From 82d59974b5fcb0abfa2f488801e7d9ed2f93a718 Mon Sep 17 00:00:00 2001
From: Li Feng <lifeng2221dd1@zoho.com.cn>
Date: Sat, 30 Jan 2021 14:22:16 +0800
Subject: [PATCH 21/53] spec: add verify for device cgroup access mode
Signed-off-by: Li Feng <lifeng2221dd1@zoho.com.cn>
---
src/daemon/modules/spec/verify.c | 27 +++++++++++++++++++++++++++
src/utils/cutils/utils_verify.c | 26 ++++++++++++++++++++++++--
2 files changed, 51 insertions(+), 2 deletions(-)
diff --git a/src/daemon/modules/spec/verify.c b/src/daemon/modules/spec/verify.c
index 053a57b3..a3156579 100644
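--- a/src/daemon/modules/spec/verify.c
+++ b/src/daemon/modules/spec/verify.c
@@ -1064,6 +1064,26 @@ static int adapt_resources_memory(const sysinfo_t *sysinfo, defs_resources_memor
 return adapt_memory_swap(sysinfo, &(memory->limit), &(memory->swap));
 }
 
+/* verify resources device */
+static int verify_resources_device(defs_resources *resources)
+{
+ int ret = 0;
+ size_t i = 0;
+
+ for (i = 0; i < resources->devices_len; i++) {
+ if (!util_valid_device_mode(resources->devices[i]->access)) {
+ ERROR("Invalid device mode \"%s\" for device \"%ld %ld\"", resources->devices[i]->access,
+ resources->devices[i]->major, resources->devices[i]->minor);
+ isulad_set_error_message("Invalid device mode \"%s\" for device \"%ld %ld\"", resources->devices[i]->access,
+ resources->devices[i]->major, resources->devices[i]->minor);
+ ret = -1;
+ goto out;
+ }
+ }
+out:
+ return ret;
+}
+
 /* verify linux resources */
 static int verify_linux_resources(const sysinfo_t *sysinfo, defs_resources *resources)
 {
@@ -1104,6 +1124,13 @@ static int verify_linux_resources(const sysinfo_t *sysinfo, defs_resources *reso
 goto out;
 }
 }
+ // device
+ if (resources->devices != NULL) {
+ ret = verify_resources_device(resources);
+ if (ret != 0) {
+ goto out;
+ }
+ }
 out:
 return ret;
 }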
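Review bot: In `verify_resources_device`, an entry whose `access` is NULL is rejected by `util_valid_device_mode` (it returns false for NULL), and that same NULL pointer is then passed to `%s` in both `ERROR` and `isulad_set_error_message`, which is undefined behaviour for printf-style formatting. The loop also dereferences `resources->devices[i]` without checking the element for NULL. I would bind the element once, reject a NULL element, and format a safe string, e.g. `const char *access = dev->access != NULL ? dev->access : "";`, and decide explicitly whether a rule with no access string should be an error at all. `%ld` for `major`/`minor` is only correct if those fields are `long`; their declaration is not in this diff, so if they are `int64_t` the specifier should be `PRId64`.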
diff --git a/src/utils/cutils/utils_verify.c b/src/utils/cutils/utils_verify.c
index 5a18e664..58191685 100644
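--- a/src/utils/cutils/utils_verify.c
+++ b/src/utils/cutils/utils_verify.c
@@ -184,14 +184,36 @@ bool util_validate_socket(const char *socket)
 bool util_valid_device_mode(const char *mode)
 {
 size_t i = 0;
+ int r_count = 0;
+ int w_count = 0;
+ int m_count = 0;
 
 if (mode == NULL || !strcmp(mode, "")) {
 return false;
 }
 
 for (i = 0; i < strlen(mode); i++) {
- if (mode[i] != 'r' && mode[i] != 'w' && mode[i] != 'm') {
- return false;
+ switch (mode[i]) {
+ case 'r':
+ if (r_count != 0) {
+ return false;
+ }
+ r_count++;
+ break;
+ case 'w':
+ if (w_count != 0) {
+ return false;
+ }
+ w_count++;
+ break;
+ case 'm':
+ if (m_count != 0) {
+ return false;
+ }
+ m_count++;
+ break;
+ default:
+ return false;
 }
 }
 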
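Review bot: `util_valid_device_mode` now rejects a repeated letter, but nothing in the function states that rule, and the three `int` counters are only ever compared with zero. A comment above the loop such as `/* each of 'r', 'w', 'm' may appear at most once, in any order */` would record which access strings are allowed through to the device cgroup, and `bool` flags would say what the counters mean. `strlen(mode)` is also re-evaluated in the loop condition; `for (i = 0; mode[i] != '\0'; i++)` avoids that. The function's closing lines are outside this hunk, and any other callers of this helper (not visible here) inherit the stricter check.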
--
2.25.1