We use cookies to ensure you get the best experience on our website
Startseite Erkunden Hilfe
Registrieren Anmelden
0ct0pu5
/
moby
1
0
Fork 0
Dateien Issues 0 Pull-Requests 0 Wiki
Struktur: debcb76939
Branches Tags
moby
/
oci
/
oci.go

oci.go 2.5 KB
Verlauf Originalformat

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071 
  1. package oci // import "github.com/docker/docker/oci"
    2. 

  2. 

  3. import (
    4. 

  4. 	"fmt"
    5. 

  5. 	"regexp"
    6. 

  6. 	"strconv"
    7. 

  7. 

  8. 	specs "github.com/opencontainers/runtime-spec/specs-go"
    9. 

  9. )
    10. 

  10. 

  11. // TODO verify if this regex is correct for "a" (all);
    12. 

  12. //
    13. 

  13. // The docs (https://github.com/torvalds/linux/blob/v5.10/Documentation/admin-guide/cgroup-v1/devices.rst) describe:
    14. 

  14. // "'all' means it applies to all types and all major and minor numbers", and shows an example
    15. 

  15. // that *only* passes `a` as value: `echo a > /sys/fs/cgroup/1/devices.allow, which would be
    16. 

  16. // the "implicit" equivalent of "a *:* rwm". Source-code also looks to confirm this, and returns
    17. 

  17. // early for "a" (all); https://github.com/torvalds/linux/blob/v5.10/security/device_cgroup.c#L614-L642
    18. 

  18. var deviceCgroupRuleRegex = regexp.MustCompile("^([acb]) ([0-9]+|\\*):([0-9]+|\\*) ([rwm]{1,3})$") //nolint: gosimple
    19. 

  19. 

  20. // SetCapabilities sets the provided capabilities on the spec
    21. 

  21. // All capabilities are added if privileged is true.
    22. 

  22. func SetCapabilities(s *specs.Spec, caplist []string) error {
    23. 

  23. 	if s.Process == nil {
    24. 

  24. 		s.Process = &specs.Process{}
    25. 

  25. 	}
    26. 

  26. 	s.Process.Capabilities = &specs.LinuxCapabilities{
    27. 

  27. 		Effective: caplist,
    28. 

  28. 		Bounding:  caplist,
    29. 

  29. 		Permitted: caplist,
    30. 

  30. 	}
    31. 

  31. 	return nil
    32. 

  32. }
    33. 

  33. 

  34. // AppendDevicePermissionsFromCgroupRules takes rules for the devices cgroup to append to the default set
    35. 

  35. func AppendDevicePermissionsFromCgroupRules(devPermissions []specs.LinuxDeviceCgroup, rules []string) ([]specs.LinuxDeviceCgroup, error) {
    36. 

  36. 	for _, deviceCgroupRule := range rules {
    37. 

  37. 		ss := deviceCgroupRuleRegex.FindAllStringSubmatch(deviceCgroupRule, -1)
    38. 

  38. 		if len(ss) == 0 || len(ss[0]) != 5 {
    39. 

  39. 			return nil, fmt.Errorf("invalid device cgroup rule format: '%s'", deviceCgroupRule)
    40. 

  40. 		}
    41. 

  41. 		matches := ss[0]
    42. 

  42. 

  43. 		dPermissions := specs.LinuxDeviceCgroup{
    44. 

  44. 			Allow:  true,
    45. 

  45. 			Type:   matches[1],
    46. 

  46. 			Access: matches[4],
    47. 

  47. 		}
    48. 

  48. 		if matches[2] == "*" {
    49. 

  49. 			major := int64(-1)
    50. 

  50. 			dPermissions.Major = &major
    51. 

  51. 		} else {
    52. 

  52. 			major, err := strconv.ParseInt(matches[2], 10, 64)
    53. 

  53. 			if err != nil {
    54. 

  54. 				return nil, fmt.Errorf("invalid major value in device cgroup rule format: '%s'", deviceCgroupRule)
    55. 

  55. 			}
    56. 

  56. 			dPermissions.Major = &major
    57. 

  57. 		}
    58. 

  58. 		if matches[3] == "*" {
    59. 

  59. 			minor := int64(-1)
    60. 

  60. 			dPermissions.Minor = &minor
    61. 

  61. 		} else {
    62. 

  62. 			minor, err := strconv.ParseInt(matches[3], 10, 64)
    63. 

  63. 			if err != nil {
    64. 

  64. 				return nil, fmt.Errorf("invalid minor value in device cgroup rule format: '%s'", deviceCgroupRule)
    65. 

  65. 			}
    66. 

  66. 			dPermissions.Minor = &minor
    67. 

  67. 		}
    68. 

  68. 		devPermissions = append(devPermissions, dPermissions)
    69. 

  69. 	}
    70. 

  70. 	return devPermissions, nil
    71. 

  71. }
    72.

Contact | Legal | Takedown | Status
Self-hosted public services - About
NibbleSpot by 0ct0pu5