diff --git a/cgroups/fs/devices.go b/cgroups/fs/devices.go
index 16e00b1c..be588d67 100644
--- a/cgroups/fs/devices.go
+++ b/cgroups/fs/devices.go
@@ -32,6 +32,17 @@ func (s *DevicesGroup) Set(path string, cgroup *configs.Cgroup) error {
 return err
 }
 }
+ return nil
+ }
+
+ if err := writeFile(path, "devices.allow", "a"); err != nil {
+ return err
+ }
+
+ for _, dev := range cgroup.DeniedDevices {
+ if err := writeFile(path, "devices.deny", dev.CgroupString()); err != nil {
+ return err
+ }
 }
 return nil
diff --git a/cgroups/fs/devices_test.go b/cgroups/fs/devices_test.go
index 18bb1274..f950c1b9 100644
--- a/cgroups/fs/devices_test.go
+++ b/cgroups/fs/devices_test.go
@@ -17,7 +17,18 @@ var (
 FileMode: 0666,
 },
 }
- allowedList = "c 1:5 rwm"
+ allowedList = "c 1:5 rwm"
+ deniedDevices = []*configs.Device{
+ {
+ Path: "/dev/null",
+ Type: 'c',
+ Major: 1,
+ Minor: 3,
+ Permissions: "rwm",
+ FileMode: 0666,
+ },
+ }
+ deniedList = "c 1:3 rwm"
 )
 func TestDevicesSetAllow(t *testing.T) {
@@ -44,3 +55,28 @@ func TestDevicesSetAllow(t *testing.T) {
 t.Fatal("Got the wrong value, set devices.allow failed.")
 }
 }
+
+func TestDevicesSetDeny(t *testing.T) {
+ helper := NewCgroupTestUtil("devices", t)
+ defer helper.cleanup()
+
+ helper.writeFileContents(map[string]string{
+ "devices.allow": "a",
+ })
+
+ helper.CgroupData.c.AllowAllDevices = true
+ helper.CgroupData.c.DeniedDevices = deniedDevices
+ devices := &DevicesGroup{}
+ if err := devices.Set(helper.CgroupPath, helper.CgroupData.c); err != nil {
+ t.Fatal(err)
+ }
+
+ value, err := getCgroupParamString(helper.CgroupPath, "devices.deny")
+ if err != nil {
+ t.Fatalf("Failed to parse devices.deny - %s", err)
+ }
+
+ if value != deniedList {
+ t.Fatal("Got the wrong value, set devices.deny failed.")
+ }
+}
diff --git a/cgroups/systemd/apply_systemd.go b/cgroups/systemd/apply_systemd.go
index 6c87eb77..48944302 100644
--- a/cgroups/systemd/apply_systemd.go
+++ b/cgroups/systemd/apply_systemd.go
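Review bot: Writing `a` to devices.allow whenever AllowAllDevices is set (the first added writeFile in this hunk, and the identical sequence added to joinDevices in cgroups/systemd/apply_systemd.go) is a new side effect: before this change that path fell straight through to the context `return nil` and the cgroup kept whatever it inherited from its parent. On kernels that enforce the devices-cgroup hierarchy a child cannot be widened past its parent, so this write is likely to fail with EPERM for a container created under a parent cgroup that is not itself allow-all, where the old code succeeded; worth confirming on the target kernels and either tolerating that error or documenting the requirement. Because the deny entries are layered on top of allow-all, any device not listed in DeniedDevices stays reachable, which deserves a comment above the allow write such as `// AllowAllDevices: grant everything, then carve out DeniedDevices; the deny writes must follow the "a" allow write.` The enclosing Set starts outside the hunk, so the `if !cgroup.AllowAllDevices {` that the new `return nil` / `}` close is not shown.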
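Review bot: TestDevicesSetDeny seeds devices.allow with `a` via writeFileContents and then reads only devices.deny, so the `a` that Set is supposed to write to devices.allow in the AllowAllDevices path is never verified; dropping that write, or sending it to the wrong file, would leave this test green. Seed devices.allow with a value other than `a` and read it back after Set, e.g. `if v, err := getCgroupParamString(helper.CgroupPath, "devices.allow"); err != nil || v != "a" { t.Fatalf("devices.allow = %q, err = %v", v, err) }`. A short comment on the test saying it covers the allow-all-then-deny ordering would also help, since TestDevicesSetAllow above covers the opposite branch.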
@@ -402,6 +402,28 @@ func joinDevices(c *configs.Cgroup, pid int) error {
 return err
 }
+ if !c.AllowAllDevices {
+ if err := writeFile(path, "devices.deny", "a"); err != nil {
+ return err
+ }
+ for _, dev := range c.AllowedDevices {
+ if err := writeFile(path, "devices.allow", dev.CgroupString()); err != nil {
+ return err
+ }
+ }
+ return nil
+ }
+
+ if err := writeFile(path, "devices.allow", "a"); err != nil {
+ return err
+ }
+
+ for _, dev := range c.DeniedDevices {
+ if err := writeFile(path, "devices.deny", dev.CgroupString()); err != nil {
+ return err
+ }
+ }
+
 return nil
 }
diff --git a/configs/cgroup.go b/configs/cgroup.go
index 8a699ac1..f2724375 100644
--- a/configs/cgroup.go
+++ b/configs/cgroup.go
@@ -19,6 +19,8 @@ type Cgroup struct {
 AllowedDevices []*Device `json:"allowed_devices"`
+ DeniedDevices []*Device `json:"denied_devices"`
+
 // Memory limit (in bytes)
 Memory int64 `json:"memory"`
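Review bot: joinDevices now carries a copy of the branch logic in DevicesGroup.Set from cgroups/fs/devices.go (both halves of the `if !c.AllowAllDevices` in this hunk match that file line for line), and two copies of a device-access policy are a drift risk: a future fix to one path silently leaves the other behind. If the systemd package can import cgroups/fs, the whole added block reduces to `return (&fs.DevicesGroup{}).Set(path, c)`; if that import is not possible, a shared helper in the cgroups package taking `(path string, c *configs.Cgroup)` would serve both callers. Note also that this copy, unlike the fs one, has no test in this commit exercising the DeniedDevices loop. joinDevices begins before the hunk, so where `path` comes from is not shown.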
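Review bot: DeniedDevices is added to Cgroup without a doc comment, and its semantics are not obvious from the name: in the callers changed by this commit (cgroups/fs/devices.go and cgroups/systemd/apply_systemd.go) it is consulted only when AllowAllDevices is true, while AllowedDevices is consulted only when it is false, and each is silently ignored otherwise. Suggest `// DeniedDevices lists devices to deny after allowing all; used only when AllowAllDevices is true.` above the new field, with the mirror-image comment on AllowedDevices so a config author sees that the two lists are mutually exclusive. The struct continues outside the hunk.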