runtime-spec icon indicating copy to clipboard operation
runtime-spec copied to clipboard
verified publisher icon opencontainers

config-linux: Deprecate device access denial

Open Werkov opened this issue 2 years ago • 13 comments

Separate allow/deny lists are specific to device controller existing only in cgroup v1. Current semantics for devices that don't match neither allow nor deny is confusing.

cgroup v2 implements access control on the default hierarchy with BPF hooks. Follow the approach of systemd (refer to systemd.resource(5)) with DevicePolicy=strict, i.e. consider all devices denied by default and add only entries for devices that should be allowed.

This will simplify the job for runtimes that use systemd for container cgroup configuration.

For starters, mention that "allow" entries that don't stick to the this approach are deprecated. Next step would be removal of the "allow" attribute and implicit denial on all devices.

Werkov avatar Jul 12 '23 18:07 Werkov

Bump?

Werkov avatar Jan 05 '24 17:01 Werkov

In cgroup v2, runc and other major OCI runtimes has implemented not only systemd but also its original cgroup v2 driver. How about this behavior? As far as I know, it attempts to emulate the cgroup v1's behavior.

utam0k avatar Jan 06 '24 04:01 utam0k