...

Package specconv

import "github.com/opencontainers/runc/libcontainer/specconv"
Overview

Package specconv implements conversion of specifications to libcontainer configurations

Variables

AllowedDevices is the set of devices which are automatically included for all containers.

XXX (cyphar)

This behaviour is at the very least "questionable" (if not outright wrong) according to the runtime-spec.

Yes, we have to include certain devices other than the ones the user specifies, but several devices listed here are not part of the spec (including "mknod for any device"?!). In addition, these rules are appended to the user-provided set which means that users *cannot disable this behaviour*.

... unfortunately I'm too scared to change this now because who knows how many people depend on this (incorrect and arguably insecure) behaviour.

var AllowedDevices = []*devices.Device{
    // Allow mknod for any character or block device. These two wildcard
    // rules grant only "m" (mknod), not read or write access, but they are
    // not required by the runtime-spec.
    {
        Rule: devices.Rule{
            Type:        devices.CharDevice,
            Major:       devices.Wildcard,
            Minor:       devices.Wildcard,
            Permissions: "m",
            Allow:       true,
        },
    },
    {
        Rule: devices.Rule{
            Type:        devices.BlockDevice,
            Major:       devices.Wildcard,
            Minor:       devices.Wildcard,
            Permissions: "m",
            Allow:       true,
        },
    },
    // The standard device nodes created under /dev for every container,
    // each with a matching read/write/mknod cgroup rule.
    {
        Path:     "/dev/null",
        FileMode: 0o666,
        Uid:      0,
        Gid:      0,
        Rule: devices.Rule{
            Type:        devices.CharDevice,
            Major:       1,
            Minor:       3,
            Permissions: "rwm",
            Allow:       true,
        },
    },
    {
        Path:     "/dev/random",
        FileMode: 0o666,
        Uid:      0,
        Gid:      0,
        Rule: devices.Rule{
            Type:        devices.CharDevice,
            Major:       1,
            Minor:       8,
            Permissions: "rwm",
            Allow:       true,
        },
    },
    {
        Path:     "/dev/full",
        FileMode: 0o666,
        Uid:      0,
        Gid:      0,
        Rule: devices.Rule{
            Type:        devices.CharDevice,
            Major:       1,
            Minor:       7,
            Permissions: "rwm",
            Allow:       true,
        },
    },
    {
        Path:     "/dev/tty",
        FileMode: 0o666,
        Uid:      0,
        Gid:      0,
        Rule: devices.Rule{
            Type:        devices.CharDevice,
            Major:       5,
            Minor:       0,
            Permissions: "rwm",
            Allow:       true,
        },
    },
    {
        Path:     "/dev/zero",
        FileMode: 0o666,
        Uid:      0,
        Gid:      0,
        Rule: devices.Rule{
            Type:        devices.CharDevice,
            Major:       1,
            Minor:       5,
            Permissions: "rwm",
            Allow:       true,
        },
    },
    {
        Path:     "/dev/urandom",
        FileMode: 0o666,
        Uid:      0,
        Gid:      0,
        Rule: devices.Rule{
            Type:        devices.CharDevice,
            Major:       1,
            Minor:       9,
            Permissions: "rwm",
            Allow:       true,
        },
    },
    // /dev/pts/* (pseudo-terminal slaves, major 136): cgroup rule only,
    // no Path, so no device node is created for it.
    {
        Rule: devices.Rule{
            Type:        devices.CharDevice,
            Major:       136,
            Minor:       devices.Wildcard,
            Permissions: "rwm",
            Allow:       true,
        },
    },
    // /dev/ptmx (5:2): cgroup rule only.
    {
        Rule: devices.Rule{
            Type:        devices.CharDevice,
            Major:       5,
            Minor:       2,
            Permissions: "rwm",
            Allow:       true,
        },
    },
    // /dev/net/tun (10:200): cgroup rule only. Note that this grants every
    // container access to the TUN/TAP device whether or not the spec asks for it.
    {
        Rule: devices.Rule{
            Type:        devices.CharDevice,
            Major:       10,
            Minor:       200,
            Permissions: "rwm",
            Allow:       true,
        },
    },
}
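The doc comment above says the user "cannot disable this behaviour" because the rules are appended after the user's own. The following stdlib-only Go model, added here as an illustration and not code from runc, shows why: it emulates a cgroup v1 device whitelist (a default policy plus an ordered list of exceptions, with the kernel's rule that a request may not ask for more permission bits than an exception grants) and applies a constructed spec's rules first and the defaults second. The Rule type, the Wildcard constant and the Whitelist emulator are stand-ins assumed for this example, not runc's devices package; AllowedDeviceRules transcribes the Rule fields of the list above.

```go
package main

import (
	"fmt"
	"strings"
)

// Wildcard stands in for devices.Wildcard; an assumed constant, not imported from runc.
const Wildcard int64 = -1

// Rule is a stand-in for the fields of runc's devices.Rule used by AllowedDevices.
type Rule struct {
	Type        byte   // 'c' (char), 'b' (block) or 'a' (all devices)
	Major       int64  // Wildcard or a specific major
	Minor       int64  // Wildcard or a specific minor
	Permissions string // any subset of "rwm"
	Allow       bool
}

// Whitelist is a simplified model of the cgroup v1 devices controller: a
// default policy plus an ordered list of exceptions. It is not runc's emulator.
type Whitelist struct {
	DefaultAllow bool
	Exceptions   []Rule
}

// Apply processes one rule the way the kernel processes a write to
// devices.allow or devices.deny: type 'a' resets the policy and clears all
// exceptions; a rule of the opposite sense to the default adds an exception;
// a rule of the same sense removes a matching exception.
func (w *Whitelist) Apply(r Rule) {
	if r.Type == 'a' {
		w.DefaultAllow = r.Allow
		w.Exceptions = nil
		return
	}
	if r.Allow != w.DefaultAllow {
		w.Exceptions = append(w.Exceptions, r)
		return
	}
	// Same sense as the default: drop a matching exception. (The kernel strips
	// only the named permission bits; dropping the whole exception is a
	// simplification that does not change the scenario below.)
	kept := w.Exceptions[:0]
	for _, ex := range w.Exceptions {
		if ex.Type != r.Type || ex.Major != r.Major || ex.Minor != r.Minor {
			kept = append(kept, ex)
		}
	}
	w.Exceptions = kept
}

// matches mirrors the kernel's match_exception: type and (possibly wildcard)
// major/minor must agree, and the request may not ask for more bits than the
// exception grants, so "rw" does not match an "m"-only exception.
func matches(ex Rule, devType byte, major, minor int64, perms string) bool {
	if ex.Type != devType || (ex.Major != Wildcard && ex.Major != major) ||
		(ex.Minor != Wildcard && ex.Minor != minor) {
		return false
	}
	for _, c := range perms {
		if !strings.ContainsRune(ex.Permissions, c) {
			return false
		}
	}
	return true
}

// CanAccess reports whether perms on the given device would be permitted.
func (w *Whitelist) CanAccess(devType byte, major, minor int64, perms string) bool {
	for _, ex := range w.Exceptions {
		if matches(ex, devType, major, minor, perms) {
			return !w.DefaultAllow // a matching exception inverts the default
		}
	}
	return w.DefaultAllow
}

// AllowedDeviceRules transcribes the Rule fields of the AllowedDevices list above.
func AllowedDeviceRules() []Rule {
	return []Rule{
		{'c', Wildcard, Wildcard, "m", true}, // mknod any char device
		{'b', Wildcard, Wildcard, "m", true}, // mknod any block device
		{'c', 1, 3, "rwm", true},             // /dev/null
		{'c', 1, 8, "rwm", true},             // /dev/random
		{'c', 1, 7, "rwm", true},             // /dev/full
		{'c', 5, 0, "rwm", true},             // /dev/tty
		{'c', 1, 5, "rwm", true},             // /dev/zero
		{'c', 1, 9, "rwm", true},             // /dev/urandom
		{'c', 136, Wildcard, "rwm", true},    // /dev/pts/*
		{'c', 5, 2, "rwm", true},             // /dev/ptmx
		{'c', 10, 200, "rwm", true},          // /dev/net/tun
	}
}

// BuildWhitelist starts from a fresh cgroup (allow all), applies the user's
// rules, then the defaults, mirroring the append order the doc comment describes.
func BuildWhitelist(user, defaults []Rule) *Whitelist {
	w := &Whitelist{DefaultAllow: true}
	for _, r := range user {
		w.Apply(r)
	}
	for _, r := range defaults {
		w.Apply(r)
	}
	return w
}

func main() {
	// Constructed spec: deny every device, and deny /dev/net/tun explicitly.
	user := []Rule{
		{Type: 'a', Allow: false},
		{Type: 'c', Major: 10, Minor: 200, Permissions: "rwm", Allow: false},
	}
	w := BuildWhitelist(user, AllowedDeviceRules())
	fmt.Println("/dev/net/tun rw:", w.CanAccess('c', 10, 200, "rw")) // true
	fmt.Println("mknod c 4:1 m:  ", w.CanAccess('c', 4, 1, "m"))     // true
	fmt.Println("/dev/sda r:     ", w.CanAccess('b', 8, 0, "r"))     // false
}
```

Even with an explicit deny for 10:200 in the spec, the appended allow rule re-adds the exception, so the container keeps access to /dev/net/tun and may mknod any character device; only devices the defaults never mention (here /dev/sda) stay blocked. The model follows the v1 controller's ordered semantics; runc's own emulator and its cgroup v2 eBPF filter differ in detail, but the append order is what makes the user's rules lose.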

func CreateCgroupConfig

func CreateCgroupConfig(opts *CreateOpts, defaultDevs []*devices.Device) (*configs.Cgroup, error)

func CreateLibcontainerConfig

func CreateLibcontainerConfig(opts *CreateOpts) (*configs.Config, error)

CreateLibcontainerConfig creates a new libcontainer configuration from a given specification and a cgroup name

func Example

func Example() *specs.Spec

Example returns an example spec file, with many options set so a user can see what a standard spec file looks like.

func KnownMountOptions

func KnownMountOptions() []string

KnownMountOptions returns the list of the known mount options. Used by `runc features`.

func KnownNamespaces

func KnownNamespaces() []string

KnownNamespaces returns the list of the known namespaces. Used by `runc features`.

func SetupSeccomp

func SetupSeccomp(config *specs.LinuxSeccomp) (*configs.Seccomp, error)

func ToRootless

func ToRootless(spec *specs.Spec)

ToRootless converts the given spec file into one that should work with rootless containers (euid != 0), by removing incompatible options and adding others that are needed.

type CreateOpts

type CreateOpts struct {
    CgroupName       string
    UseSystemdCgroup bool
    NoPivotRoot      bool
    NoNewKeyring     bool
    Spec             *specs.Spec
    RootlessEUID     bool
    RootlessCgroups  bool
}