devices

Documentation

Index

• type Emulator
  • func EmulatorFromList(list io.Reader) (*Emulator, error)
  • func (e *Emulator) Apply(rule devices.Rule) error
  • func (e *Emulator) IsAllowAll() bool
  • func (e *Emulator) IsBlacklist() bool
  • func (e *Emulator) Rules() ([]*devices.Rule, error)
  • func (source *Emulator) Transition(target *Emulator) ([]*devices.Rule, error)

Types

type Emulator

type Emulator struct {
	// contains filtered or unexported fields
}

func EmulatorFromList

func EmulatorFromList(list io.Reader) (*Emulator, error)

EmulatorFromList takes a reader to a "devices.list"-like source, and returns a new Emulator that represents the state of the devices cgroup. Note that black-list devices cgroups cannot be fully reconstructed, due to limitations in the devices cgroup API. Instead, such cgroups are always treated as "allow all" cgroups.

func (*Emulator) Apply

func (e *Emulator) Apply(rule devices.Rule) error

func (*Emulator) IsAllowAll

func (e *Emulator) IsAllowAll() bool

func (*Emulator) IsBlacklist

func (e *Emulator) IsBlacklist() bool

func (*Emulator) Rules

func (e *Emulator) Rules() ([]*devices.Rule, error)

Rules returns the minimum set of rules necessary to convert a *deny-all* cgroup to the emulated filter state (note that this is not the same as a default cgroupv1 cgroup -- which is allow-all). This is effectively just a wrapper around Transition() with the source emulator being an empty cgroup.

func (*Emulator) Transition

func (source *Emulator) Transition(target *Emulator) ([]*devices.Rule, error)

Transition calculates what is the minimally-disruptive set of rules need to be applied to a devices cgroup in order to transition to the given target. This means that any already-existing rules will not be applied, and disruptive rules (like denying all device access) will only be applied if necessary.

This function is the sole reason for all of Emulator -- to allow us to figure out how to update a containers' cgroups without causing spurious device errors (if possible).