Break down groups into subsystems

Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-18 21:55:06 -07:00 · 2014-04-18 21:55:06 -07:00 · bb89b83c68
commit bb89b83c68
parent 8cc8aca9cc
9 changed files with 247 additions and 172 deletions
--- a/cgroups/fs/devices.go
+++ b/cgroups/fs/devices.go
@ -0,0 +1,61 @@
+package fs
+
+import (
+	"os"
+)
+
+type devicesGroup struct {
+}
+
+func (s *devicesGroup) Set(d *data) error {
+	dir, err := d.join("devices")
+	if err != nil {
+		return err
+	}
+	defer func() {
+		if err != nil {
+			os.RemoveAll(dir)
+		}
+	}()
+
+	if !d.c.DeviceAccess {
+		if err := writeFile(dir, "devices.deny", "a"); err != nil {
+			return err
+		}
+
+		allow := []string{
+			// allow mknod for any device
+			"c *:* m",
+			"b *:* m",
+
+			// /dev/null, zero, full
+			"c 1:3 rwm",
+			"c 1:5 rwm",
+			"c 1:7 rwm",
+
+			// consoles
+			"c 5:1 rwm",
+			"c 5:0 rwm",
+			"c 4:0 rwm",
+			"c 4:1 rwm",
+
+			// /dev/urandom,/dev/random
+			"c 1:9 rwm",
+			"c 1:8 rwm",
+
+			// /dev/pts/ - pts namespaces are "coming soon"
+			"c 136:* rwm",
+			"c 5:2 rwm",
+
+			// tuntap
+			"c 10:200 rwm",
+		}
+
+		for _, val := range allow {
+			if err := writeFile(dir, "devices.allow", val); err != nil {
+				return err
+			}
+		}
+	}
+	return nil
+}