[lxc-devel] [lxc/master] Allow full path in lxc.devices.allow
aeris on Github
lxc-bot at linuxcontainers.org
Wed Jul 19 15:35:01 UTC 2017
From 6d35f4fd1de5d0cd1a47bef68f10efe739dd4a97 Mon Sep 17 00:00:00 2001
From: aeris <aeris at imirhil.fr>
Date: Wed, 19 Jul 2017 17:21:24 +0200
Subject: [PATCH] Allow full path in lxc.devices.allow
Some devices like LVM or cryptsetup entries have no stable major/minor, changing between host reboots.
In this case, hardcoded numbers are not usable in config file and there is currently no way to use hook with lxc-device to do the link at guest startup :
* `pre-start`/`autodev` hook runs in host context but has the guest in stopped state and so lxc-device not usable
* `start` hook is in running state but runs in guest context and so lxc-device not available
This patch converts a full path given in lxc.devices.allow to the device's current major/minor numbers, so that the rule still matches after those numbers change.
Signed-off-by: aeris <aeris at imirhil.fr>
---
src/lxc/cgroups/cgfsng.c | 53 ++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 53 insertions(+)
diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c
index 1192d575f..fb388d908 100644
--- a/src/lxc/cgroups/cgfsng.c
+++ b/src/lxc/cgroups/cgfsng.c
@@ -47,6 +47,9 @@
#include <unistd.h>
#include <sys/types.h>
+#include <linux/types.h>
+#include <linux/kdev_t.h>
+
#include "bdev.h"
#include "cgroup.h"
#include "commands.h"
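Review bot: `MAJOR()`/`MINOR()` from `<linux/kdev_t.h>` are the wrong decoders for the `st_rdev` that the second hunk reads from `stat()`. Outside the kernel that header defines them with the old 8-bit split (`(dev) >> 8`, `(dev) & 0xff`), while glibc packs `dev_t` differently. For a device-mapper node with a minor above 255, which is the LVM/cryptsetup case this patch targets, the numbers written to `devices.allow` would name a different device than the one at the path. Include `<sys/sysmacros.h>` here instead and use `major(sb.st_rdev)` / `minor(sb.st_rdev)` at the `snprintf` call.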
@@ -1927,12 +1930,62 @@ static int lxc_cgroup_set_data(const char *filename, const char *value, struct c
char *subsystem = NULL, *p;
int ret = -1;
struct hierarchy *h;
+ char converted_value[50];
subsystem = alloca(strlen(filename) + 1);
strcpy(subsystem, filename);
if ((p = strchr(subsystem, '.')) != NULL)
*p = '\0';
+ if (strcmp("devices.allow", filename) == 0 && value[0] == '/') {
+ char *saveptr = NULL;
+ size_t n_parts = 0;
+ char *to_split = strdup(value);
+ while (strtok_r(n_parts ? NULL : to_split, " ", &saveptr) != NULL) {
+ ++n_parts;
+ }
+ free(to_split);
+
+ if (n_parts == 2) {
+ char **parts = malloc(sizeof(char*) * n_parts);
+ char *to_split = strdup(value);
+ size_t i;
+ for (i = 0; i < n_parts; ++i) {
+ char *part = strtok_r(i ? NULL : to_split, " ", &saveptr);
+ parts[i] = strdup(part);
+ }
+ free(to_split);
+
+ const char *path = parts[0];
+ const char *mode = parts[1];
+
+ struct stat sb;
+ stat(path, &sb);
+ dev_t dev = sb.st_rdev;
+
+ char type = 0;
+ switch (sb.st_mode & S_IFMT) {
+ case S_IFBLK:
+ type = 'b';
+ break;
+ case S_IFCHR:
+ type = 'c';
+ break;
+ }
+
+ if (!snprintf(converted_value, 50, "%c %lu:%lu %s", type,
+ MAJOR(dev), MINOR(dev), mode)) {
+ }
+
+ for (i = 0; i < n_parts; ++i) {
+ free(parts[i]);
+ }
+ free(parts);
+ }
+ } else {
+ strcpy(converted_value, value);
+ }
+
h = get_hierarchy(subsystem);
if (h) {
char *fullpath = must_make_path(h->fullcgpath, filename, NULL);
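Review bot: The `else` branch runs `strcpy(converted_value, value)` for every cgroup key, so any configured value of 50 bytes or more overflows the 50-byte stack buffer; nothing in the hunk bounds `value`. In the device branch the `stat()` result is never checked, a path that is neither a block nor a character device leaves `type` at 0, a value that does not split into exactly two parts leaves `converted_value` uninitialised, and the `snprintf` check has an empty body, so a garbage or wrong device rule can be formed from a bad path. No visible line consumes `converted_value`, and the diffstat shows insertions only, so the write further down in `lxc_cgroup_set_data` (outside the hunk) presumably still passes `value`. The sketch below fails closed on each of those cases and repoints `value` at the converted string instead of copying it.

```c
	char converted_value[50];
	/* … unchanged: subsystem = alloca(...), split at '.' … */
	if (strcmp("devices.allow", filename) == 0 && value[0] == '/') {
		const char *mode = strchr(value, ' ');
		char *path;
		struct stat sb;
		char type;
		int len;

		/* Require exactly "<path> <mode>". */
		if (!mode || mode[1] == '\0' || strchr(mode + 1, ' '))
			return -1;

		path = strndup(value, mode - value);
		if (!path)
			return -1;
		if (stat(path, &sb) < 0) {
			free(path);
			return -1;
		}
		free(path);

		if (S_ISBLK(sb.st_mode))
			type = 'b';
		else if (S_ISCHR(sb.st_mode))
			type = 'c';
		else
			return -1; /* not a device node: write no rule */

		len = snprintf(converted_value, sizeof(converted_value),
			       "%c %lu:%lu %s", type,
			       (unsigned long)MAJOR(sb.st_rdev),
			       (unsigned long)MINOR(sb.st_rdev), mode + 1);
		if (len < 0 || (size_t)len >= sizeof(converted_value))
			return -1;
		value = converted_value;
	}
	/* … unchanged: h = get_hierarchy(subsystem) … */
```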