vbatts/mod_hello
1
0
Fork 0
Code Issues Pull requests Releases Activity

document the device permissions

Browse source
This commit is contained in:
Vincent Batts 2017-11-05 20:51:37 -05:00
parent 45eeea4c68
commit 42a4d8e62b
4 changed files with 273 additions and 2556 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

28
README.md
View file

@ -33,20 +33,38 @@ $> sudo dmesg | tail -1
### Container ### Container
Running ioctl's inside containers is a little tricky.
Assuming we've already `insmod` the module above: Assuming we've already `insmod` the module above:
```shell ```shell
sudo docker run -it --rm -v $(pwd)/helloctl/helloctl:/usr/bin/helloctl:ro -v /dev/helloctl:/dev/helloctl:ro fedora /usr/bin/helloctl sudo docker run -it --rm -v $(pwd)/helloctl/helloctl:/usr/bin/helloctl:ro --device /dev/helloctl fedora /usr/bin/helloctl
``` ```
You'll get a failure `Could not open /dev/helloctl` Now `dmesg | tail` will reflect the command ran successfully, but at the sake of running an non-isolated container.
### runc
Determining major/minor for setting permissions requires inserting the module, then collecting the major/minor device, and putting that to a runc `config.json`.
```shell ```shell
sudo docker run -it --rm -v $(pwd)/helloctl/helloctl:/usr/bin/helloctl:ro -v /dev/helloctl:/dev/helloctl:ro --privileged fedora /usr/bin/helloctl $> stat -c "%t %T" /dev/helloctl
a 39
$> echo "$((16#$(stat -c "%t" /dev/helloctl )))"
10
$> echo "$((16#$(stat -c "%T" /dev/helloctl )))"
57
``` ```
Now `dmesg | tail` will reflect the command ran successfully. Now in the `config.json`, under `linux.resources.devices`, that array, it needs the following with the major/minor integers from your `/dev/helloctl`:
```json
{
"allow": true,
"type": "c",
"major": 10,
"minor": 57,
"access": "rwm"
},
```
### cleanup ### cleanup

243
config-eperm.json
View file

@ -1,243 +0,0 @@
{
"ociVersion": "1.0.0-rc2-dev",
"platform": {
"os": "linux",
"arch": "amd64"
},
"process": {
"terminal": true,
"consoleSize": {
"height": 0,
"width": 0
},
"user": {
"uid": 0,
"gid": 0
},
"args": [
"/usr/bin/strace", "/usr/bin/helloctl"
],
"env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"HOSTNAME=helloctl",
"TERM=xterm",
"DISTTAG=f26container",
"FGC=f26"
],
"cwd": "/",
"capabilities": [
"CAP_CHOWN",
"CAP_DAC_OVERRIDE",
"CAP_FSETID",
"CAP_FOWNER",
"CAP_MKNOD",
"CAP_NET_RAW",
"CAP_SETGID",
"CAP_SETUID",
"CAP_SETFCAP",
"CAP_SETPCAP",
"CAP_NET_BIND_SERVICE",
"CAP_SYS_CHROOT",
"CAP_KILL",
"CAP_AUDIT_WRITE",
"CAP_SYS_PTRACE"
]
},
"root": {
"path": "./rootfs/"
},
"hostname": "helloctl",
"mounts": [
{
"destination": "/proc",
"type": "proc",
"source": "proc",
"options": [
"nosuid",
"noexec",
"nodev"
]
},
{
"destination": "/dev",
"type": "tmpfs",
"source": "tmpfs",
"options": [
"nosuid",
"strictatime",
"mode=755"
]
},
{
"destination": "/dev/pts",
"type": "devpts",
"source": "devpts",
"options": [
"nosuid",
"noexec",
"newinstance",
"ptmxmode=0666",
"mode=0620",
"gid=5"
]
},
{
"destination": "/sys",
"type": "sysfs",
"source": "sysfs",
"options": [
"nosuid",
"noexec",
"nodev",
"ro"
]
},
{
"destination": "/sys/fs/cgroup",
"type": "cgroup",
"source": "cgroup",
"options": [
"ro",
"nosuid",
"noexec",
"nodev"
]
},
{
"destination": "/dev/mqueue",
"type": "mqueue",
"source": "mqueue",
"options": [
"nosuid",
"noexec",
"nodev"
]
},
{
"destination": "/dev/helloctl",
"type": "bind",
"source": "/dev/helloctl",
"options": [
"rbind",
"ro",
"rprivate"
]
},
{
"destination": "/usr/bin/helloctl",
"type": "bind",
"source": "./helloctl/helloctl",
"options": [
"rbind",
"ro",
"rprivate"
]
}
],
"hooks": {
"prestart": [ ],
"poststop": [ ]
},
"linux": {
"resources": {
"devices": [
{
"allow": false,
"access": "rwm"
},
{
"allow": true,
"type": "c",
"major": 1,
"minor": 5,
"access": "rwm"
},
{
"allow": true,
"type": "c",
"major": 1,
"minor": 3,
"access": "rwm"
},
{
"allow": true,
"type": "c",
"major": 1,
"minor": 9,
"access": "rwm"
},
{
"allow": true,
"type": "c",
"major": 1,
"minor": 8,
"access": "rwm"
},
{
"allow": true,
"type": "c",
"major": 5,
"minor": 0,
"access": "rwm"
},
{
"allow": true,
"type": "c",
"major": 5,
"minor": 1,
"access": "rwm"
},
{
"allow": false,
"type": "c",
"major": 10,
"minor": 229,
"access": "rwm"
}
],
"disableOOMKiller": false,
"oomScoreAdj": 0,
"cpu": {},
"pids": {
"limit": 0
},
"blockIO": {
"blkioWeight": 0
}
},
"cgroupsPath": "system.slice:docker:8ad3dfde3644481046eace9cd586600f0416d3c43b4b9f4cc161c470859c0e17",
"namespaces": [
{
"type": "mount"
},
{
"type": "network"
},
{
"type": "uts"
},
{
"type": "pid"
},
{
"type": "ipc"
}
],
"maskedPaths": [
"/proc/kcore",
"/proc/latency_stats",
"/proc/timer_list",
"/proc/timer_stats",
"/proc/sched_debug",
"/sys/firmware"
],
"readonlyPaths": [
"/proc/asound",
"/proc/bus",
"/proc/fs",
"/proc/irq",
"/proc/sys",
"/proc/sysrq-trigger"
]
}
}

2307
config-privileged.json
View file

File diff suppressed because it is too large Load diff

1
config.json
View file

@ -1 +0,0 @@
config-eperm.json

250
config.json Normal file
View file

@ -0,0 +1,250 @@
{
"ociVersion": "1.0.0-rc2-dev",
"platform": {
"os": "linux",
"arch": "amd64"
},
"process": {
"terminal": true,
"consoleSize": {
"height": 0,
"width": 0
},
"user": {
"uid": 0,
"gid": 0
},
"args": [
"/usr/bin/helloctl"
],
"env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"HOSTNAME=helloctl",
"TERM=xterm",
"DISTTAG=f26container",
"FGC=f26"
],
"cwd": "/",
"capabilities": [
"CAP_CHOWN",
"CAP_DAC_OVERRIDE",
"CAP_FSETID",
"CAP_FOWNER",
"CAP_MKNOD",
"CAP_NET_RAW",
"CAP_SETGID",
"CAP_SETUID",
"CAP_SETFCAP",
"CAP_SETPCAP",
"CAP_NET_BIND_SERVICE",
"CAP_SYS_CHROOT",
"CAP_KILL",
"CAP_AUDIT_WRITE",
"CAP_SYS_PTRACE"
]
},
"root": {
"path": "./rootfs/"
},
"hostname": "helloctl",
"mounts": [
{
"destination": "/proc",
"type": "proc",
"source": "proc",
"options": [
"nosuid",
"noexec",
"nodev"
]
},
{
"destination": "/dev",
"type": "tmpfs",
"source": "tmpfs",
"options": [
"nosuid",
"strictatime",
"mode=755"
]
},
{
"destination": "/dev/pts",
"type": "devpts",
"source": "devpts",
"options": [
"nosuid",
"noexec",
"newinstance",
"ptmxmode=0666",
"mode=0620",
"gid=5"
]
},
{
"destination": "/sys",
"type": "sysfs",
"source": "sysfs",
"options": [
"nosuid",
"noexec",
"nodev",
"ro"
]
},
{
"destination": "/sys/fs/cgroup",
"type": "cgroup",
"source": "cgroup",
"options": [
"ro",
"nosuid",
"noexec",
"nodev"
]
},
{
"destination": "/dev/mqueue",
"type": "mqueue",
"source": "mqueue",
"options": [
"nosuid",
"noexec",
"nodev"
]
},
{
"destination": "/dev/helloctl",
"type": "bind",
"source": "/dev/helloctl",
"options": [
"rbind",
"ro",
"rprivate"
]
},
{
"destination": "/usr/bin/helloctl",
"type": "bind",
"source": "./helloctl/helloctl",
"options": [
"rbind",
"ro",
"rprivate"
]
}
],
"hooks": {
"prestart": [ ],
"poststop": [ ]
},
"linux": {
"resources": {
"devices": [
{
"allow": false,
"access": "rwm"
},
{
"allow": true,
"type": "c",
"major": 1,
"minor": 5,
"access": "rwm"
},
{
"allow": true,
"type": "c",
"major": 1,
"minor": 3,
"access": "rwm"
},
{
"allow": true,
"type": "c",
"major": 1,
"minor": 9,
"access": "rwm"
},
{
"allow": true,
"type": "c",
"major": 1,
"minor": 8,
"access": "rwm"
},
{
"allow": true,
"type": "c",
"major": 5,
"minor": 0,
"access": "rwm"
},
{
"allow": true,
"type": "c",
"major": 5,
"minor": 1,
"access": "rwm"
},
{
"allow": true,
"type": "c",
"major": 10,
"minor": 57,
"access": "rwm"
},
{
"allow": false,
"type": "c",
"major": 10,
"minor": 229,
"access": "rwm"
}
],
"disableOOMKiller": false,
"oomScoreAdj": 0,
"cpu": {},
"pids": {
"limit": 0
},
"blockIO": {
"blkioWeight": 0
}
},
"cgroupsPath": "system.slice:docker:8ad3dfde3644481046eace9cd586600f0416d3c43b4b9f4cc161c470859c0e17",
"namespaces": [
{
"type": "mount"
},
{
"type": "network"
},
{
"type": "uts"
},
{
"type": "pid"
},
{
"type": "ipc"
}
],
"maskedPaths": [
"/proc/kcore",
"/proc/latency_stats",
"/proc/timer_list",
"/proc/timer_stats",
"/proc/sched_debug",
"/sys/firmware"
],
"readonlyPaths": [
"/proc/asound",
"/proc/bus",
"/proc/fs",
"/proc/irq",
"/proc/sys",
"/proc/sysrq-trigger"
]
}
}