libcontainer: isolate libcontainer/devices

Move the Device-related types to libcontainer/devices, so that the package can be used in isolation. Aliases have been created in libcontainer/configs for backward compatibility. Signed-off-by: Sebastiaan van Stijn <[email protected]>
opencontainers · Dec 1, 2020 · 677baf2 · 677baf2
1 parent 2b92c25
commit 677baf2
Show file tree

Hide file tree

Showing 20 changed files with 426 additions and 405 deletions.
diff --git a/libcontainer/cgroups/devices/devices_emulator.go b/libcontainer/cgroups/devices/devices_emulator.go
@@ -27,7 +27,7 @@ import (
 	"sort"
 	"strconv"
 
-	"github.com/opencontainers/runc/libcontainer/configs"
+	"github.com/opencontainers/runc/libcontainer/devices"
 
 	"github.com/pkg/errors"
 )
@@ -36,20 +36,20 @@ import (
 // wildcard-type support. It's effectively the "match" portion of a metadata
 // rule, for the purposes of our emulation.
 type deviceMeta struct {
-	node  configs.DeviceType
+	node  devices.DeviceType
 	major int64
 	minor int64
 }
 
 // deviceRule is effectively the tuple (deviceMeta, DevicePermissions).
 type deviceRule struct {
 	meta  deviceMeta
-	perms configs.DevicePermissions
+	perms devices.DevicePermissions
 }
 
 // deviceRules is a mapping of device metadata rules to the associated
 // permissions in the ruleset.
-type deviceRules map[deviceMeta]configs.DevicePermissions
+type deviceRules map[deviceMeta]devices.DevicePermissions
 
 func (r deviceRules) orderedEntries() []deviceRule {
 	var rules []deviceRule
@@ -103,17 +103,17 @@ func parseLine(line string) (*deviceRule, error) {
 		// TODO: Double-check that the entire file is "a *:* rwm".
 		return nil, nil
 	case "b":
-		rule.meta.node = configs.BlockDevice
+		rule.meta.node = devices.BlockDevice
 	case "c":
-		rule.meta.node = configs.CharDevice
+		rule.meta.node = devices.CharDevice
 	default:
 		// Should never happen!
 		return nil, errors.Errorf("unknown device type %q", node)
 	}
 
 	// Parse the major number.
 	if major == "*" {
-		rule.meta.major = configs.Wildcard
+		rule.meta.major = devices.Wildcard
 	} else {
 		val, err := strconv.ParseUint(major, 10, 32)
 		if err != nil {
@@ -124,7 +124,7 @@ func parseLine(line string) (*deviceRule, error) {
 
 	// Parse the minor number.
 	if minor == "*" {
-		rule.meta.minor = configs.Wildcard
+		rule.meta.minor = devices.Wildcard
 	} else {
 		val, err := strconv.ParseUint(minor, 10, 32)
 		if err != nil {
@@ -134,7 +134,7 @@ func parseLine(line string) (*deviceRule, error) {
 	}
 
 	// Parse the access permissions.
-	rule.perms = configs.DevicePermissions(perms)
+	rule.perms = devices.DevicePermissions(perms)
 	if !rule.perms.IsValid() || rule.perms.IsEmpty() {
 		// Should never happen!
 		return nil, errors.Errorf("parse access mode: contained unknown modes or is empty: %q", perms)
@@ -144,7 +144,7 @@ func parseLine(line string) (*deviceRule, error) {
 
 func (e *Emulator) addRule(rule deviceRule) error {
 	if e.rules == nil {
-		e.rules = make(map[deviceMeta]configs.DevicePermissions)
+		e.rules = make(map[deviceMeta]devices.DevicePermissions)
 	}
 
 	// Merge with any pre-existing permissions.
@@ -169,9 +169,9 @@ func (e *Emulator) rmRule(rule deviceRule) error {
 	// to mention it'd be really slow (the kernel side is implemented as a
 	// linked-list of exceptions).
 	for _, partialMeta := range []deviceMeta{
-		{node: rule.meta.node, major: configs.Wildcard, minor: rule.meta.minor},
-		{node: rule.meta.node, major: rule.meta.major, minor: configs.Wildcard},
-		{node: rule.meta.node, major: configs.Wildcard, minor: configs.Wildcard},
+		{node: rule.meta.node, major: devices.Wildcard, minor: rule.meta.minor},
+		{node: rule.meta.node, major: rule.meta.major, minor: devices.Wildcard},
+		{node: rule.meta.node, major: devices.Wildcard, minor: devices.Wildcard},
 	} {
 		// This wildcard rule is equivalent to the requested rule, so skip it.
 		if rule.meta == partialMeta {
@@ -202,7 +202,7 @@ func (e *Emulator) rmRule(rule deviceRule) error {
 func (e *Emulator) allow(rule *deviceRule) error {
 	// This cgroup is configured as a black-list. Reset the entire emulator,
 	// and put is into black-list mode.
-	if rule == nil || rule.meta.node == configs.WildcardDevice {
+	if rule == nil || rule.meta.node == devices.WildcardDevice {
 		*e = Emulator{
 			defaultAllow: true,
 			rules:        nil,
@@ -222,7 +222,7 @@ func (e *Emulator) allow(rule *deviceRule) error {
 func (e *Emulator) deny(rule *deviceRule) error {
 	// This cgroup is configured as a white-list. Reset the entire emulator,
 	// and put is into white-list mode.
-	if rule == nil || rule.meta.node == configs.WildcardDevice {
+	if rule == nil || rule.meta.node == devices.WildcardDevice {
 		*e = Emulator{
 			defaultAllow: false,
 			rules:        nil,
@@ -239,7 +239,7 @@ func (e *Emulator) deny(rule *deviceRule) error {
 	return err
 }
 
-func (e *Emulator) Apply(rule configs.DeviceRule) error {
+func (e *Emulator) Apply(rule devices.DeviceRule) error {
 	if !rule.Type.CanCgroup() {
 		return errors.Errorf("cannot add rule [%#v] with non-cgroup type %q", rule, rule.Type)
 	}
@@ -252,7 +252,7 @@ func (e *Emulator) Apply(rule configs.DeviceRule) error {
 		},
 		perms: rule.Permissions,
 	}
-	if innerRule.meta.node == configs.WildcardDevice {
+	if innerRule.meta.node == devices.WildcardDevice {
 		innerRule = nil
 	}
 
@@ -307,8 +307,8 @@ func EmulatorFromList(list io.Reader) (*Emulator, error) {
 // This function is the sole reason for all of Emulator -- to allow us
 // to figure out how to update a containers' cgroups without causing spurrious
 // device errors (if possible).
-func (source *Emulator) Transition(target *Emulator) ([]*configs.DeviceRule, error) {
-	var transitionRules []*configs.DeviceRule
+func (source *Emulator) Transition(target *Emulator) ([]*devices.DeviceRule, error) {
+	var transitionRules []*devices.DeviceRule
 	oldRules := source.rules
 
 	// If the default policy doesn't match, we need to include a "disruptive"
@@ -319,11 +319,11 @@ func (source *Emulator) Transition(target *Emulator) ([]*configs.DeviceRule, err
 	// deny rules are in place in a black-list cgroup. Thus if the source is a
 	// black-list we also have to include a disruptive rule.
 	if source.IsBlacklist() || source.defaultAllow != target.defaultAllow {
-		transitionRules = append(transitionRules, &configs.DeviceRule{
+		transitionRules = append(transitionRules, &devices.DeviceRule{
 			Type:        'a',
 			Major:       -1,
 			Minor:       -1,
-			Permissions: configs.DevicePermissions("rwm"),
+			Permissions: devices.DevicePermissions("rwm"),
 			Allow:       target.defaultAllow,
 		})
 		// The old rules are only relevant if we aren't starting out with a
@@ -342,7 +342,7 @@ func (source *Emulator) Transition(target *Emulator) ([]*configs.DeviceRule, err
 		newPerms := target.rules[meta]
 		droppedPerms := oldPerms.Difference(newPerms)
 		if !droppedPerms.IsEmpty() {
-			transitionRules = append(transitionRules, &configs.DeviceRule{
+			transitionRules = append(transitionRules, &devices.DeviceRule{
 				Type:        meta.node,
 				Major:       meta.major,
 				Minor:       meta.minor,
@@ -360,7 +360,7 @@ func (source *Emulator) Transition(target *Emulator) ([]*configs.DeviceRule, err
 		oldPerms := oldRules[meta]
 		gainedPerms := newPerms.Difference(oldPerms)
 		if !gainedPerms.IsEmpty() {
-			transitionRules = append(transitionRules, &configs.DeviceRule{
+			transitionRules = append(transitionRules, &devices.DeviceRule{
 				Type:        meta.node,
 				Major:       meta.major,
 				Minor:       meta.minor,