cgroups: add support for c/r of the devices cgroup

This one is a little big ugly, see comments for details. At some point we should invent a better way to do these special cases, since we have them for freezer, cpuset, and now devices. Perhaps something like fstype, where you can ask the cgroup how to restore itself. Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com> CC: Cyrill Gorcunov <gorcunov@openvz.org> Acked-by: Cyrill Gorcunov <gorcunov@openvz.org> Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>

cgroups: add support for c/r of the devices cgroup
This one is a little big ugly, see comments for details. At some point we should invent a better way to do these special cases, since we have them for freezer, cpuset, and now devices. Perhaps something like fstype, where you can ask the cgroup how to restore itself. Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com> CC: Cyrill Gorcunov <gorcunov@openvz.org> Acked-by: Cyrill Gorcunov <gorcunov@openvz.org> Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
c38e1843 · Tycho Andersen · Pavel Emelyanov · a827d386 · c38e1843 · c38e1843
Commit c38e1843 authored Jun 06, 2016 by Tycho Andersen Committed by Pavel Emelyanov Jun 28, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 46 additions and 0 deletions

cgroup-props.c criu/cgroup-props.c +6 -0

cgroup.c criu/cgroup.c +40 -0

No files found.
--- a/criu/cgroup-props.c
+++ b/criu/cgroup-props.c
@@ -480,6 +480,12 @@ static int cgp_parse_builtins(void)
 			" - \"properties\": "
 			"[ "
 				"\"pids.current\" "
+			"]\n"
+		"\"devices\":\n"
+			" - \"strategy\": \"replace\"\n"
+			" - \"properties\": "
+			"[ "
+				"\"devices.list\" "
 			"]\n";

 	return cgp_parse_stream((void *)predefined_stream,

--- a/criu/cgroup.c
+++ b/criu/cgroup.c
@@ -1253,6 +1253,46 @@ static int prepare_cgroup_dir_properties(char *path, int off, CgroupDirEntry **e
 				if (special)
 					continue;

+				/* The devices cgroup must be restored in a
+				 * special way: only the contents of
+				 * devices.list can be read, and it is a
+				 * whitelist of all the devices the cgroup is
+				 * allowed to create. To re-creat this
+				 * whitelist, we first deny everything via
+				 * devices.deny, and then write the list back
+				 * into devices.allow.
+				 */
+				if (!strcmp(e->properties[j]->name, "devices.list")) {
+					CgroupPropEntry *pe = e->properties[j];
+					char *old_val = pe->value, *old_name = pe->name;
+					int ret;
+
+					/* A bit of a fudge here. These are
+					 * write only by owner by default, but
+					 * the container engine could have
+					 * changed the perms. We should come up
+					 * with a better way to restore all of
+					 * this stuff.
+					 */
+					pe->perms->mode = 0200;
+
+					pe->name = "devices.deny";
+					pe->value = "a";
+					ret = restore_cgroup_prop(e->properties[j], path, off2);
+					pe->name = old_name;
+					pe->name = old_val;
+
+					if (ret < 0)
+						return -1;
+
+					pe->name = xstrdup("devices.allow");
+					if (!pe->name) {
+						pe->name = old_name;
+						return -1;
+					}
+					xfree(old_name);
+				}
+
 				if (restore_cgroup_prop(e->properties[j], path, off2) < 0)
 					return -1;
 			}