From cba2eef566668709a6ce34714be7ba695ac07a47 Mon Sep 17 00:00:00 2001
From: Kevin Wallace
Date: Sun, 1 Dec 2013 15:27:24 -0800
Subject: [PATCH] Allow non-privileged containers to create device nodes.

Such nodes could already be created by importing a tarball to a container; now they can be created from within the container itself. This gives non-privileged containers the mknod kernel capability, and modifies their cgroup settings to allow creation of *any* node, not just whitelisted ones. Use of such nodes is still controlled by the existing cgroup whitelist.

Docker-DCO-1.1-Signed-off-by: Kevin Wallace (github: kevinwallace)
---
 cgroups/apply_raw.go | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/cgroups/apply_raw.go b/cgroups/apply_raw.go
index 5fe3179..220f08f 100644
--- a/cgroups/apply_raw.go
+++ b/cgroups/apply_raw.go
@@ -95,6 +95,10 @@ func (raw *rawCgroup) setupDevices(c *Cgroup, pid int) (err error) {
 }
 allow := []string{
+ // allow mknod for any device
+ "c *:* m",
+ "b *:* m",
+
 // /dev/null, zero, full
 "c 1:3 rwm",
 "c 1:5 rwm",