// Source: github.com/zhuohuang-hust/src-cbuild@v0.0.0-20230105071821-c7aab3e7c840/mergeCode/runc/libcontainer/cgroups/fs/devices.go

// +build linux

package fs

import (
	"github.com/opencontainers/runc/libcontainer/cgroups"
	"github.com/opencontainers/runc/libcontainer/configs"
	"github.com/opencontainers/runc/libcontainer/system"
)

// DevicesGroup manages the "devices" cgroup controller for a container.
// It carries no state of its own.
type DevicesGroup struct{}

// Name returns the controller name, "devices".
func (s *DevicesGroup) Name() string {
	return "devices"
}

// Apply joins the container to the devices cgroup.
//
// Every error from the join is returned, including a "not found" error:
// the devices cgroup is a hard requirement for the container's security,
// so a missing controller is not tolerated here.
func (s *DevicesGroup) Apply(d *cgroupData) error {
	if _, err := d.join("devices"); err != nil {
		return err
	}
	return nil
}

// Set writes the device access rules from cgroup.Resources into the devices
// cgroup directory at path.
//
// Nothing is written when the process runs inside a user namespace.
// NOTE(review): on that path this function places no device restriction on
// the container; presumably these writes are not permitted from a user
// namespace. Confirm that device access is constrained by another mechanism.
//
// When Resources.Devices is non-empty it is the only input consulted: each
// rule is written to devices.allow or devices.deny in list order. No
// deny-all rule is prepended here, so the resulting policy depends on the
// list contents and on whatever the cgroup already permits.
//
// Otherwise the AllowAllDevices / AllowedDevices / DeniedDevices fields are
// used: a false AllowAllDevices yields "deny all, then allow the listed
// devices"; a true one yields "allow all, then deny the listed devices"; a
// nil one only applies the deny list.
//
// Rules are written one at a time and nothing is rolled back on error. A
// failure in the deny-all branch leaves the cgroup stricter than requested,
// while a failure after the allow-all write leaves it broader than
// requested, so callers should treat any returned error as fatal.
func (s *DevicesGroup) Set(path string, cgroup *configs.Cgroup) error {
	if system.RunningInUserNS() {
		return nil
	}

	res := cgroup.Resources

	// Unified rule list: takes precedence over the legacy fields below.
	if len(res.Devices) != 0 {
		for _, rule := range res.Devices {
			target := "devices.allow"
			if !rule.Allow {
				target = "devices.deny"
			}
			if err := writeFile(path, target, rule.CgroupString()); err != nil {
				return err
			}
		}
		return nil
	}

	allowAll := res.AllowAllDevices

	// Whitelist mode: drop every permission first, then re-add the allowed
	// devices. The deny list is not consulted in this mode.
	if allowAll != nil && !*allowAll {
		if err := writeFile(path, "devices.deny", "a"); err != nil {
			return err
		}
		for _, allowed := range res.AllowedDevices {
			if err := writeFile(path, "devices.allow", allowed.CgroupString()); err != nil {
				return err
			}
		}
		return nil
	}

	// Blacklist mode: open everything up before the individual denies are
	// written. A nil AllowAllDevices skips this write.
	if allowAll != nil {
		if err := writeFile(path, "devices.allow", "a"); err != nil {
			return err
		}
	}

	for _, denied := range res.DeniedDevices {
		if err := writeFile(path, "devices.deny", denied.CgroupString()); err != nil {
			return err
		}
	}

	return nil
}

// Remove deletes the container's devices cgroup directory.
func (s *DevicesGroup) Remove(d *cgroupData) error {
	return removePath(d.path("devices"))
}

// GetStats is a no-op: it leaves stats untouched and always returns nil.
func (s *DevicesGroup) GetStats(path string, stats *cgroups.Stats) error {
	return nil
}