From 82d59974b5fcb0abfa2f488801e7d9ed2f93a718 Mon Sep 17 00:00:00 2001
From: Li Feng
Date: Sat, 30 Jan 2021 14:22:16 +0800
Subject: [PATCH 21/53] spec: add verify for device cgroup access mode
Signed-off-by: Li Feng
---
 src/daemon/modules/spec/verify.c | 27 +++++++++++++++++++++++++++
 src/utils/cutils/utils_verify.c | 26 ++++++++++++++++++++++++--
 2 files changed, 51 insertions(+), 2 deletions(-)
diff --git a/src/daemon/modules/spec/verify.c b/src/daemon/modules/spec/verify.c
index 053a57b3..a3156579 100644
--- a/src/daemon/modules/spec/verify.c
+++ b/src/daemon/modules/spec/verify.c
@@ -1064,6 +1064,26 @@ static int adapt_resources_memory(const sysinfo_t *sysinfo, defs_resources_memor
 return adapt_memory_swap(sysinfo, &(memory->limit), &(memory->swap));
 }
+/* verify resources device */
+static int verify_resources_device(defs_resources *resources)
+{
+ int ret = 0;
+ size_t i = 0;
+
+ for (i = 0; i < resources->devices_len; i++) {
+ if (!util_valid_device_mode(resources->devices[i]->access)) {
+ ERROR("Invalid device mode \"%s\" for device \"%ld %ld\"", resources->devices[i]->access,
+ resources->devices[i]->major, resources->devices[i]->minor);
+ isulad_set_error_message("Invalid device mode \"%s\" for device \"%ld %ld\"", resources->devices[i]->access,
+ resources->devices[i]->major, resources->devices[i]->minor);
+ ret = -1;
+ goto out;
+ }
+ }
+out:
+ return ret;
+}
+
 /* verify linux resources */
 static int verify_linux_resources(const sysinfo_t *sysinfo, defs_resources *resources)
 {
@@ -1104,6 +1124,13 @@ static int verify_linux_resources(const sysinfo_t *sysinfo, defs_resources *reso
 goto out;
 }
 }
+ // device
+ if (resources->devices != NULL) {
+ ret = verify_resources_device(resources);
+ if (ret != 0) {
+ goto out;
+ }
+ }
 out:
 return ret;
 }
diff --git a/src/utils/cutils/utils_verify.c b/src/utils/cutils/utils_verify.c
index 5a18e664..58191685 100644
--- a/src/utils/cutils/utils_verify.c
+++ b/src/utils/cutils/utils_verify.c
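Review bot: In `verify_resources_device` the rejection path passes `resources->devices[i]->access` to `%s`, yet one way to reach that path is `access == NULL` (`util_valid_device_mode` returns false for NULL), and a NULL argument to `%s` is undefined behaviour if `ERROR` and `isulad_set_error_message` are printf-style, as their format strings suggest. The element `resources->devices[i]` is also dereferenced without a NULL check, so a malformed device entry in the spec would crash the verifier rather than be rejected cleanly. I would add `if (resources->devices[i] == NULL) { ret = -1; goto out; }` at the top of the loop body and format `resources->devices[i]->access != NULL ? resources->devices[i]->access : ""` instead of the raw pointer. The `%ld` conversions are only correct if `major` and `minor` are `long`; their declaration is outside this diff, so if they are `int64_t` the format should use `PRId64`.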
@@ -184,14 +184,36 @@ bool util_validate_socket(const char *socket)
 bool util_valid_device_mode(const char *mode)
 {
 size_t i = 0;
+ int r_count = 0;
+ int w_count = 0;
+ int m_count = 0;
 if (mode == NULL || !strcmp(mode, "")) {
 return false;
 }
 for (i = 0; i < strlen(mode); i++) {
- if (mode[i] != 'r' && mode[i] != 'w' && mode[i] != 'm') {
- return false;
+ switch (mode[i]) {
+ case 'r':
+ if (r_count != 0) {
+ return false;
+ }
+ r_count++;
+ break;
+ case 'w':
+ if (w_count != 0) {
+ return false;
+ }
+ w_count++;
+ break;
+ case 'm':
+ if (m_count != 0) {
+ return false;
+ }
+ m_count++;
+ break;
+ default:
+ return false;
 }
 }
-- 
2.25.1
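Review bot: The three `int` counters in `util_valid_device_mode` only ever record whether a letter has been seen, and the three `case` arms are copies of one another, so the "each of r/w/m at most once" rule is spelled out three times and a later edit to one arm can drift from the others. A single `seen` bitmask tested once after the `switch` states the rule in one place, as in the fence below. The loop condition `i < strlen(mode)` (a context line, so it predates this change) rescans the string on every iteration, which walking to the terminator avoids. A short comment above the function would document the accepted grammar for callers, e.g. `/* valid: non-empty, only 'r', 'w', 'm', each at most once, any order */`. The function's final return and closing brace lie outside the hunk.

```c
bool util_valid_device_mode(const char *mode)
{
    unsigned int seen = 0;
    const char *p = NULL;

    /* … unchanged: NULL / empty-string rejection … */

    for (p = mode; *p != '\0'; p++) {
        unsigned int bit = 0;

        switch (*p) {
            case 'r':
                bit = 1U << 0;
                break;
            case 'w':
                bit = 1U << 1;
                break;
            case 'm':
                bit = 1U << 2;
                break;
            default:
                return false;
        }
        /* each of r/w/m may appear at most once */
        if ((seen & bit) != 0) {
            return false;
        }
        seen |= bit;
    }
    /* … unchanged: remainder of the function, outside the hunk … */
```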