType::C,
major: 1,
minor: 9,
file_mode: Some(0o066),
uid: None,
gid: None,
},
LinuxDevice {
path: PathBuf::from("/dev/random"),
typ: LinuxDeviceType::C,
major: 1,
minor: 8,
file_mode: Some(0o066),
uid: None,
gid: None,
},
]
}
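Review bot: `file_mode: Some(0o066)` on every entry of `default_devices` (the `/dev/null` entry at the top and the five that follow) reads as a typo for `0o666`: octal `066` grants read/write to group and others but nothing to the owner, which is not a mode anyone sets on purpose, and runc creates the same default nodes with `0666`; confirm the intended value before the move fixes it in place as the shared definition. Both new `pub(crate)` functions lack doc comments; suggest `/// Device cgroup rules applied in addition to the rules from the spec (mknod on any char/block device, rw on console, pts, ptmx and tun).` on `default_allow_devices` and `/// Device nodes created in every container in addition to those listed in the spec.` on `default_devices`. The `5:2` rule is the only allow entry without a `// /dev/...` label; `// /dev/ptmx` would match its neighbours.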

@ -1,10 +1,10 @@
use std::path::{Path, PathBuf};
use std::path::Path;
use anyhow::Result;
use super::controller::Controller;
use crate::common;
use oci_spec::{LinuxDevice, LinuxDeviceCgroup, LinuxDeviceType, LinuxResources};
use crate::common::{self, default_allow_devices, default_devices};
use oci_spec::{LinuxDeviceCgroup, LinuxResources};
pub struct Devices {}
@ -21,8 +21,8 @@ impl Controller for Devices {
}
for d in [
Self::default_devices().iter().map(|d| d.into()).collect(),
Self::default_allow_devices(),
default_devices().iter().map(|d| d.into()).collect(),
default_allow_devices(),
]
.concat()
{
@ -49,115 +49,6 @@ impl Devices {
common::write_cgroup_file_str(path, &device.to_string())?;
Ok(())
}
fn default_allow_devices() -> Vec<LinuxDeviceCgroup> {
vec![
LinuxDeviceCgroup {
allow: true,
typ: Some(LinuxDeviceType::C),
major: None,
minor: None,
access: "m".to_string().into(),
},
LinuxDeviceCgroup {
allow: true,
typ: Some(LinuxDeviceType::B),
major: None,
minor: None,
access: "m".to_string().into(),
},
// /dev/console
LinuxDeviceCgroup {
allow: true,
typ: Some(LinuxDeviceType::C),
major: Some(5),
minor: Some(1),
access: "rwm".to_string().into(),
},
// /dev/pts
LinuxDeviceCgroup {
allow: true,
typ: Some(LinuxDeviceType::C),
major: Some(136),
minor: None,
access: "rwm".to_string().into(),
},
LinuxDeviceCgroup {
allow: true,
typ: Some(LinuxDeviceType::C),
major: Some(5),
minor: Some(2),
access: "rwm".to_string().into(),
},
// tun/tap
LinuxDeviceCgroup {
allow: true,
typ: Some(LinuxDeviceType::C),
major: Some(10),
minor: Some(200),
access: "rwm".to_string().into(),
},
]
}
pub fn default_devices() -> Vec<LinuxDevice> {
vec![
LinuxDevice {
path: PathBuf::from("/dev/null"),
typ: LinuxDeviceType::C,
major: 1,
minor: 3,
file_mode: Some(0o066),
uid: None,
gid: None,
},
LinuxDevice {
path: PathBuf::from("/dev/zero"),
typ: LinuxDeviceType::C,
major: 1,
minor: 5,
file_mode: Some(0o066),
uid: None,
gid: None,
},
LinuxDevice {
path: PathBuf::from("/dev/full"),
typ: LinuxDeviceType::C,
major: 1,
minor: 7,
file_mode: Some(0o066),
uid: None,
gid: None,
},
LinuxDevice {
path: PathBuf::from("/dev/tty"),
typ: LinuxDeviceType::C,
major: 5,
minor: 0,
file_mode: Some(0o066),
uid: None,
gid: None,
},
LinuxDevice {
path: PathBuf::from("/dev/urandom"),
typ: LinuxDeviceType::C,
major: 1,
minor: 9,
file_mode: Some(0o066),
uid: None,
gid: None,
},
LinuxDevice {
path: PathBuf::from("/dev/random"),
typ: LinuxDeviceType::C,
major: 1,
minor: 8,
file_mode: Some(0o066),
uid: None,
gid: None,
},
]
}
}
#[cfg(test)]
@ -173,7 +64,7 @@ mod tests {
let tmp =
create_temp_dir("test_set_default_devices").expect("create temp directory for test");
Devices::default_allow_devices().iter().for_each(|d| {
default_allow_devices().iter().for_each(|d| {
// NOTE: We reset the fixtures every iteration because files aren't appended
// so what happens in the tests is you get strange overwrites which can contain
// remaining bytes from the last iteration. Resetting the files more appropriately

@ -52,7 +52,5 @@ impl Display for PseudoControllerType {
}
}
pub const PSEUDO_CONTROLLER_TYPES: &[PseudoControllerType] = &[
PseudoControllerType::Devices,
PseudoControllerType::Unified,
];
pub const PSEUDO_CONTROLLER_TYPES: &[PseudoControllerType] =
&[PseudoControllerType::Devices, PseudoControllerType::Unified];

@ -1,13 +1,14 @@
use std::os::unix::io::AsRawFd;
use std::path::{Path, PathBuf};
use std::path::Path;
use anyhow::Result;
use super::*;
use nix::fcntl::OFlag;
use nix::sys::stat::Mode;
use oci_spec::{LinuxDevice, LinuxDeviceCgroup, LinuxDeviceType, LinuxResources};
use oci_spec::{LinuxDeviceCgroup, LinuxResources};
use crate::common::{default_allow_devices, default_devices};
use crate::v2::controller::Controller;
const LICENSE: &'static str = &"Apache";
@ -20,19 +21,22 @@ impl Controller for Devices {
return Ok(());
#[cfg(feature = "cgroupsv2_devices")]
return controller::Devices::apply(linux_resources, cgroup_root);
return Self::apply_devices(cgroup_root, &linux_resources.devices);
}
}
impl Devices {
pub fn apply(linux_resources: &LinuxResources, cgroup_root: &Path) -> Result<()> {
pub fn apply_devices(
cgroup_root: &Path,
linux_devices: &Option<Vec<LinuxDeviceCgroup>>,
) -> Result<()> {
log::debug!("Apply Devices cgroup config");
// FIXME: should we start as "deny all"?
let mut emulator = emulator::Emulator::with_default_allow(false);
// FIXME: apply user-defined and default rules in which order?
if let Some(devices) = linux_resources.devices.as_ref() {
if let Some(devices) = linux_devices {
for d in devices {
log::debug!("apply user defined rule: {:?}", d);
emulator.add_rule(d)?;
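Review bot: The new `apply_devices` signature takes `linux_devices: &Option<Vec<LinuxDeviceCgroup>>`, a borrow of an `Option` that forces callers to hold the owning `Option` when the body only iterates the rules; the idiomatic form is `linux_devices: Option<&[LinuxDeviceCgroup]>`, with the call in `Controller::apply` above becoming `Self::apply_devices(cgroup_root, linux_resources.devices.as_deref())` — the `if let Some(devices) = linux_devices { for d in devices { … } }` body compiles unchanged. `apply_devices` is now a `pub fn` on `Devices` without a doc comment; suggest `/// Programs the device cgroup at `cgroup_root` from the spec's device rules plus the built-in default allow list.` The function body continues past the end of the hunk.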
@ -40,8 +44,8 @@ impl Devices {
}
for d in [
Self::default_devices().iter().map(|d| d.into()).collect(),
Self::default_allow_devices(),
default_devices().iter().map(|d| d.into()).collect(),
default_allow_devices(),
]
.concat()
{
@ -83,115 +87,6 @@ impl Devices {
Ok(())
}
// FIXME: move to common
fn default_allow_devices() -> Vec<LinuxDeviceCgroup> {
vec![
LinuxDeviceCgroup {
allow: true,
typ: Some(LinuxDeviceType::C),
major: None,
minor: None,
access: "m".to_string().into(),
},
LinuxDeviceCgroup {
allow: true,
typ: Some(LinuxDeviceType::B),
major: None,
minor: None,
access: "m".to_string().into(),
},
// /dev/console
LinuxDeviceCgroup {
allow: true,
typ: Some(LinuxDeviceType::C),
major: Some(5),
minor: Some(1),
access: "rwm".to_string().into(),
},
// /dev/pts
LinuxDeviceCgroup {
allow: true,
typ: Some(LinuxDeviceType::C),
major: Some(136),
minor: None,
access: "rwm".to_string().into(),
},
LinuxDeviceCgroup {
allow: true,
typ: Some(LinuxDeviceType::C),
major: Some(5),
minor: Some(2),
access: "rwm".to_string().into(),
},
// tun/tap
LinuxDeviceCgroup {
allow: true,
typ: Some(LinuxDeviceType::C),
major: Some(10),
minor: Some(200),
access: "rwm".to_string().into(),
},
]
}
pub fn default_devices() -> Vec<LinuxDevice> {
vec![
LinuxDevice {
path: PathBuf::from("/dev/null"),
typ: LinuxDeviceType::C,
major: 1,
minor: 3,
file_mode: Some(0o066),
uid: None,
gid: None,
},
LinuxDevice {
path: PathBuf::from("/dev/zero"),
typ: LinuxDeviceType::C,
major: 1,
minor: 5,
file_mode: Some(0o066),
uid: None,
gid: None,
},
LinuxDevice {
path: PathBuf::from("/dev/full"),
typ: LinuxDeviceType::C,
major: 1,
minor: 7,
file_mode: Some(0o066),
uid: None,
gid: None,
},
LinuxDevice {
path: PathBuf::from("/dev/tty"),
typ: LinuxDeviceType::C,
major: 5,
minor: 0,
file_mode: Some(0o066),
uid: None,
gid: None,
},
LinuxDevice {
path: PathBuf::from("/dev/urandom"),
typ: LinuxDeviceType::C,
major: 1,
minor: 9,
file_mode: Some(0o066),
uid: None,
gid: None,
},
LinuxDevice {
path: PathBuf::from("/dev/random"),
typ: LinuxDeviceType::C,
major: 1,
minor: 8,
file_mode: Some(0o066),
uid: None,
gid: None,
},
]
}
}
// FIXME: add tests, but how to?

@ -4,6 +4,3 @@ pub mod emulator;
pub mod program;
pub use controller::Devices;

@ -9,7 +9,21 @@ use anyhow::{bail, Result};
use nix::unistd::Pid;
use oci_spec::{FreezerState, LinuxResources};
use super::{controller::Controller, controller_type::{ControllerType, PseudoControllerType, CONTROLLER_TYPES, PSEUDO_CONTROLLER_TYPES}, cpu::Cpu, cpuset::CpuSet, devices::Devices, freezer::Freezer, hugetlb::HugeTlb, io::Io, memory::Memory, pids::Pids, unified::Unified};
use super::{
controller::Controller,
controller_type::{
ControllerType, PseudoControllerType, CONTROLLER_TYPES, PSEUDO_CONTROLLER_TYPES,
},
cpu::Cpu,
cpuset::CpuSet,
devices::Devices,
freezer::Freezer,
hugetlb::HugeTlb,
io::Io,
memory::Memory,
pids::Pids,
unified::Unified,
};
use crate::{
common::{self, CgroupManager, PathBufExt, CGROUP_PROCS},
stats::{Stats, StatsProvider},
@ -122,9 +136,15 @@ impl CgroupManager for Manager {
for pseudoctlr in PSEUDO_CONTROLLER_TYPES {
match pseudoctlr {
PseudoControllerType::Devices => Devices::apply(linux_resources, &self.full_path)?,
PseudoControllerType::Unified => Unified::apply(linux_resources, &self.cgroup_path, self.get_available_controllers()?)?,
}
PseudoControllerType::Devices => {
Devices::apply(linux_resources, &self.cgroup_path)?
}
PseudoControllerType::Unified => Unified::apply(
linux_resources,
&self.cgroup_path,
self.get_available_controllers()?,
)?,
}
}
Ok(())
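Review bot: The rewritten `PseudoControllerType::Devices` arm passes `&self.cgroup_path` to `Devices::apply` where the removed line passed `&self.full_path`, and neither the commit title ("Move default devices") nor any other hunk explains the switch. If `cgroup_path` is the spec-relative path and `full_path` the root-joined one, as keeping both fields on the manager suggests, the devices controller would now be pointed at a path that does not exist or, worse, at a different cgroup — please confirm the change is deliberate or restore `Devices::apply(linux_resources, &self.full_path)?`. The `Unified` arm already receives `cgroup_path`, so whichever field is correct should be used consistently for both pseudo-controllers. The enclosing `apply` method starts before the hunk.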

@ -8,7 +8,10 @@ use nix::unistd::Pid;
use oci_spec::{FreezerState, LinuxResources};
use std::path::{Path, PathBuf};
use super::{controller::Controller, controller_type::{ControllerType, PseudoControllerType}, cpu::Cpu, cpuset::CpuSet, devices::Devices, freezer::Freezer, hugetlb::HugeTlb, io::Io, memory::Memory, pids::Pids, unified::Unified};
use super::{
controller::Controller, controller_type::ControllerType, cpu::Cpu, cpuset::CpuSet,
devices::Devices, freezer::Freezer, hugetlb::HugeTlb, io::Io, memory::Memory, pids::Pids,
};
use crate::common::{self, CgroupManager, PathBufExt};
use crate::stats::Stats;