// setDevices populates the OCI spec's device nodes and device-cgroup rules
// from the container's HostConfig.
//
// Privileged containers: every host device returned by devices.HostDevices
// is added to s.Linux.Devices (converted with specDevice), and
// s.Linux.Resources.Devices is replaced by a single rule allowing "rwm" on all
// devices; any rules previously present in the spec are discarded.
//
// Non-privileged containers: each entry of c.HostConfig.Devices is resolved
// with getDevicesFromPath; the resulting nodes and cgroup rules are appended
// to the lists already in the spec.
//
// Results are accumulated locally and stored only after every lookup
// succeeded, so the spec is left unmodified when an error is returned. Errors
// from the helpers are returned unchanged.
func setDevices(s *specs.Spec, c *container.Container) error {
	var nodes []specs.Device
	rules := s.Linux.Resources.Devices

	switch {
	case c.HostConfig.Privileged:
		hostDevices, err := devices.HostDevices()
		if err != nil {
			return err
		}
		for _, hd := range hostDevices {
			nodes = append(nodes, specDevice(hd))
		}
		// One catch-all rule: read, write and mknod on every device.
		allAccess := "rwm"
		rules = []specs.DeviceCgroup{{Allow: true, Access: &allAccess}}
	default:
		for _, mapping := range c.HostConfig.Devices {
			mappedNodes, mappedRules, err := getDevicesFromPath(mapping)
			if err != nil {
				return err
			}
			nodes = append(nodes, mappedNodes...)
			rules = append(rules, mappedRules...)
		}
	}

	s.Linux.Devices = append(s.Linux.Devices, nodes...)
	s.Linux.Resources.Devices = rules
	return nil
}
// setDevices adds device nodes to the OCI spec from the container's
// HostConfig. This variant manages only s.Linux.Devices; it does not touch
// the device-cgroup rules.
//
// When c.HostConfig.Privileged is set, every device returned by
// devices.HostDevices is added (converted with specDevice) and
// c.HostConfig.Devices is ignored. Otherwise only the explicit mappings in
// c.HostConfig.Devices are resolved via getDevicesFromPath and added.
//
// s.Linux.Devices is modified only once all lookups succeeded; an error from
// either helper is returned as is and leaves the spec untouched.
func setDevices(s *specs.Spec, c *container.Container) error {
	collect := func() ([]specs.Device, error) {
		if c.HostConfig.Privileged {
			hostDevices, err := devices.HostDevices()
			if err != nil {
				return nil, err
			}
			var nodes []specs.Device
			for _, hd := range hostDevices {
				nodes = append(nodes, specDevice(hd))
			}
			return nodes, nil
		}
		var nodes []specs.Device
		for _, mapping := range c.HostConfig.Devices {
			mapped, err := getDevicesFromPath(mapping)
			if err != nil {
				return nil, err
			}
			nodes = append(nodes, mapped...)
		}
		return nodes, nil
	}

	nodes, err := collect()
	if err != nil {
		return err
	}
	s.Linux.Devices = append(s.Linux.Devices, nodes...)
	return nil
}
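// setPrivileged widens a container config to privileged mode: it grants the
// full capability set from execdriver.GetAllCapabilities, lifts the device
// cgroup restriction (Cgroups.AllowAllDevices), exposes every host device
// returned by devices.HostDevices, and, when AppArmor is enabled on the host,
// selects the "unconfined" profile.
//
// The host device list is fetched before any field is written, so a failure
// of devices.HostDevices (returned as is) leaves the config exactly as it
// was; the original ordering had already granted all capabilities and
// AllowAllDevices by the time the error surfaced.
func (d *Driver) setPrivileged(container *configs.Config) error {
	// Do the only fallible step first so an error does not leave a
	// half-privileged config behind.
	hostDevices, err := devices.HostDevices()
	if err != nil {
		return err
	}

	container.Capabilities = execdriver.GetAllCapabilities()
	container.Cgroups.AllowAllDevices = true
	container.Devices = hostDevices

	if apparmor.IsEnabled() {
		container.AppArmorProfile = "unconfined"
	}
	return nil
}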
// parseDevices fills config.Linux.Devices and config.Linux.Resources.Devices
// according to hc.
//
// Privileged: every device returned by devices.HostDevices is appended both as
// a device node and as an "Allow: true" cgroup rule carrying that device's
// own type, major/minor and permission string. hc.Devices and
// configs.DefaultSimpleDevices are not consulted in this mode. An enumeration
// failure is reported as "getting host devices for privileged mode failed".
//
// Non-privileged: each hc.Devices mapping is resolved with getDevicesFromPath,
// except that a mapping whose PathInContainer is /dev/tty is skipped when
// config.Process.Terminal is false. The collected nodes and rules are then
// merged with configs.DefaultSimpleDevices by mergeDevices, which also
// receives config.Process.Terminal; its two results replace the spec's device
// list and cgroup rules. Errors from getDevicesFromPath are returned as is.
func parseDevices(config *specs.Spec, hc *containertypes.HostConfig) error {
	if hc.Privileged {
		hostDevices, err := devices.HostDevices()
		if err != nil {
			return fmt.Errorf("getting host devices for privileged mode failed: %v", err)
		}
		nodes := config.Linux.Devices
		rules := config.Linux.Resources.Devices
		for _, hd := range hostDevices {
			devType := string(hd.Type)
			nodes = append(nodes, specs.Device{
				Type:     devType,
				Path:     hd.Path,
				Major:    hd.Major,
				Minor:    hd.Minor,
				FileMode: &hd.FileMode,
				UID:      &hd.Uid,
				GID:      &hd.Gid,
			})
			rules = append(rules, specs.DeviceCgroup{
				Allow:  true,
				Type:   &devType,
				Major:  &hd.Major,
				Minor:  &hd.Minor,
				Access: &hd.Permissions,
			})
		}
		config.Linux.Devices = nodes
		config.Linux.Resources.Devices = rules
		return nil
	}

	var (
		requestedNodes []specs.Device
		requestedRules []specs.DeviceCgroup
	)
	for _, mapping := range hc.Devices {
		// /dev/tty mappings are dropped for containers without a terminal.
		if !config.Process.Terminal && mapping.PathInContainer == "/dev/tty" {
			continue
		}
		mappedNodes, mappedRules, err := getDevicesFromPath(mapping)
		if err != nil {
			return err
		}
		requestedNodes = append(requestedNodes, mappedNodes...)
		requestedRules = append(requestedRules, mappedRules...)
	}
	config.Linux.Devices, config.Linux.Resources.Devices = mergeDevices(configs.DefaultSimpleDevices, requestedNodes, requestedRules, config.Process.Terminal)
	return nil
}
// parseDevices fills config.Linux.Devices according to hc. This is the older
// runtime-spec layout: device fields are plain values and there is no
// separate device-cgroup rule list to maintain.
//
// Privileged: every device returned by devices.HostDevices is appended to the
// spec's existing device list with its type, path, major/minor, permissions,
// file mode and uid/gid copied verbatim; hc.Devices and
// configs.DefaultSimpleDevices are ignored. An enumeration failure is
// reported as "getting host devices for privileged mode failed".
//
// Non-privileged: each hc.Devices mapping is resolved with getDevicesFromPath
// (errors returned as is) and the result is merged with
// configs.DefaultSimpleDevices via mergeDevices, whose result replaces
// config.Linux.Devices.
func parseDevices(config *specs.LinuxRuntimeSpec, hc *containertypes.HostConfig) error {
	if !hc.Privileged {
		var requested []specs.Device
		for _, mapping := range hc.Devices {
			mapped, err := getDevicesFromPath(mapping)
			if err != nil {
				return err
			}
			requested = append(requested, mapped...)
		}
		config.Linux.Devices = mergeDevices(configs.DefaultSimpleDevices, requested)
		return nil
	}

	hostDevices, err := devices.HostDevices()
	if err != nil {
		return fmt.Errorf("getting host devices for privileged mode failed: %v", err)
	}
	for _, hd := range hostDevices {
		config.Linux.Devices = append(config.Linux.Devices, specs.Device{
			Type:        hd.Type,
			Path:        hd.Path,
			Major:       hd.Major,
			Minor:       hd.Minor,
			Permissions: hd.Permissions,
			FileMode:    hd.FileMode,
			UID:         hd.Uid,
			GID:         hd.Gid,
		})
	}
	return nil
}