lxc: encode device permission into configuration

Closes: #804 Signed-off-by: N Shengjing Zhu <i@zhsj.me>

lxc: encode device permission into configuration
Closes: #804 Signed-off-by: N Shengjing Zhu <i@zhsj.me>
3d05266c · Shengjing Zhu · 04469cd3 · 3d05266c · 3d05266c · 3d05266c
7 changed file
--- a/src/anbox/cmds/session_manager.cpp
+++ b/src/anbox/cmds/session_manager.cpp
@@ -249,9 +249,9 @@ anbox::cmds::SessionManager::SessionManager()
      };

      container_configuration.devices = {
-        {"/dev/binder"},
-        {"/dev/ashmem"},
-        {"/dev/fuse"},
+        {"/dev/binder", {0666}},
+        {"/dev/ashmem", {0666}},
+        {"/dev/fuse", {0666}},
      };

      dispatcher->dispatch([&]() {

--- a/src/anbox/container/configuration.h
+++ b/src/anbox/container/configuration.h
@@ -20,13 +20,15 @@

 #include <string>
 #include <unordered_map>
-#include <vector>

 namespace anbox {
 namespace container {
+struct DeviceSpecification {
+    uint32_t permission;
+};
 struct Configuration {
  std::unordered_map<std::string, std::string> bind_mounts;
-  std::vector<std::string> devices;
+  std::unordered_map<std::string, DeviceSpecification> devices;
 };
 }  // namespace container
 }  // namespace anbox

--- a/src/anbox/container/lxc_container.cpp
+++ b/src/anbox/container/lxc_container.cpp
@@ -166,7 +166,7 @@ void LxcContainer::setup_network() {
  }
 }

-void LxcContainer::add_device(const std::string& device) {
+void LxcContainer::add_device(const std::string& device, const DeviceSpecification& spec) {
  struct stat st;
  int r = stat(device.c_str(), &st);
  if (r < 0) {
@@ -176,7 +176,7 @@ void LxcContainer::add_device(const std::string& device) {

  const auto major = device_major(st.st_rdev);
  const auto minor = device_minor(st.st_rdev);
-  const auto mode = st.st_mode;
+  const auto mode = ((st.st_mode >> 9) << 9) | (spec.permission & ~(1 << 9));
  const auto new_device_name = fs::basename(device);
  const auto devices_path = fs::path(SystemConfiguration::instance().container_devices_dir());
  const auto new_device_path = (devices_path / new_device_name).string();
@@ -318,13 +318,13 @@ void LxcContainer::start(const Configuration &configuration) {
  auto devices = configuration.devices;

  // Additional devices we need in our container
-  devices.push_back("/dev/console");
-  devices.push_back("/dev/full");
-  devices.push_back("/dev/null");
-  devices.push_back("/dev/random");
-  devices.push_back("/dev/tty");
-  devices.push_back("/dev/urandom");
-  devices.push_back("/dev/zero");
+  devices.insert({"/dev/console", {0600}});
+  devices.insert({"/dev/full", {0666}});
+  devices.insert({"/dev/null", {0666}});
+  devices.insert({"/dev/random", {0666}});
+  devices.insert({"/dev/tty", {0666}});
+  devices.insert({"/dev/urandom", {0666}});
+  devices.insert({"/dev/zero", {0666}});

  // Remove all left over devices from last time first before
  // creating any new ones
@@ -333,7 +333,7 @@ void LxcContainer::start(const Configuration &configuration) {
  fs::create_directories(devices_dir);

  for (const auto& device : devices)
-    add_device(device);
+    add_device(device.first, device.second);

  if (!container_->save_config(container_, nullptr))
    throw std::runtime_error("Failed to save container configuration");

--- a/src/anbox/container/lxc_container.h
+++ b/src/anbox/container/lxc_container.h
@@ -40,7 +40,7 @@ class LxcContainer : public Container {
  void set_config_item(const std::string &key, const std::string &value);
  void setup_id_map();
  void setup_network();
-  void add_device(const std::string& device);
+  void add_device(const std::string& device, const DeviceSpecification& spec);

  State state_;
  lxc_container *container_;

--- a/src/anbox/container/management_api_skeleton.cpp
+++ b/src/anbox/container/management_api_skeleton.cpp
@@ -55,7 +55,7 @@ void ManagementApiSkeleton::start_container(

  for (int n = 0; n < configuration.devices_size(); n++) {
    const auto device = configuration.devices(n);
-    container_configuration.devices.push_back(device);
+    container_configuration.devices.insert({device.path(), {device.permission()}});
  }

  try {

--- a/src/anbox/container/management_api_stub.cpp
+++ b/src/anbox/container/management_api_stub.cpp
@@ -45,13 +45,14 @@ void ManagementApiStub::start_container(const Configuration &configuration) {
    bind_mount_message->set_target(item.second);
  }

-  message.set_allocated_configuration(message_configuration);
-
-  for (const auto &device : configuration.devices) {
-    auto d = message_configuration->add_devices();
-    *d = device;
+  for (const auto &item: configuration.devices) {
+    auto device_message = message_configuration->add_devices();
+    device_message->set_path(item.first);
+    device_message->set_permission(item.second.permission);
  }

+  message.set_allocated_configuration(message_configuration);
+
  {
    std::lock_guard<decltype(mutex_)> lock(mutex_);
    c->wh.expect_result();

--- a/src/anbox/protobuf/anbox_container.proto
+++ b/src/anbox/protobuf/anbox_container.proto
@@ -7,8 +7,12 @@ message Configuration {
        required string source = 1;
        required string target = 2;
    }
+    message Devices {
+        required string path = 1;
+        required uint32 permission = 2;
+    }
    repeated BindMount bind_mounts = 1;
-    repeated string devices = 2;
+    repeated Devices devices = 2;
 }

 message StartContainer {