// Copyright The libcontainer authors
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

// gpl: Copied from: https://github.com/opencontainers/runc/blob/1f9e36c055b4eb97c38f8aae6ee50ca534962f77/libcontainer/specconv/spec_linux.go#L192
package specconv

import "github.com/opencontainers/runc/libcontainer/devices"

// AllowedDevices is the set of devices which are automatically included for
// all containers.
//
// # XXX (cyphar)
//
// This behaviour is at the very least "questionable" (if not outright
// wrong) according to the runtime-spec.
//
// Yes, we have to include certain devices other than the ones the user
// specifies, but several devices listed here are not part of the spec
// (including "mknod for any device"?!). In addition, these rules are
// appended to the user-provided set which means that users *cannot disable
// this behaviour*.
//
// ... unfortunately I'm too scared to change this now because who knows how
// many people depend on this (incorrect and arguably insecure) behaviour.
//
// # Security notes (review)
//
// What this list grants, read directly from the rules below:
//
//   - Two wildcard rules (Major and Minor both devices.Wildcard) allow "m"
//     (mknod) for every character device and every block device. They carry
//     no Path, so no node is created for them; they only widen the device
//     policy. NOTE(review): "m" on its own should not permit opening the
//     node - read/write access is still gated by "r"/"w" rules - but confirm
//     this holds for the devices-cgroup implementation actually in use
//     (cgroup v1 controller vs. the eBPF-based v2 path) before relying on it.
//   - Six named nodes (/dev/null, /dev/random, /dev/full, /dev/tty,
//     /dev/zero, /dev/urandom) are created with FileMode 0o666, owned by
//     uid 0 / gid 0, and allowed "rwm". Note that /dev/random and
//     /dev/urandom are writable, not just readable, by any container process.
//   - Char major 136 with a wildcard Minor ("/dev/pts/") is allowed "rwm".
//     Because the minor is a wildcard, the policy is not scoped to the
//     container's own devpts instance - every pts number is in policy.
//   - Char 5:2 is allowed "rwm" (conventionally /dev/ptmx on Linux; confirm
//     against the kernel's devices.txt for the target kernel).
//   - Char 10:200 ("tuntap") is allowed "rwm". Presumably this is the
//     /dev/net/tun node; whether a process can actually create tun/tap
//     interfaces through it additionally depends on capabilities and
//     network-namespace setup, which this file does not control.
//
// Because these rules are appended after the user-supplied rules, a workload
// that needs a stricter device policy must enforce it elsewhere (e.g. via
// capability bounding, seccomp, or a separate policy layer). Removing an
// entry here changes behaviour for every container and is deliberately not
// done in this copy; see the note above.
var AllowedDevices = []*devices.Device{
	// allow mknod for any device
	//
	// NOTE(review): no Path, so nothing is created in /dev - this is purely
	// a policy rule, and it matches every major/minor number.
	{
		Rule: devices.Rule{
			Type:        devices.CharDevice,
			Major:       devices.Wildcard,
			Minor:       devices.Wildcard,
			Permissions: "m",
			Allow:       true,
		},
	},
	{
		Rule: devices.Rule{
			Type:        devices.BlockDevice,
			Major:       devices.Wildcard,
			Minor:       devices.Wildcard,
			Permissions: "m",
			Allow:       true,
		},
	},
	// The entries below have a Path and so are created as device nodes
	// (mode 0o666, root-owned) in addition to being allowed "rwm".
	{
		Path:     "/dev/null",
		FileMode: 0o666,
		Uid:      0,
		Gid:      0,
		Rule: devices.Rule{
			Type:        devices.CharDevice,
			Major:       1,
			Minor:       3,
			Permissions: "rwm",
			Allow:       true,
		},
	},
	{
		Path:     "/dev/random",
		FileMode: 0o666,
		Uid:      0,
		Gid:      0,
		Rule: devices.Rule{
			Type:        devices.CharDevice,
			Major:       1,
			Minor:       8,
			Permissions: "rwm", // writable, not read-only
			Allow:       true,
		},
	},
	{
		Path:     "/dev/full",
		FileMode: 0o666,
		Uid:      0,
		Gid:      0,
		Rule: devices.Rule{
			Type:        devices.CharDevice,
			Major:       1,
			Minor:       7,
			Permissions: "rwm",
			Allow:       true,
		},
	},
	{
		Path:     "/dev/tty",
		FileMode: 0o666,
		Uid:      0,
		Gid:      0,
		Rule: devices.Rule{
			Type:        devices.CharDevice,
			Major:       5,
			Minor:       0,
			Permissions: "rwm",
			Allow:       true,
		},
	},
	{
		Path:     "/dev/zero",
		FileMode: 0o666,
		Uid:      0,
		Gid:      0,
		Rule: devices.Rule{
			Type:        devices.CharDevice,
			Major:       1,
			Minor:       5,
			Permissions: "rwm",
			Allow:       true,
		},
	},
	{
		Path:     "/dev/urandom",
		FileMode: 0o666,
		Uid:      0,
		Gid:      0,
		Rule: devices.Rule{
			Type:        devices.CharDevice,
			Major:       1,
			Minor:       9,
			Permissions: "rwm", // writable, not read-only
			Allow:       true,
		},
	},
	// /dev/pts/ - pts namespaces are "coming soon"
	//
	// NOTE(review): wildcard minor - every pty under major 136 is in policy,
	// not only the ones backing this container's devpts mount.
	{
		Rule: devices.Rule{
			Type:        devices.CharDevice,
			Major:       136,
			Minor:       devices.Wildcard,
			Permissions: "rwm",
			Allow:       true,
		},
	},
	// 5:2 - conventionally /dev/ptmx on Linux (confirm against devices.txt).
	{
		Rule: devices.Rule{
			Type:        devices.CharDevice,
			Major:       5,
			Minor:       2,
			Permissions: "rwm",
			Allow:       true,
		},
	},
	// tuntap
	//
	// NOTE(review): policy-only rule (no Path); whether tun/tap interfaces
	// can actually be created also depends on capabilities and netns setup.
	{
		Rule: devices.Rule{
			Type:        devices.CharDevice,
			Major:       10,
			Minor:       200,
			Permissions: "rwm",
			Allow:       true,
		},
	},
}