|
 |
116c32 |
From 2ce40b6ad72b4bd4391380cafc5ef1bad1fa0b31 Mon Sep 17 00:00:00 2001
|
|
|
116c32 |
From: Kir Kolyshkin <kolyshkin@gmail.com>
|
|
|
116c32 |
Date: Wed, 4 May 2022 14:56:16 -0700
|
|
|
116c32 |
Subject: [PATCH] Remove tun/tap from the default device rules
|
|
|
116c32 |
|
|
|
116c32 |
Looking through git blame, this was added by commit 9fac18329
|
|
|
116c32 |
aka "Initial commit of runc binary", most probably by mistake.
|
|
|
116c32 |
|
|
|
116c32 |
Obviously, a container should not have access to tun/tap device, unless
|
|
|
116c32 |
it is explicitly specified in configuration.
|
|
|
116c32 |
|
|
|
116c32 |
Now, removing this might create a compatibility issue, but I see no
|
|
|
116c32 |
other choice.
|
|
|
116c32 |
|
|
|
116c32 |
Aside from the obvious misconfiguration, this should also fix the
|
|
|
116c32 |
annoying
|
|
|
116c32 |
|
|
|
116c32 |
> Apr 26 03:46:56 foo.bar systemd[1]: Couldn't stat device /dev/char/10:200: No such file or directory
|
|
|
116c32 |
|
|
|
116c32 |
messages from systemd on every container start, when runc uses systemd
|
|
|
116c32 |
cgroup driver, and the system runs an old (< v240) version of systemd
|
|
|
116c32 |
(the message was presumably eliminated by [1]).
|
|
|
116c32 |
|
|
|
116c32 |
[1] https://github.com/systemd/systemd/pull/10996/commits/d5aecba6e0b7c73657c4cf544ce57289115098e7
|
|
|
116c32 |
|
|
|
116c32 |
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
|
|
|
116c32 |
---
|
|
|
116c32 |
.../ebpf/devicefilter/devicefilter_test.go | 19 ++++++-------------
|
|
|
116c32 |
libcontainer/specconv/spec_linux.go | 10 ----------
|
|
|
116c32 |
2 files changed, 6 insertions(+), 23 deletions(-)
|
|
|
116c32 |
|
|
|
116c32 |
diff --git a/libcontainer/cgroups/ebpf/devicefilter/devicefilter_test.go b/libcontainer/cgroups/ebpf/devicefilter/devicefilter_test.go
|
|
|
116c32 |
index d279335821..25703be5ad 100644
|
|
|
116c32 |
--- a/libcontainer/cgroups/ebpf/devicefilter/devicefilter_test.go
|
|
|
116c32 |
+++ b/libcontainer/cgroups/ebpf/devicefilter/devicefilter_test.go
|
|
|
116c32 |
@@ -120,21 +120,14 @@ block-8:
|
|
|
116c32 |
51: Mov32Imm dst: r0 imm: 1
|
|
|
116c32 |
52: Exit
|
|
|
116c32 |
block-9:
|
|
|
116c32 |
-// tuntap (c, 10, 200, rwm, allow)
|
|
|
116c32 |
+// /dev/pts (c, 136, wildcard, rwm, true)
|
|
|
116c32 |
53: JNEImm dst: r2 off: -1 imm: 2 <block-10>
|
|
|
116c32 |
- 54: JNEImm dst: r4 off: -1 imm: 10 <block-10>
|
|
|
116c32 |
- 55: JNEImm dst: r5 off: -1 imm: 200 <block-10>
|
|
|
116c32 |
- 56: Mov32Imm dst: r0 imm: 1
|
|
|
116c32 |
- 57: Exit
|
|
|
116c32 |
+ 54: JNEImm dst: r4 off: -1 imm: 136 <block-10>
|
|
|
116c32 |
+ 55: Mov32Imm dst: r0 imm: 1
|
|
|
116c32 |
+ 56: Exit
|
|
|
116c32 |
block-10:
|
|
|
116c32 |
-// /dev/pts (c, 136, wildcard, rwm, true)
|
|
|
116c32 |
- 58: JNEImm dst: r2 off: -1 imm: 2 <block-11>
|
|
|
116c32 |
- 59: JNEImm dst: r4 off: -1 imm: 136 <block-11>
|
|
|
116c32 |
- 60: Mov32Imm dst: r0 imm: 1
|
|
|
116c32 |
- 61: Exit
|
|
|
116c32 |
-block-11:
|
|
|
116c32 |
- 62: Mov32Imm dst: r0 imm: 0
|
|
|
116c32 |
- 63: Exit
|
|
|
116c32 |
+ 57: Mov32Imm dst: r0 imm: 0
|
|
|
116c32 |
+ 58: Exit
|
|
|
116c32 |
`
|
|
|
116c32 |
var devices []*devices.Rule
|
|
|
116c32 |
for _, device := range specconv.AllowedDevices {
|
|
|
116c32 |
diff --git a/libcontainer/specconv/spec_linux.go b/libcontainer/specconv/spec_linux.go
|
|
|
116c32 |
index 5ae95c6c18..83c7a2c348 100644
|
|
|
116c32 |
--- a/libcontainer/specconv/spec_linux.go
|
|
|
116c32 |
+++ b/libcontainer/specconv/spec_linux.go
|
|
|
116c32 |
@@ -302,16 +302,6 @@ var AllowedDevices = []*devices.Device{
|
|
|
116c32 |
Allow: true,
|
|
|
116c32 |
},
|
|
|
116c32 |
},
|
|
|
116c32 |
- // tuntap
|
|
|
116c32 |
- {
|
|
|
116c32 |
- Rule: devices.Rule{
|
|
|
116c32 |
- Type: devices.CharDevice,
|
|
|
116c32 |
- Major: 10,
|
|
|
116c32 |
- Minor: 200,
|
|
|
116c32 |
- Permissions: "rwm",
|
|
|
116c32 |
- Allow: true,
|
|
|
116c32 |
- },
|
|
|
116c32 |
- },
|
|
|
116c32 |
}
|
|
|
116c32 |
|
|
|
116c32 |
type CreateOpts struct {
|