github.com/Heebron/moby@v0.0.0-20221111184709-6eab4f55faf7/oci/oci.go

github.com/Heebron/moby@v0.0.0-20221111184709-6eab4f55faf7/oci/oci.go (about)

     1  package oci // import "github.com/docker/docker/oci"
     2  
     3  import (
     4  	"fmt"
     5  	"regexp"
     6  	"strconv"
     7  
     8  	specs "github.com/opencontainers/runtime-spec/specs-go"
     9  )
    10  
    11  // TODO verify if this regex is correct for "a" (all);
    12  //
    13  // The docs (https://github.com/torvalds/linux/blob/v5.10/Documentation/admin-guide/cgroup-v1/devices.rst) describe:
    14  // "'all' means it applies to all types and all major and minor numbers", and shows an example
    15  // that *only* passes `a` as value: `echo a > /sys/fs/cgroup/1/devices.allow, which would be
    16  // the "implicit" equivalent of "a *:* rwm". Source-code also looks to confirm this, and returns
    17  // early for "a" (all); https://github.com/torvalds/linux/blob/v5.10/security/device_cgroup.c#L614-L642
    18  var deviceCgroupRuleRegex = regexp.MustCompile("^([acb]) ([0-9]+|\\*):([0-9]+|\\*) ([rwm]{1,3})$") //nolint: gosimple
    19  
    20  // SetCapabilities sets the provided capabilities on the spec
    21  // All capabilities are added if privileged is true.
    22  func SetCapabilities(s *specs.Spec, caplist []string) error {
    23  	// setUser has already been executed here
    24  	if s.Process.User.UID == 0 {
    25  		s.Process.Capabilities = &specs.LinuxCapabilities{
    26  			Effective: caplist,
    27  			Bounding:  caplist,
    28  			Permitted: caplist,
    29  		}
    30  	} else {
    31  		// Do not set Effective and Permitted capabilities for non-root users,
    32  		// to match what execve does.
    33  		s.Process.Capabilities = &specs.LinuxCapabilities{
    34  			Bounding: caplist,
    35  		}
    36  	}
    37  	return nil
    38  }
    39  
    40  // AppendDevicePermissionsFromCgroupRules takes rules for the devices cgroup to append to the default set
    41  func AppendDevicePermissionsFromCgroupRules(devPermissions []specs.LinuxDeviceCgroup, rules []string) ([]specs.LinuxDeviceCgroup, error) {
    42  	for _, deviceCgroupRule := range rules {
    43  		ss := deviceCgroupRuleRegex.FindAllStringSubmatch(deviceCgroupRule, -1)
    44  		if len(ss) == 0 || len(ss[0]) != 5 {
    45  			return nil, fmt.Errorf("invalid device cgroup rule format: '%s'", deviceCgroupRule)
    46  		}
    47  		matches := ss[0]
    48  
    49  		dPermissions := specs.LinuxDeviceCgroup{
    50  			Allow:  true,
    51  			Type:   matches[1],
    52  			Access: matches[4],
    53  		}
    54  		if matches[2] == "*" {
    55  			major := int64(-1)
    56  			dPermissions.Major = &major
    57  		} else {
    58  			major, err := strconv.ParseInt(matches[2], 10, 64)
    59  			if err != nil {
    60  				return nil, fmt.Errorf("invalid major value in device cgroup rule format: '%s'", deviceCgroupRule)
    61  			}
    62  			dPermissions.Major = &major
    63  		}
    64  		if matches[3] == "*" {
    65  			minor := int64(-1)
    66  			dPermissions.Minor = &minor
    67  		} else {
    68  			minor, err := strconv.ParseInt(matches[3], 10, 64)
    69  			if err != nil {
    70  				return nil, fmt.Errorf("invalid minor value in device cgroup rule format: '%s'", deviceCgroupRule)
    71  			}
    72  			dPermissions.Minor = &minor
    73  		}
    74  		devPermissions = append(devPermissions, dPermissions)
    75  	}
    76  	return devPermissions, nil
    77  }