提交 b9fb10ec 编写于 作者: jia zhang's avatar jia zhang

rune/libcontainer: Fix implicitly mounting enclave device

The minor device number should not be hard-coded as 58 for
SGX enclave devices.
Signed-off-by: jia zhang's avatarJia Zhang <zhang.jia@linux.alibaba.com>
上级 c7ddc356
......@@ -180,25 +180,6 @@ func Example() *specs.Spec {
Source: "/run/aesmd",
Options: []string{"rbind", "rprivate"},
})
var mode os.FileMode = 0666
spec.Linux.Devices = append(spec.Linux.Devices,
specs.LinuxDevice{
Path: "/dev/isgx",
Type: "c",
Major: 10,
Minor: 58,
FileMode: &mode,
})
var major int64 = 10
var minor int64 = 58
spec.Linux.Resources.Devices = append(spec.Linux.Resources.Devices,
specs.LinuxDeviceCgroup{
Major: &major,
Minor: &minor,
Allow: true,
Type: "c",
Access: "rwm",
})
}
return spec
}
......@@ -21,6 +21,7 @@ import (
"github.com/opencontainers/runc/libcontainer/seccomp"
libcontainerUtils "github.com/opencontainers/runc/libcontainer/utils"
"github.com/opencontainers/runtime-spec/specs-go"
"github.com/sirupsen/logrus"
"golang.org/x/sys/unix"
)
......@@ -340,37 +341,54 @@ func createEnclaveConfig(spec *specs.Spec, config *configs.Config) {
}
}
// Determine whether the file is a character device
func IsChrDev(device *configs.Device) (bool) {
dev, err := devices.DeviceFromPath(device.Path, "rw")
if err == nil {
if dev.Type == 'c' && dev.Major == 10 {
return true
// Determine whether the device is a Intel SGX enclave device
func intelSgxDev(device *configs.Device) (*configs.Device, error) {
dev, err := devices.DeviceFromPath(device.Path, "rwm")
if err != nil {
return nil, err
}
if dev.Type == 'c' && dev.Major == 10 {
return dev, nil
}
return false
return nil, fmt.Errorf("%s is not a SGX enclave device", dev.Path)
}
func createEnclaveDevices(devices []*configs.Device, etype string, fn func(dev configs.Device)) {
func createEnclaveDevices(devs []*configs.Device, etype string, fn func(dev *configs.Device)) {
var configuredDevs []string
// Filter out non-enclave devices
onMatchEnclaveDevice(devices, genEnclavePathTemplate(etype), etype, func(n string, i int) {
// Retrieve the configured enclave devices
onMatchEnclaveDevice(devs, genEnclavePathTemplate(etype), etype, func(n string, i int) {
configuredDevs = append(configuredDevs, n)
})
// Filter out configured enclave devices
if len(configuredDevs) != 0 {
for _, d := range configuredDevs {
dev, err := devices.DeviceFromPath(d, "rwm")
if err != nil {
logrus.Debugf("the configured enclave device %s not exist", dev.Path)
continue
}
logrus.Debugf("the enclave device %s configured", dev.Path)
}
}
// Filter out the configured enclave devices
exclusiveDevs := genEnclaveDeviceTemplate(etype)
onMatchEnclaveDevice(exclusiveDevs, configuredDevs, etype, func(n string, i int) {
exclusiveDevs = append(exclusiveDevs[:i], exclusiveDevs[i+1:]...)
})
// Create default enclave devices
// Create the enclave devices not explicitly specified
for _, d := range exclusiveDevs {
if IsChrDev(d) {
fn(*d)
dev, err := intelSgxDev(d)
if err != nil {
continue
}
fn(dev)
}
}
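Review bot: The debug message in the new configured-device loop dereferences `dev` after `DeviceFromPath` has already failed, so a missing or unreadable node would panic instead of being logged, assuming `DeviceFromPath` returns a nil device alongside its error as it does elsewhere in runc; the path string is already in hand, so use `logrus.Debugf("the configured enclave device %s does not exist", d)`. The `if len(configuredDevs) != 0` guard around that loop is redundant, since ranging over an empty slice is a no-op. At the end of the hunk the error from `intelSgxDev` is dropped with a bare `continue`, which makes a template device that fails the check indistinguishable from one that is absent; `logrus.Debugf("skipping enclave device %s: %v", d.Path, err)` before the `continue` keeps the same behaviour and makes it diagnosable.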
......@@ -391,13 +409,11 @@ func genEnclaveDeviceTemplate(etype string) []*configs.Device {
Type: 'c',
Path: "/dev/isgx",
Major: 10,
Minor: 58,
},
&configs.Device{
Type: 'c',
Path: "/dev/sgx/enclave",
Major: 10,
Minor: 58,
},
}
default:
......@@ -736,10 +752,10 @@ func CreateCgroupConfig(opts *CreateOpts, config *configs.Config) (*configs.Cgro
}
func createEnclaveCgroupConfig(devices *[]*configs.Device, etype string) {
createEnclaveDevices(*devices, etype, func(dev configs.Device) {
createEnclaveDevices(*devices, etype, func(dev *configs.Device) {
dev.Permissions = "rwm"
dev.Allow = true
*devices = append(*devices, &dev)
*devices = append(*devices, dev)
})
}
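Review bot: With the hard-coded minor removed, the only identity check left in `intelSgxDev` (earlier in this commit) is `dev.Type == 'c' && dev.Major == 10`, and major 10 is the Linux misc character-device major shared by many unrelated drivers, so the `rwm` allow rule appended here is granted to whatever misc node happens to sit at `/dev/isgx` or `/dev/sgx/enclave` on the host; the same applies to the 0666 device node created in the createEnclaveDeviceConfig hunk below. That is probably acceptable because the paths come from the fixed template, but it should be stated, e.g. `// The allow rule covers whichever major-10 character device intelSgxDev resolves at the template path; the minor is taken from the host node, not the template.` If the driver offers a stronger way to recognise its node than the misc major, it belongs in intelSgxDev rather than in these callbacks.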
......@@ -867,11 +883,11 @@ func createDevices(spec *specs.Spec, config *configs.Config) error {
}
func createEnclaveDeviceConfig(devices *[]*configs.Device, etype string) {
createEnclaveDevices(*devices, etype, func(dev configs.Device) {
createEnclaveDevices(*devices, etype, func(dev *configs.Device) {
dev.FileMode = 0666
dev.Uid = 0
dev.Gid = 0
*devices = append(*devices, &dev)
*devices = append(*devices, dev)
})
}