From: Serge Hallyn Date: Mon, 7 Mar 2016 19:16:43 +0000 (-0800) Subject: cgfsng - remove the code checking whether devices cgroup lines are already done X-Git-Tag: lxc-2.0.0.rc6~1^2~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=aca7dc6feccdeeb519063ede4bd241ee86576c4c;p=thirdparty%2Flxc.git cgfsng - remove the code checking whether devices cgroup lines are already done We may need to revert this, but I *think* we no longer need this with default configs. The idea iirc was that if caller cannot write to devices.allow (i.e. is in a user namespace), then ignore permission failures if the cgroups are already sufficiently setup. Signed-off-by: Serge Hallyn --- diff --git a/src/lxc/cgfsng.c b/src/lxc/cgfsng.c index 123303502..c3ab39679 100644 --- a/src/lxc/cgfsng.c +++ b/src/lxc/cgfsng.c @@ -1323,53 +1323,6 @@ static int cgfsng_set(const char *filename, const char *value, const char *name, return ret; } -/* - * Check whether a container already has a particular rule, as otherwise - * may end up with spurious permission errors. - */ -static bool cgroup_devices_has_allow_or_deny(struct cgfsng_handler_data *d, - char *v, bool for_allow, char *path) -{ - FILE *devices_list; - char *line = NULL; - size_t sz = 0; - bool ret = !for_allow; - - /* if it's a deny rule and container has all devices, then it doesn't - * yet have the deny rule */ - if (!for_allow && strcmp(v, "a") != 0 && strcmp(v, "a *:* rwm") != 0) - return false; - - devices_list = fopen_cloexec(path, "r"); - if (!devices_list) { - free(path); - return false; - } - - while (getline(&line, &sz, devices_list) != -1) { - size_t len = strlen(line); - if (len > 0 && line[len-1] == '\n') - line[len-1] = '\0'; - if (strcmp(line, "a *:* rwm") == 0) { - /* if container has all access and we're adding allow rule, - * then already has it; if it has all access and we're - * adding a deny rule, then it does not. */ - ret = for_allow; - goto out; - } else if (for_allow && strcmp(line, v) == 0) { - /* if the line is there verbatim and it is an - * allow rule, then it already has it */ - ret = true; - goto out; - } - } - -out: - fclose(devices_list); - free(line); - return ret; -} - /* * Called from setup_limits - here we have the container's cgroup_data because * we created the cgroups @@ -1425,12 +1378,6 @@ static bool cgfsng_setup_limits(void *hdata, struct lxc_list *cgroup_settings, cg = iterator->elem; if (do_devices == !strncmp("devices", cg->subsystem, 7)) { - if (strcmp(cg->subsystem, "devices.deny") == 0 && - cgroup_devices_has_allow_or_deny(d, cg->value, false, listpath)) - continue; - if (strcmp(cg->subsystem, "devices.allow") == 0 && - cgroup_devices_has_allow_or_deny(d, cg->value, true, listpath)) - continue; if (lxc_cgroup_set_data(cg->subsystem, cg->value, d)) { if (do_devices && (errno == EACCES || errno == EPERM)) { WARN("Error setting %s to %s for %s",