// setDevices fills in the device nodes (s.Linux.Devices) and the device
// cgroup rules (s.Linux.Resources.Devices) of the OCI spec from the
// container's HostConfig.
//
// Privileged containers get a node for every host device reported by
// devices.HostDevices plus a single wildcard cgroup rule (no type, major or
// minor) allowing "rwm" on all devices. That rule replaces whatever rules the
// spec already held, and any --device mappings in HostConfig.Devices are
// ignored in this branch because the host's full device set is already
// exposed.
//
// Unprivileged containers get only the nodes produced by getDevicesFromPath
// for each HostConfig.Devices mapping; the per-mapping cgroup rules are
// appended to the rules the spec already carries.
//
// If devices.HostDevices or getDevicesFromPath fails, neither spec field is
// reassigned and the error is returned as-is.
func setDevices(s *specs.Spec, c *container.Container) error {
	var nodes []specs.Device
	rules := s.Linux.Resources.Devices

	switch {
	case c.HostConfig.Privileged:
		hostDevs, err := devices.HostDevices()
		if err != nil {
			return err
		}
		for _, hd := range hostDevs {
			nodes = append(nodes, specDevice(hd))
		}
		// A rule with no Type/Major/Minor matches every device.
		allAccess := "rwm"
		rules = []specs.DeviceCgroup{
			{
				Allow:  true,
				Access: &allAccess,
			},
		}
	default:
		for _, mapping := range c.HostConfig.Devices {
			mappedNodes, mappedRules, err := getDevicesFromPath(mapping)
			if err != nil {
				return err
			}
			nodes = append(nodes, mappedNodes...)
			rules = append(rules, mappedRules...)
		}
	}

	s.Linux.Devices = append(s.Linux.Devices, nodes...)
	s.Linux.Resources.Devices = rules
	return nil
}
// setDevices appends device nodes to s.Linux.Devices based on the
// container's HostConfig.
//
// Only the node list is touched here: this function sets no device cgroup
// rules (s.Linux.Resources.Devices is left untouched), so any access control
// for these nodes has to come from elsewhere in the spec pipeline.
//
// Privileged containers get a node for every host device returned by
// devices.HostDevices, and HostConfig.Devices is ignored for them. Otherwise
// each HostConfig.Devices mapping is expanded via getDevicesFromPath.
// If any call fails, s is not modified and the error is returned unchanged.
func setDevices(s *specs.Spec, c *container.Container) error {
	var nodes []specs.Device

	if !c.HostConfig.Privileged {
		for _, mapping := range c.HostConfig.Devices {
			expanded, err := getDevicesFromPath(mapping)
			if err != nil {
				return err
			}
			nodes = append(nodes, expanded...)
		}
		s.Linux.Devices = append(s.Linux.Devices, nodes...)
		return nil
	}

	hostDevs, err := devices.HostDevices()
	if err != nil {
		return err
	}
	for _, hd := range hostDevs {
		nodes = append(nodes, specDevice(hd))
	}
	s.Linux.Devices = append(s.Linux.Devices, nodes...)
	return nil
}
// setPrivileged relaxes the container configuration for privileged mode:
// the full capability set from execdriver.GetAllCapabilities, no device
// cgroup whitelist (Cgroups.AllowAllDevices), every host device node from
// devices.HostDevices, and the "unconfined" AppArmor profile when AppArmor
// is enabled on the host. Together these remove the isolation that the
// capability bounding set, the device whitelist and AppArmor would otherwise
// provide, so the caller must only reach this path for explicitly
// privileged containers.
//
// Capabilities and AllowAllDevices are applied before device enumeration;
// if devices.HostDevices fails they remain set on the config while Devices
// and AppArmorProfile are not, and the error is returned unchanged.
func (d *Driver) setPrivileged(container *configs.Config) (err error) {
	container.Capabilities = execdriver.GetAllCapabilities()
	container.Cgroups.AllowAllDevices = true

	hostDevs, err := devices.HostDevices()
	if err != nil {
		return err
	}
	container.Devices = hostDevs

	const unconfinedProfile = "unconfined"
	if apparmor.IsEnabled() {
		container.AppArmorProfile = unconfinedProfile
	}
	return nil
}
// parseDevices populates config.Linux.Devices and the device cgroup rules in
// config.Linux.Resources.Devices from hc.
//
// Privileged: every host device returned by devices.HostDevices is appended
// as a node and gets its own allow rule scoped to that device's type, major
// and minor, carrying the permissions the host enumeration recorded.
// hc.Devices is ignored in this branch. The rules are computed from the host
// device list at this moment, so a device node that does not exist yet gets
// no rule from this function; whether anything else grants a wildcard later
// is not visible here.
//
// Unprivileged: each hc.Devices mapping is expanded with getDevicesFromPath,
// except that a mapping whose PathInContainer is "/dev/tty" is silently
// dropped when config.Process.Terminal is false. The collected nodes and
// rules are then handed to mergeDevices together with
// configs.DefaultSimpleDevices, which produces the final lists. If an
// expansion fails, config is not modified and the error is returned as-is.
func parseDevices(config *specs.Spec, hc *containertypes.HostConfig) error {
	if hc.Privileged {
		hostDevs, err := devices.HostDevices()
		if err != nil {
			return fmt.Errorf("getting host devices for privileged mode failed: %v", err)
		}
		for _, hd := range hostDevs {
			devType := string(hd.Type)
			node := specs.Device{
				Type:     devType,
				Path:     hd.Path,
				Major:    hd.Major,
				Minor:    hd.Minor,
				FileMode: &hd.FileMode,
				UID:      &hd.Uid,
				GID:      &hd.Gid,
			}
			// One allow rule per node, restricted to exactly this device.
			rule := specs.DeviceCgroup{
				Allow:  true,
				Type:   &devType,
				Major:  &hd.Major,
				Minor:  &hd.Minor,
				Access: &hd.Permissions,
			}
			config.Linux.Devices = append(config.Linux.Devices, node)
			config.Linux.Resources.Devices = append(config.Linux.Resources.Devices, rule)
		}
		return nil
	}

	var (
		nodes []specs.Device
		rules []specs.DeviceCgroup
	)
	hasTTY := config.Process.Terminal
	for _, mapping := range hc.Devices {
		// A /dev/tty mapping is only honoured when a terminal is allocated.
		if !hasTTY && mapping.PathInContainer == "/dev/tty" {
			continue
		}
		mappedNodes, mappedRules, err := getDevicesFromPath(mapping)
		if err != nil {
			return err
		}
		nodes = append(nodes, mappedNodes...)
		rules = append(rules, mappedRules...)
	}

	config.Linux.Devices, config.Linux.Resources.Devices = mergeDevices(configs.DefaultSimpleDevices, nodes, rules, hasTTY)
	return nil
}
// parseDevices populates config.Linux.Devices from hc.
//
// In this spec version the per-device Permissions string travels on the
// Device entry itself; there is no separate cgroup rule list to fill in.
//
// Privileged: every host device returned by devices.HostDevices is appended
// as a node with its recorded type, path, major/minor, permissions, file
// mode and ownership. hc.Devices is ignored in this branch.
//
// Unprivileged: each hc.Devices mapping is expanded with getDevicesFromPath
// and the result is merged with configs.DefaultSimpleDevices by
// mergeDevices, which decides the final node list. If an expansion fails,
// config is not modified and the error is returned as-is.
func parseDevices(config *specs.LinuxRuntimeSpec, hc *containertypes.HostConfig) error {
	if !hc.Privileged {
		var nodes []specs.Device
		for _, mapping := range hc.Devices {
			expanded, err := getDevicesFromPath(mapping)
			if err != nil {
				return err
			}
			nodes = append(nodes, expanded...)
		}
		config.Linux.Devices = mergeDevices(configs.DefaultSimpleDevices, nodes)
		return nil
	}

	hostDevs, err := devices.HostDevices()
	if err != nil {
		return fmt.Errorf("getting host devices for privileged mode failed: %v", err)
	}
	for _, hd := range hostDevs {
		config.Linux.Devices = append(config.Linux.Devices, specs.Device{
			Type:        hd.Type,
			Path:        hd.Path,
			Major:       hd.Major,
			Minor:       hd.Minor,
			Permissions: hd.Permissions,
			FileMode:    hd.FileMode,
			UID:         hd.Uid,
			GID:         hd.Gid,
		})
	}
	return nil
}