generate: add --device-access-add and --device-access-remove option

Zhai Zhaoxuan · zhouhao · commit 60c7e7719734 · 2017-08-21T17:15:09.000+08:00
These options allow user to configures the device whitelist.

Signed-off-by: Zhai Zhaoxuan &lt;zhaizx.fnst@cn.fujitsu.com&gt;
diff --git a/cmd/oci-runtime-tool/.generate.go.swp b/cmd/oci-runtime-tool/.generate.go.swp
diff --git a/cmd/oci-runtime-tool/generate.go b/cmd/oci-runtime-tool/generate.go
@@ -18,6 +18,18 @@ import (
 
 var generateFlags = []cli.Flag{
 	cli.StringSliceFlag{Name: "args", Usage: "command to run in the container"},
+<<<<<<< 9e0e42dbf918070406a2a4a2e1476e7350ba9129
+=======
+	cli.StringSliceFlag{Name: "bind", Usage: "bind mount directories src:dest[:options...]"},
+	cli.StringSliceFlag{Name: "cap-add", Usage: "add Linux capabilities"},
+	cli.StringSliceFlag{Name: "cap-drop", Usage: "drop Linux capabilities"},
+	cli.StringFlag{Name: "cgroup", Usage: "cgroup namespace"},
+	cli.StringFlag{Name: "cgroups-path", Usage: "specify the path to the cgroups"},
+	cli.StringFlag{Name: "cwd", Value: "/", Usage: "current working directory for the process"},
+	cli.StringSliceFlag{Name: "device-access-add", Usage: "add a device access rule"},
+	cli.StringSliceFlag{Name: "device-access-remove", Usage: "remove a device access rule"},
+	cli.BoolFlag{Name: "disable-oom-kill", Usage: "disable OOM Killer"},
+>>>>>>> generate: add --device-access-add and --device-access-remove option
 	cli.StringSliceFlag{Name: "env", Usage: "add environment variable e.g. key=value"},
 	cli.StringSliceFlag{Name: "env-file", Usage: "read in a file of environment variables"},
 	cli.StringSliceFlag{Name: "hooks-poststart", Usage: "set command to run in poststart hooks"},
@@ -234,8 +246,35 @@ func setupSpec(g *generate.Generator, context *cli.Context) error {
 		g.SetLinuxCgroupsPath(context.String("linux-cgroups-path"))
 	}
 
+<<<<<<< 9e0e42dbf918070406a2a4a2e1476e7350ba9129
 	if context.IsSet("linux-masked-paths") {
 		paths := context.StringSlice("linux-masked-paths")
+=======
+	if context.IsSet("device-access-add") {
+		devices := context.StringSlice("device-access-add")
+		for _, device := range devices {
+			dev, err := parseLinuxResourcesDeviceAccess(device, g)
+			if err != nil {
+				return err
+			}
+			g.AddLinuxResourcesDevice(dev.Allow, dev.Type, dev.Major, dev.Minor, dev.Access)
+		}
+	}
+
+	if context.IsSet("device-access-remove") {
+		devices := context.StringSlice("device-access-remove")
+		for _, device := range devices {
+			dev, err := parseLinuxResourcesDeviceAccess(device, g)
+			if err != nil {
+				return err
+			}
+			g.RemoveLinuxResourcesDevice(dev.Allow, dev.Type, dev.Major, dev.Minor, dev.Access)
+		}
+	}
+
+	if context.IsSet("masked-paths") {
+		paths := context.StringSlice("masked-paths")
+>>>>>>> generate: add --device-access-add and --device-access-remove option
 		for _, path := range paths {
 			g.AddLinuxMaskedPaths(path)
 		}
@@ -811,6 +850,7 @@ func parseRlimit(rlimit string) (string, uint64, uint64, error) {
 	return parts[0], uint64(hard), uint64(soft), nil
 }
 
+<<<<<<< 9e0e42dbf918070406a2a4a2e1476e7350ba9129
 func parseNamespace(ns string) (string, string, error) {
 	parts := strings.SplitN(ns, ":", 2)
 	if len(parts) == 0 || parts[0] == "" {
@@ -904,6 +944,82 @@ func parseDevice(device string, g *generate.Generator) (rspec.LinuxDevice, error
 	}
 
 	return dev, nil
+=======
+var cgroupDeviceType = map[string]bool{
+	"a": true, // all
+	"b": true, // block device
+	"c": true, // character device
+}
+var cgroupDeviceAccess = map[string]bool{
+	"r": true, //read
+	"w": true, //write
+	"m": true, //mknod
+}
+
+// parseLinuxResourcesDeviceAccess parses the raw string passed with the --device-access-add flag
+func parseLinuxResourcesDeviceAccess(device string, g *generate.Generator) (rspec.DeviceCgroup, error) {
+	var allow bool
+	var devType, access *string
+	var major, minor *int64
+
+	argsParts := strings.Split(device, ",")
+
+	switch argsParts[0] {
+	case "allow":
+		allow = true
+	case "deny":
+		allow = false
+	default:
+		return rspec.DeviceCgroup{},
+			fmt.Errorf("Only 'allow' and 'deny' are allowed in the first field of device-access-add: %s", device)
+	}
+
+	for _, s := range argsParts[1:] {
+		s = strings.TrimSpace(s)
+		if s == "" {
+			continue
+		}
+		parts := strings.SplitN(s, "=", 2)
+		if len(parts) != 2 {
+			return rspec.DeviceCgroup{}, fmt.Errorf("Incomplete device-access-add arguments: %s", s)
+		}
+		name, value := parts[0], parts[1]
+
+		switch name {
+		case "type":
+			if !cgroupDeviceType[value] {
+				return rspec.DeviceCgroup{}, fmt.Errorf("Invalid device type in device-access-add: %s", value)
+			}
+			devType = &value
+		case "major":
+			i, err := strconv.ParseInt(value, 10, 64)
+			if err != nil {
+				return rspec.DeviceCgroup{}, err
+			}
+			major = &i
+		case "minor":
+			i, err := strconv.ParseInt(value, 10, 64)
+			if err != nil {
+				return rspec.DeviceCgroup{}, err
+			}
+			minor = &i
+		case "access":
+			for _, c := range strings.Split(value, "") {
+				if !cgroupDeviceAccess[c] {
+					return rspec.DeviceCgroup{}, fmt.Errorf("Invalid device access in device-access-add: %s", c)
+				}
+			}
+			access = &value
+		}
+	}
+	return rspec.DeviceCgroup{
+		Allow:  allow,
+		Type:   devType,
+		Major:  major,
+		Minor:  minor,
+		Access: access,
+	}, nil
+>>>>>>> generate: add --device-access-add and --device-access-remove option
 }
 
 func addSeccomp(context *cli.Context, g *generate.Generator) error {
diff --git a/generate/generate.go b/generate/generate.go
@@ -1135,6 +1135,7 @@ func (g *Generator) RemoveLinuxNamespace(ns string) error {
 	return nil
 }
 
+<<<<<<< 9e0e42dbf918070406a2a4a2e1476e7350ba9129
 // AddDevice - add a device into g.spec.Linux.Devices
 func (g *Generator) AddDevice(device rspec.LinuxDevice) {
 	g.initSpecLinux()
@@ -1174,6 +1175,39 @@ func (g *Generator) ClearLinuxDevices() {
 	}
 
 	g.spec.Linux.Devices = []rspec.LinuxDevice{}
+=======
+// AddLinuxResourcesDevice - add a device into g.spec.Linux.Resources.Devices
+func (g *Generator) AddLinuxResourcesDevice(allow bool, devType *string, major, minor *int64, access *string) {
+	g.initSpecLinuxResources()
+
+	device := rspec.DeviceCgroup{
+		Allow:  allow,
+		Type:   devType,
+		Access: access,
+		Major:  major,
+		Minor:  minor,
+	}
+	g.spec.Linux.Resources.Devices = append(g.spec.Linux.Resources.Devices, device)
+}
+
+// RemoveLinuxResourcesDevice - remove a device from g.spec.Linux.Resources.Devices
+func (g *Generator) RemoveLinuxResourcesDevice(allow bool, devType *string, major, minor *int64, access *string) {
+	if g.spec == nil || g.spec.Linux == nil || g.spec.Linux.Resources == nil {
+		return
+	}
+	for i, device := range g.spec.Linux.Resources.Devices {
+		if device.Allow == allow &&
+			(devType == device.Type || (devType != nil && device.Type != nil && *devType == *device.Type)) &&
+			(access == device.Access || (access != nil && device.Access != nil && *access == *device.Access)) &&
+			(major == device.Major || (major != nil && device.Major != nil && *major == *device.Major)) &&
+			(minor == device.Minor || (minor != nil && device.Minor != nil && *minor == *device.Minor)) {
+
+			g.spec.Linux.Resources.Devices = append(g.spec.Linux.Resources.Devices[:i], g.spec.Linux.Resources.Devices[i+1:]...)
+			return
+		}
+	}
+	return
+>>>>>>> generate: add --device-access-add and --device-access-remove option
 }
 
 // strPtr returns the pointer pointing to the string s.
