summaryrefslogtreecommitdiff
path: root/src/core/cgroup.c
diff options
context:
space:
mode:
authorLennart Poettering <lennart@poettering.net>2014-02-22 02:47:29 +0100
committerLennart Poettering <lennart@poettering.net>2014-02-22 03:05:34 +0100
commit90060676c442604780634c0a993e3f9c3733f8e6 (patch)
treeb9a4ea6ffee5bcffdf63f3034f7c460f5559c30f /src/core/cgroup.c
parent1620510ada018f1e1f0be114714826f6698501f2 (diff)
cgroup: Extend DeviceAllow= syntax to whitelist groups of devices, not just particular devices nodes
Diffstat (limited to 'src/core/cgroup.c')
-rw-r--r--src/core/cgroup.c86
1 files changed, 85 insertions, 1 deletions
diff --git a/src/core/cgroup.c b/src/core/cgroup.c
index 707ce470a1..50de02d0ce 100644
--- a/src/core/cgroup.c
+++ b/src/core/cgroup.c
@@ -191,6 +191,82 @@ static int whitelist_device(const char *path, const char *node, const char *acc)
return r;
}
+static int whitelist_major(const char *path, const char *name, char type, const char *acc) {
+ _cleanup_fclose_ FILE *f = NULL;
+ char line[LINE_MAX];
+ bool good = false;
+ int r;
+
+ assert(path);
+ assert(acc);
+ assert(type == 'b' || type == 'c');
+
+ f = fopen("/proc/devices", "re");
+ if (!f) {
+ log_warning("Cannot open /proc/devices to resolve %s (%c): %m", name, type);
+ return -errno;
+ }
+
+ FOREACH_LINE(line, f, goto fail) {
+ char buf[2+DECIMAL_STR_MAX(unsigned)+3+4], *p, *w;
+ unsigned maj;
+
+ truncate_nl(line);
+
+ if (type == 'c' && streq(line, "Character devices:")) {
+ good = true;
+ continue;
+ }
+
+ if (type == 'b' && streq(line, "Block devices:")) {
+ good = true;
+ continue;
+ }
+
+ if (isempty(line)) {
+ good = false;
+ continue;
+ }
+
+ if (!good)
+ continue;
+
+ p = strstrip(line);
+
+ w = strpbrk(p, WHITESPACE);
+ if (!w)
+ continue;
+ *w = 0;
+
+ r = safe_atou(p, &maj);
+ if (r < 0)
+ continue;
+ if (maj <= 0)
+ continue;
+
+ w++;
+ w += strspn(w, WHITESPACE);
+ if (!streq(w, name))
+ continue;
+
+ sprintf(buf,
+ "%c %u:* %s",
+ type,
+ maj,
+ acc);
+
+ r = cg_set_attribute("devices", path, "devices.allow", buf);
+ if (r < 0)
+ log_warning("Failed to set devices.allow on %s: %s", path, strerror(-r));
+ }
+
+ return 0;
+
+fail:
+ log_warning("Failed to read /proc/devices: %m");
+ return -errno;
+}
+
void cgroup_context_apply(CGroupContext *c, CGroupControllerMask mask, const char *path) {
int r;
@@ -306,7 +382,15 @@ void cgroup_context_apply(CGroupContext *c, CGroupControllerMask mask, const cha
continue;
acc[k++] = 0;
- whitelist_device(path, a->path, acc);
+
+ if (startswith(a->path, "/dev/"))
+ whitelist_device(path, a->path, acc);
+ else if (startswith(a->path, "block-"))
+ whitelist_major(path, a->path + 6, 'b', acc);
+ else if (startswith(a->path, "char-"))
+ whitelist_major(path, a->path + 5, 'c', acc);
+ else
+ log_debug("Ignoring device %s while writing cgroup attribute.", a->path);
}
}
}