package oci // import "github.com/docker/docker/oci" import ( "fmt" "regexp" "strconv" specs "github.com/opencontainers/runtime-spec/specs-go" ) // TODO verify if this regex is correct for "a" (all); the docs (https://github.com/torvalds/linux/blob/v5.10/Documentation/admin-guide/cgroup-v1/devices.rst) describe: // "'all' means it applies to all types and all major and minor numbers", and shows an example // that *only* passes `a` as value: `echo a > /sys/fs/cgroup/1/devices.allow, which would be // the "implicit" equivalent of "a *:* rwm". Source-code also looks to confirm this, and returns // early for "a" (all); https://github.com/torvalds/linux/blob/v5.10/security/device_cgroup.c#L614-L642 //nolint: gosimple var deviceCgroupRuleRegex = regexp.MustCompile("^([acb]) ([0-9]+|\\*):([0-9]+|\\*) ([rwm]{1,3})$") // SetCapabilities sets the provided capabilities on the spec // All capabilities are added if privileged is true func SetCapabilities(s *specs.Spec, caplist []string) error { s.Process.Capabilities.Effective = caplist s.Process.Capabilities.Bounding = caplist s.Process.Capabilities.Permitted = caplist s.Process.Capabilities.Inheritable = caplist // setUser has already been executed here // if non root drop capabilities in the way execve does if s.Process.User.UID != 0 { s.Process.Capabilities.Effective = []string{} s.Process.Capabilities.Permitted = []string{} } return nil } // AppendDevicePermissionsFromCgroupRules takes rules for the devices cgroup to append to the default set func AppendDevicePermissionsFromCgroupRules(devPermissions []specs.LinuxDeviceCgroup, rules []string) ([]specs.LinuxDeviceCgroup, error) { for _, deviceCgroupRule := range rules { ss := deviceCgroupRuleRegex.FindAllStringSubmatch(deviceCgroupRule, -1) if len(ss) == 0 || len(ss[0]) != 5 { return nil, fmt.Errorf("invalid device cgroup rule format: '%s'", deviceCgroupRule) } matches := ss[0] dPermissions := specs.LinuxDeviceCgroup{ Allow: true, Type: matches[1], Access: matches[4], } if matches[2] == "*" { major := int64(-1) dPermissions.Major = &major } else { major, err := strconv.ParseInt(matches[2], 10, 64) if err != nil { return nil, fmt.Errorf("invalid major value in device cgroup rule format: '%s'", deviceCgroupRule) } dPermissions.Major = &major } if matches[3] == "*" { minor := int64(-1) dPermissions.Minor = &minor } else { minor, err := strconv.ParseInt(matches[3], 10, 64) if err != nil { return nil, fmt.Errorf("invalid minor value in device cgroup rule format: '%s'", deviceCgroupRule) } dPermissions.Minor = &minor } devPermissions = append(devPermissions, dPermissions) } return devPermissions, nil }