// Copyright (c) 2022 Gitpod GmbH. All rights reserved.
// Licensed under the GNU Affero General Public License (AGPL).
// See License.AGPL.txt in the project root for license information.
package cgroup
import (
"context"
"path/filepath"
"github.com/opencontainers/runc/libcontainer/cgroups/ebpf"
"github.com/opencontainers/runc/libcontainer/cgroups/ebpf/devicefilter"
"github.com/opencontainers/runc/libcontainer/devices"
"golang.org/x/sys/unix"
"golang.org/x/xerrors"
"github.com/gitpod-io/gitpod/common-go/log"
"github.com/gitpod-io/gitpod/ws-daemon/pkg/libcontainer/specconv"
)
// fuseDeviceMajor is the major number of the FUSE character device
// (/dev/fuse sits under the "misc" major, 10). Declared as int64 because
// it is assigned straight into devices.Rule.Major.
var fuseDeviceMajor int64 = 10

// fuseDeviceMinor is the minor number of /dev/fuse; it is assigned straight
// into devices.Rule.Minor.
var fuseDeviceMinor int64 = 229
// FuseDeviceEnablerV2 is the cgroup v2 variant of the FUSE device plugin. Its
// Apply attaches an eBPF device filter to a workspace cgroup that allows
// /dev/fuse on top of the default device list. The type carries no state, so
// the zero value is ready to use.
type FuseDeviceEnablerV2 struct{}
// Name returns the plugin's identifier.
func (c *FuseDeviceEnablerV2) Name() string {
	return "fuse-device-enabler-v2"
}
// Type reports the cgroup hierarchy version this plugin targets: cgroup v2.
func (c *FuseDeviceEnablerV2) Type() Version {
	return Version2
}
// Apply generates the device filter from composeDeviceRules and attaches it as
// an eBPF program to the cgroup at opts.BasePath/opts.CgroupPath.
//
// A workspace opts out by carrying the annotation "gitpod.io/fuse-device"
// with the value "false"; Apply then returns nil without touching the cgroup,
// so this plugin installs no device filter at all for it — not even the
// deny-all wildcard rule. Any device restriction for such a workspace has to
// come from elsewhere.
//
// ctx is accepted for the plugin interface but not consumed: neither the
// open nor the attach call is cancellable. Errors from opening the cgroup
// directory, generating the filter and attaching it are wrapped with %w.
func (c *FuseDeviceEnablerV2) Apply(ctx context.Context, opts *PluginOptions) error {
	// A missing annotation yields "", which is not the opt-out value.
	if opts.Annotations["gitpod.io/fuse-device"] == "false" {
		return nil
	}

	// NOTE(review): CgroupPath is joined under BasePath without checking that
	// the result stays inside BasePath — fine as long as it always originates
	// from the runtime; confirm it is never user-influenced.
	cgroupDir := filepath.Join(opts.BasePath, opts.CgroupPath)
	log.WithField("cgroupPath", cgroupDir).Debug("configuring devices")

	// The eBPF program is attached through a directory fd of the cgroup.
	// O_CLOEXEC keeps the fd from leaking into child processes; the mode is
	// irrelevant without O_CREAT.
	dirFD, err := unix.Open(cgroupDir, unix.O_DIRECTORY|unix.O_RDONLY|unix.O_CLOEXEC, 0600)
	if err != nil {
		return xerrors.Errorf("cannot get directory fd for %s: %w", cgroupDir, err)
	}
	defer unix.Close(dirFD)

	program, lic, err := devicefilter.DeviceFilter(composeDeviceRules())
	if err != nil {
		return xerrors.Errorf("failed to generate device filter: %w", err)
	}

	// The first return value (a closer) is deliberately dropped: the filter is
	// meant to stay attached for the cgroup's lifetime.
	// NOTE(review): what that closer detaches or releases is defined by the
	// runc ebpf package, not visible here — confirm nothing needs releasing.
	if _, err = ebpf.LoadAttachCgroupDeviceFilter(program, lic, dirFD); err != nil {
		return xerrors.Errorf("failed to attach cgroup device filter: %w", err)
	}
	return nil
}
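// composeDeviceRules builds the ordered rule list handed to
// devicefilter.DeviceFilter: a wildcard deny-all first, then an allow for the
// FUSE character device (fuseDeviceMajor:fuseDeviceMinor, i.e. /dev/fuse),
// followed by the Rule of every device in specconv.AllowedDevices. How
// overlapping rules are resolved is decided by devicefilter, not here.
//
// The slice is pre-sized to its final length (two fixed rules plus one per
// allowed device) instead of growing from zero capacity.
func composeDeviceRules() []*devices.Rule {
	// Default-deny: every device type, for read, write and mknod.
	denyAll := devices.Rule{
		Type:        'a',
		Permissions: "rwm",
		Allow:       false,
	}

	// The one device this plugin exists to expose.
	allowFuse := devices.Rule{
		Type:        'c',
		Major:       fuseDeviceMajor,
		Minor:       fuseDeviceMinor,
		Permissions: "rwm",
		Allow:       true,
	}

	deviceRules := make([]*devices.Rule, 0, len(specconv.AllowedDevices)+2)
	deviceRules = append(deviceRules, &denyAll, &allowFuse)
	for _, device := range specconv.AllowedDevices {
		// NOTE(review): this assumes AllowedDevices holds pointers, so that
		// &device.Rule addresses the shared element rather than the loop
		// variable. If it were a value slice, on Go < 1.22 every appended
		// pointer would alias the same per-iteration copy — confirm.
		deviceRules = append(deviceRules, &device.Rule)
	}

	return deviceRules
}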