
Allow access to all devices for nested warden

1 parent e833b9b commit be58d88dfc7a9ec046c643c4f9934be6e6182275 David Sabeti and Pieter Noordhuis committed
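--- a/warden/lib/warden/container/linux.rb
+++ b/warden/lib/warden/container/linux.rb
@@ -82,6 +82,7 @@ def env
 "network_netmask" => self.class.network_pool.pooled_netmask.to_human,
 "user_uid" => uid,
 "rootfs_path" => container_rootfs_path,
+"allow_nested_warden" => Server.config.allow_nested_warden?.to_s,
 }
 env
 end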
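Review bot: The new `allow_nested_warden` entry is stringified with `.to_s` and, per the other files in this commit, later compared against the literal string `"true"` by the skeleton hook, so the contract between this hash and the shell side is implicit. A comment on the added line such as `# consumed by skeleton/setup.sh and hook-parent-after-clone.sh; the string "true" disables device-cgroup isolation for the container` would make the security consequence visible where the value originates. The `env` method begins above the hunk.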
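--- a/warden/root/linux/skeleton/lib/hook-parent-after-clone.sh
+++ b/warden/root/linux/skeleton/lib/hook-parent-after-clone.sh
@@ -24,22 +24,28 @@ do
 if [ $(basename $system_path) == "devices" ]
 then
-# disallow everything, allow explicitly
-echo a > $instance_path/devices.deny
-# /dev/null
-echo "c 1:3 rw" > $instance_path/devices.allow
-# /dev/zero
-echo "c 1:5 rw" > $instance_path/devices.allow
-# /dev/random
-echo "c 1:8 rw" > $instance_path/devices.allow
-# /dev/urandom
-echo "c 1:9 rw" > $instance_path/devices.allow
-# /dev/tty
-echo "c 5:0 rw" > $instance_path/devices.allow
-# /dev/ptmx
-echo "c 5:2 rw" > $instance_path/devices.allow
-# /dev/pts/*
-echo "c 136:* rw" > $instance_path/devices.allow
+if [ $allow_nested_warden == "true" ]
+then
+# Allow everything
+echo "a *:* rw" > $instance_path/devices.allow
+else
+# Deny everything, allow explicitly
+echo a > $instance_path/devices.deny
+# /dev/null
+echo "c 1:3 rw" > $instance_path/devices.allow
+# /dev/zero
+echo "c 1:5 rw" > $instance_path/devices.allow
+# /dev/random
+echo "c 1:8 rw" > $instance_path/devices.allow
+# /dev/urandom
+echo "c 1:9 rw" > $instance_path/devices.allow
+# /dev/tty
+echo "c 5:0 rw" > $instance_path/devices.allow
+# /dev/ptmx
+echo "c 5:2 rw" > $instance_path/devices.allow
+# /dev/pts/*
+echo "c 136:* rw" > $instance_path/devices.allow
+fi
 fi
 echo $PID > $instance_path/tasks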
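Review bot: `echo "a *:* rw" > $instance_path/devices.allow` in the new `true` branch grants the container read/write on every host character and block device, which removes the one isolation layer the `else` branch carefully builds; the comment `# Allow everything` should state that, e.g. `# Nested warden needs its own device whitelist: this disables device-cgroup isolation for the container entirely, so only enable it for trusted workloads`. No `devices.deny` is written in that branch, so the cgroup keeps whatever whitelist it inherited from its parent (if the parent is unrestricted that is `a *:* rwm`, mknod included), which likely makes the explicit allow line a no-op and the branch looser than the comment suggests — worth confirming whether `m` is intended. The test `[ $allow_nested_warden == "true" ]` expands the variable unquoted, so an empty or unset value yields a syntax error in `[` rather than falling through to the deny branch; write it as `if [ "$allow_nested_warden" = "true" ]`. The enclosing `do` loop starts before this hunk.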
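--- a/warden/root/linux/skeleton/setup.sh
+++ b/warden/root/linux/skeleton/setup.sh
@@ -18,6 +18,7 @@ network_container_ip=${network_container_ip:-10.0.0.2}
 network_container_iface="w-${id}-1"
 user_uid=${user_uid:-10000}
 rootfs_path=$(readlink -f $rootfs_path)
+allow_nested_warden=${allow_nested_warden:-false}
 # Write configuration
 cat > etc/config <<-EOS
@@ -29,6 +30,7 @@ network_container_ip=$network_container_ip
 network_container_iface=$network_container_iface
 user_uid=$user_uid
 rootfs_path=$rootfs_path
+allow_nested_warden=$allow_nested_warden
 EOS
 setup_fs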
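Review bot: `allow_nested_warden=${allow_nested_warden:-false}` only supplies a default and never validates the value, so anything other than the literal `true`/`false` is written verbatim into `etc/config` by the second hunk and later consumed by a plain string comparison in the hook. Since this single variable can disable device isolation for the container, it is worth failing fast at the point of entry: `case "$allow_nested_warden" in true|false) ;; *) echo "allow_nested_warden must be true or false" >&2; exit 1 ;; esac` placed right after the default assignment. The unquoted heredoc also means the value is expanded into the config file as-is, so the validation doubles as protection against unexpected content from the environment.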
