Allow non-privileged containers to create device nodes.

Such nodes could already be created by importing a tarball to a container; now they can be created from within the container itself. This gives non-privileged containers the mknod kernel capability, and modifies their cgroup settings to allow creation of *any* node, not just whitelisted ones. Use of such nodes is still controlled by the existing cgroup whitelist. Docker-DCO-1.1-Signed-off-by: Kevin Wallace <kevin@pentabarf.net> (github: kevinwallace)
2022-11-09 12:21:53 -05:00 · 2013-12-01 15:27:24 -08:00 · 2013-12-01 15:27:24 -08:00 · c94111b619
commit c94111b619
parent 5844920185
5 changed files with 12 additions and 6 deletions
--- a/integration/container_test.go
+++ b/integration/container_test.go
@ -1619,16 +1619,16 @@ func TestPrivilegedCanMount(t *testing.T) {
 	}
 }

-func TestPrivilegedCannotMknod(t *testing.T) {
+func TestUnprivilegedCanMknod(t *testing.T) {
 	eng := NewTestEngine(t)
 	runtime := mkRuntimeFromEngine(eng, t)
 	defer runtime.Nuke()
-	if output, _ := runContainer(eng, runtime, []string{"_", "sh", "-c", "mknod /tmp/sda b 8 0 || echo ok"}, t); output != "ok\n" {
-		t.Fatal("Could mknod into secure container")
+	if output, _ := runContainer(eng, runtime, []string{"_", "sh", "-c", "mknod /tmp/sda b 8 0 && echo ok"}, t); output != "ok\n" {
+		t.Fatal("Couldn't mknod into secure container")
 	}
 }

-func TestPrivilegedCannotMount(t *testing.T) {
+func TestUnprivilegedCannotMount(t *testing.T) {
 	eng := NewTestEngine(t)
 	runtime := mkRuntimeFromEngine(eng, t)
 	defer runtime.Nuke()
--- a/pkg/cgroups/apply_raw.go
+++ b/pkg/cgroups/apply_raw.go
@ -95,6 +95,10 @@ func (raw *rawCgroup) setupDevices(c *Cgroup, pid int) (err error) {
 		}

 		allow := []string{
+			// allow mknod for any device
+			"c *:* m",
+			"b *:* m",
+
 			// /dev/null, zero, full
 			"c 1:3 rwm",
 			"c 1:5 rwm",
--- a/runtime/execdriver/lxc/init.go
+++ b/runtime/execdriver/lxc/init.go
@ -144,7 +144,6 @@ func setupCapabilities(args *execdriver.InitArgs) error {
 		capability.CAP_SYS_RESOURCE,
 		capability.CAP_SYS_TIME,
 		capability.CAP_SYS_TTY_CONFIG,
-		capability.CAP_MKNOD,
 		capability.CAP_AUDIT_WRITE,
 		capability.CAP_AUDIT_CONTROL,
 		capability.CAP_MAC_OVERRIDE,
--- a/runtime/execdriver/lxc/lxc_template.go
+++ b/runtime/execdriver/lxc/lxc_template.go
@ -44,6 +44,10 @@ lxc.cgroup.devices.allow = a
 # no implicit access to devices
 lxc.cgroup.devices.deny = a

+# but allow mknod for any device
+lxc.cgroup.devices.allow = c *:* m
+lxc.cgroup.devices.allow = b *:* m
+
 # /dev/null and zero
 lxc.cgroup.devices.allow = c 1:3 rwm
 lxc.cgroup.devices.allow = c 1:5 rwm
--- a/runtime/execdriver/native/template/default_template.go
+++ b/runtime/execdriver/native/template/default_template.go
@ -18,7 +18,6 @@ func New() *libcontainer.Container {
 			libcontainer.GetCapability("SYS_RESOURCE"),
 			libcontainer.GetCapability("SYS_TIME"),
 			libcontainer.GetCapability("SYS_TTY_CONFIG"),
-			libcontainer.GetCapability("MKNOD"),
 			libcontainer.GetCapability("AUDIT_WRITE"),
 			libcontainer.GetCapability("AUDIT_CONTROL"),
 			libcontainer.GetCapability("MAC_OVERRIDE"),