Allow non-privileged containers to create device nodes.

Such nodes could already be created by importing a tarball to a container; now they can be created from within the container itself. This gives non-privileged containers the mknod kernel capability, and modifies their cgroup settings to allow creation of *any* node, not just whitelisted ones. Use of such nodes is still controlled by the existing cgroup whitelist. Docker-DCO-1.1-Signed-off-by: Kevin Wallace <kevin@pentabarf.net> (github: kevinwallace)
2013-12-01 15:27:24 -08:00 · 2013-12-01 15:27:24 -08:00 · cba2eef566
commit cba2eef566
parent 534990bda9
1 changed files with 4 additions and 0 deletions
--- a/cgroups/apply_raw.go
+++ b/cgroups/apply_raw.go
@ -95,6 +95,10 @@ func (raw *rawCgroup) setupDevices(c *Cgroup, pid int) (err error) {
 		}

 		allow := []string{
+			// allow mknod for any device
+			"c *:* m",
+			"b *:* m",
+
 			// /dev/null, zero, full
 			"c 1:3 rwm",
 			"c 1:5 rwm",