drivers/exec: restrict devices exposed to tasks

We ultimately decided to provide a limited set of devices in exec/java drivers instead of all of host ones. Pre-0.9, we made all host devices available to exec tasks accidentally, yet most applications only use a small subset, and this choice limits our ability to restrict/isolate GPU and other devices. Starting with 0.9, by default, we only provide the same subset of devices Docker provides, and allow users to provide more devices as needed on case-by-case basis. This reverts commit 5805c64a9f1c3b409693493dfa30e7136b9f547b. This reverts commit ff9a4a17e59388dcab067949e0664f645b2f5bcf.
2019-01-06 17:02:43 -05:00 · 2019-01-06 17:02:43 -05:00 · 8797a4f0ea
parent c13dc7f110
commit 8797a4f0ea
1 changed files with 25 additions and 5 deletions
--- a/drivers/shared/executor/executor_linux.go
+++ b/drivers/shared/executor/executor_linux.go
@ -506,9 +506,7 @@ func configureIsolation(cfg *lconfigs.Config, command *ExecCommand) error {
 		"/proc/sys", "/proc/sysrq-trigger", "/proc/irq", "/proc/bus",
 	}

-	// we bind-mount /dev to preserve pre-0.9 behavior; so avoid setting up individual devices
-	cfg.Devices = []*lconfigs.Device{}
-
+	cfg.Devices = lconfigs.DefaultAutoCreatedDevices
 	if len(command.Devices) > 0 {
 		devs, err := cmdDevices(command.Devices)
 		if err != nil {
@ -519,9 +517,11 @@ func configureIsolation(cfg *lconfigs.Config, command *ExecCommand) error {

 	cfg.Mounts = []*lconfigs.Mount{
 		{
-			Source:      "dev",
+			Source:      "tmpfs",
 			Destination: "/dev",
-			Device:      "devtmpfs",
+			Device:      "tmpfs",
+			Flags:       syscall.MS_NOSUID | syscall.MS_STRICTATIME,
+			Data:        "mode=755",
 		},
 		{
 			Source:      "proc",
@ -529,6 +529,26 @@ func configureIsolation(cfg *lconfigs.Config, command *ExecCommand) error {
 			Device:      "proc",
 			Flags:       defaultMountFlags,
 		},
+		{
+			Source:      "devpts",
+			Destination: "/dev/pts",
+			Device:      "devpts",
+			Flags:       syscall.MS_NOSUID | syscall.MS_NOEXEC,
+			Data:        "newinstance,ptmxmode=0666,mode=0620,gid=5",
+		},
+		{
+			Device:      "tmpfs",
+			Source:      "shm",
+			Destination: "/dev/shm",
+			Data:        "mode=1777,size=65536k",
+			Flags:       defaultMountFlags,
+		},
+		{
+			Source:      "mqueue",
+			Destination: "/dev/mqueue",
+			Device:      "mqueue",
+			Flags:       defaultMountFlags,
+		},
 		{
 			Source:      "sysfs",
 			Destination: "/sys",