Move cgroup device controller to a module
Showing
5 changed files
with
132 additions
and
47 deletions.
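--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,99 @@
+use anyhow::{ensure, Result};
+use std::path::PathBuf;
+
+// The numerical representation below needs to match BPF_DEVCG constants.
+#[allow(unused)]
+#[repr(u32)]
+pub enum DeviceType {
+Block = 1,
+Character = 2,
+}
+
+bitflags::bitflags! {
+pub struct Access: u32 {
+const MKNOD = 1;
+const READ = 2;
+const WRITE = 4;
+}
+}
+
+pub trait DeviceAccessController {
+/// Set the permission for a specific device.
+fn set_permission(
+&mut self,
+ty: DeviceType,
+major: u32,
+minor: u32,
+access: Access,
+) -> Result<()>;
+}
+
+pub struct DeviceAccessControllerV1 {
+cgroup: PathBuf,
+}
+
+impl DeviceAccessControllerV1 {
+pub fn new(id: &str) -> Result<Self> {
+let cgroup: PathBuf = format!("/sys/fs/cgroup/devices/docker/{id}").into();
+
+ensure!(
+cgroup.is_dir(),
+"cgroup {} does not exist",
+cgroup.display()
+);
+
+Ok(Self { cgroup })
+}
+}
+
+impl DeviceAccessController for DeviceAccessControllerV1 {
+fn set_permission(
+&mut self,
+ty: DeviceType,
+major: u32,
+minor: u32,
+access: Access,
+) -> Result<()> {
+let mut denied = String::with_capacity(3);
+let mut allowed = String::with_capacity(3);
+
+let ty = match ty {
+DeviceType::Character => 'c',
+DeviceType::Block => 'b',
+};
+
+if access.contains(Access::READ) {
+allowed.push('r');
+} else {
+denied.push('r');
+}
+
+if access.contains(Access::WRITE) {
+allowed.push('w');
+} else {
+denied.push('w');
+}
+
+if access.contains(Access::MKNOD) {
+allowed.push('m');
+} else {
+denied.push('m');
+}
+
+if !denied.is_empty() {
+std::fs::write(
+self.cgroup.join("devices.deny"),
+format!("{ty} {major}:{minor} {denied}"),
+)?;
+}
+
+if !allowed.is_empty() {
+std::fs::write(
+self.cgroup.join("devices.allow"),
+format!("{ty} {major}:{minor} {allowed}"),
+)?;
+}
+
+Ok(())
+}
+}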
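Review bot: `DeviceAccessControllerV1::new` interpolates `id` straight into `/sys/fs/cgroup/devices/docker/{id}` with no check that it is a single path component, so an `id` containing `/` or `..` (whether such a value can reach this constructor is not visible from this file) would resolve to a different cgroup and `set_permission` would then write that cgroup's `devices.allow`/`devices.deny`; the `is_dir()` check that follows does not rule this out. A guard ahead of the existing `ensure!`, such as `ensure!(std::path::Path::new(id).file_name().is_some_and(|f| f == id), "container id {id:?} is not a single path component");`, rejects those values. The two `std::fs::write(...)?` calls in `set_permission` propagate a bare I/O error with no indication of which file failed; `anyhow::Context` is available to this crate, so `.with_context(|| format!("writing {}", self.cgroup.join("devices.deny").display()))` (and the same for `devices.allow`) would make failures diagnosable. The three near-identical `if access.contains(...)` blocks could be one loop over `[(Access::READ, 'r'), (Access::WRITE, 'w'), (Access::MKNOD, 'm')]` pushing into `allowed` or `denied`, which keeps the same letter order while shortening the method.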
@@ -1,3 +1,4 @@ | ||
mod cgroup; | ||
mod container; | ||
mod docker; | ||
mod iostream; | ||
|