rune/libcontainer: Fix implicitly mounting enclave device

The minor device number should not be hard-coded with 58 for SGX enclave devices. Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>

rune/libcontainer: Fix implicitly mounting enclave device
The minor device number should not be hard-coded with 58 for SGX enclave devices. Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
b9fb10ec · jia zhang · c7ddc356 · b9fb10ec · b9fb10ec
显示空白变更内容
内联并排

Showing with 37 addition and 40 deletion

rune/libcontainer/specconv/example.go rune/libcontainer/specconv/example.go +0 -19

rune/libcontainer/specconv/spec_linux.go rune/libcontainer/specconv/spec_linux.go +37 -21

未找到文件。
--- a/rune/libcontainer/specconv/example.go
+++ b/rune/libcontainer/specconv/example.go
@@ -180,25 +180,6 @@ func Example() *specs.Spec {
 				Source:      "/run/aesmd",
 				Options:     []string{"rbind", "rprivate"},
 			})
-		var mode os.FileMode = 0666
-		spec.Linux.Devices = append(spec.Linux.Devices,
-			specs.LinuxDevice{
-				Path:     "/dev/isgx",
-				Type:     "c",
-				Major:    10,
-				Minor:    58,
-				FileMode: &mode,
-			})
-		var major int64 = 10
-		var minor int64 = 58
-		spec.Linux.Resources.Devices = append(spec.Linux.Resources.Devices,
-			specs.LinuxDeviceCgroup{
-				Major:  &major,
-				Minor:  &minor,
-				Allow:  true,
-				Type:   "c",
-				Access: "rwm",
-			})
 	}
 	return spec
 }

--- a/rune/libcontainer/specconv/spec_linux.go
+++ b/rune/libcontainer/specconv/spec_linux.go
@@ -21,6 +21,7 @@ import (
 	"github.com/opencontainers/runc/libcontainer/seccomp"
 	libcontainerUtils "github.com/opencontainers/runc/libcontainer/utils"
 	"github.com/opencontainers/runtime-spec/specs-go"
+	"github.com/sirupsen/logrus"
 	"golang.org/x/sys/unix"
 )
@@ -340,37 +341,54 @@ func createEnclaveConfig(spec *specs.Spec, config *configs.Config) {
 	}
 }
-// Determine whether the file is a character device
+// Determine whether the device is a Intel SGX enclave device
-func IsChrDev(device *configs.Device) (bool) {
+func intelSgxDev(device *configs.Device) (*configs.Device, error) {
-	dev, err := devices.DeviceFromPath(device.Path, "rw")
+	dev, err := devices.DeviceFromPath(device.Path, "rwm")
-	if err == nil {
+	if err != nil {
-		if dev.Type == 'c' && dev.Major == 10 {
+		return nil, err
-			return true
 	}
+	if dev.Type == 'c' && dev.Major == 10 {
+		return dev, nil
 	}
-	return false
+	return nil, fmt.Errorf("%s is not a SGX enclave device", dev.Path)
 }
-func createEnclaveDevices(devices []*configs.Device, etype string, fn func(dev configs.Device)) {
+func createEnclaveDevices(devs []*configs.Device, etype string, fn func(dev *configs.Device)) {
 	var configuredDevs []string
-	// Filter out non-enclave devices
+	// Retrieve the configured enclave devices
-	onMatchEnclaveDevice(devices, genEnclavePathTemplate(etype), etype, func(n string, i int) {
+	onMatchEnclaveDevice(devs, genEnclavePathTemplate(etype), etype, func(n string, i int) {
 		configuredDevs = append(configuredDevs, n)
 	})
-	// Filter out configured enclave devices
+	if len(configuredDevs) != 0 {
+		for _, d := range configuredDevs {
+			dev, err := devices.DeviceFromPath(d, "rwm")
+			if err != nil {
+				logrus.Debugf("the configured enclave device %s not exist", dev.Path)
+				continue
+			}
+			logrus.Debugf("the enclave device %s configured", dev.Path)
+		}
+	}
+	// Filter out the configured enclave devices
 	exclusiveDevs := genEnclaveDeviceTemplate(etype)
 	onMatchEnclaveDevice(exclusiveDevs, configuredDevs, etype, func(n string, i int) {
 		exclusiveDevs = append(exclusiveDevs[:i], exclusiveDevs[i+1:]...)
 	})
-	// Create default enclave devices
+	// Create the enclave devices not explicitly specified
 	for _, d := range exclusiveDevs {
-		if IsChrDev(d) {
+		dev, err := intelSgxDev(d)
-			fn(*d)
+		if err != nil {
+			continue
 		}
+		fn(dev)
 	}
 }
@@ -391,13 +409,11 @@ func genEnclaveDeviceTemplate(etype string) []*configs.Device {
 				Type:  'c',
 				Path:  "/dev/isgx",
 				Major: 10,
-				Minor: 58,
 			},
 			&configs.Device{
 				Type:  'c',
 				Path:  "/dev/sgx/enclave",
 				Major: 10,
-				Minor: 58,
 			},
 		}
 	default:
@@ -736,10 +752,10 @@ func CreateCgroupConfig(opts *CreateOpts, config *configs.Config) (*configs.Cgro
 }
 func createEnclaveCgroupConfig(devices *[]*configs.Device, etype string) {
-	createEnclaveDevices(*devices, etype, func(dev configs.Device) {
+	createEnclaveDevices(*devices, etype, func(dev *configs.Device) {
 		dev.Permissions = "rwm"
 		dev.Allow = true
-		*devices = append(*devices, &dev)
+		*devices = append(*devices, dev)
 	})
 }
@@ -867,11 +883,11 @@ func createDevices(spec *specs.Spec, config *configs.Config) error {
 }
 func createEnclaveDeviceConfig(devices *[]*configs.Device, etype string) {
-	createEnclaveDevices(*devices, etype, func(dev configs.Device) {
+	createEnclaveDevices(*devices, etype, func(dev *configs.Device) {
 		dev.FileMode = 0666
 		dev.Uid = 0
 		dev.Gid = 0
-		*devices = append(*devices, &dev)
+		*devices = append(*devices, dev)
 	})
 }