implement setdevperm

This patch implements the still-missing setdevperm for upstream
Linux containers.

We currently live in a situation where devices are unrestricted
inside the container. In order to restrict accesses to devices, we'll
use the device cgroup. By default, we give the container a restrictive
set of enabled devices, mostly comprised of /dev/zero, /dev/null,
/dev/console, and pts.

With that in place, it makes sense to also enable the setdevperms
operation, which will allow the admin to change the devices in the
container, and how they are viewed.

[ v2: mknod permissions at startup, removed a race pointed out by avagin ]

Signed-off-by: Glauber Costa <glommer@parallels.com>
3 files changed