github.com/zhuohuang-hust/src-cbuild@v0.0.0-20230105071821-c7aab3e7c840/mergeCode/runc/libcontainer/cgroups/fs/devices.go

     1  // +build linux
     2  
     3  package fs
     4  
     5  import (
     6  	"github.com/opencontainers/runc/libcontainer/cgroups"
     7  	"github.com/opencontainers/runc/libcontainer/configs"
     8  	"github.com/opencontainers/runc/libcontainer/system"
     9  )
    10  
// DevicesGroup implements the "devices" cgroup subsystem for the fs
// (cgroup v1) backend: it joins the container to the devices hierarchy
// (Apply) and writes the container's device access rules to
// devices.allow / devices.deny (Set). It carries no state of its own.
type DevicesGroup struct {
}
    13  
// Name returns the cgroup subsystem name this group manages, "devices".
func (s *DevicesGroup) Name() string {
	const subsystem = "devices"
	return subsystem
}
    17  
// Apply joins the cgroup described by d to the "devices" hierarchy.
//
// Any error from d.join is propagated unchanged — including a not-found
// error that other subsystems might tolerate — because the devices cgroup
// is a hard requirement for the container's security: without it, device
// access cannot be restricted at all.
func (s *DevicesGroup) Apply(d *cgroupData) error {
	// A nil err here is exactly the success value callers expect.
	_, err := d.join("devices")
	return err
}
    27  
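// Set writes the device access rules of cgroup to the devices controller
// rooted at path.
//
// Rules go to the devices.allow / devices.deny files. Three configuration
// shapes are handled, with this precedence:
//
//  1. If cgroup.Resources.Devices is non-empty, each entry is written to
//     devices.allow or devices.deny according to its Allow flag, in slice
//     order, and the remaining fields (AllowAllDevices, AllowedDevices,
//     DeniedDevices) are ignored.
//  2. Otherwise, if AllowAllDevices is set: false writes a blanket deny
//     ("a") first and then each AllowedDevices entry, so the allow rules are
//     strict exceptions on top of a closed default; true writes a blanket
//     allow ("a") and then falls through to step 3.
//  3. Each DeniedDevices entry is written to devices.deny.
//
// When the process is running inside a user namespace nothing is written
// and nil is returned (presumably because the devices controller cannot be
// written from a user namespace — confirm against the caller's
// expectations, since this silently leaves the cgroup's rules unchanged).
//
// Returns the first error from writeFile, if any.
func (s *DevicesGroup) Set(path string, cgroup *configs.Cgroup) error {
	if system.RunningInUserNS() {
		return nil
	}

	// Explicit per-device rules take precedence over everything else.
	if devices := cgroup.Resources.Devices; len(devices) > 0 {
		for _, dev := range devices {
			file := "devices.deny"
			if dev.Allow {
				file = "devices.allow"
			}
			if err := writeFile(path, file, dev.CgroupString()); err != nil {
				return err
			}
		}
		return nil
	}

	if allowAll := cgroup.Resources.AllowAllDevices; allowAll != nil {
		if !*allowAll {
			// Close the default first so the AllowedDevices written below
			// are the only devices reachable.
			if err := writeFile(path, "devices.deny", "a"); err != nil {
				return err
			}
			for _, dev := range cgroup.Resources.AllowedDevices {
				if err := writeFile(path, "devices.allow", dev.CgroupString()); err != nil {
					return err
				}
			}
			return nil
		}

		// Open default: every device is permitted unless denied below.
		if err := writeFile(path, "devices.allow", "a"); err != nil {
			return err
		}
	}

	for _, dev := range cgroup.Resources.DeniedDevices {
		if err := writeFile(path, "devices.deny", dev.CgroupString()); err != nil {
			return err
		}
	}

	return nil
}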
    73  
// Remove deletes the "devices" cgroup directory resolved from d, returning
// whatever error removePath reports.
func (s *DevicesGroup) Remove(d *cgroupData) error {
	devicesPath := d.path("devices")
	return removePath(devicesPath)
}
    77  
// GetStats is a no-op for the devices subsystem: nothing is read from path,
// stats is left untouched, and the result is always nil.
func (s *DevicesGroup) GetStats(path string, stats *cgroups.Stats) (err error) {
	// err keeps its zero value (nil); there are no device statistics to collect.
	return
}