entitlements: mount loop devices relative to next free device

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2020-01-30 13:47:44 -08:00 · 2020-01-30 13:47:44 -08:00 · 572a2b5718
parent fc186a8b89
commit 572a2b5718
1 changed files with 25 additions and 1 deletions
--- a/util/entitlements/security/security_linux.go
+++ b/util/entitlements/security/security_linux.go
@ -3,10 +3,14 @@ package security
 import (
 	"context"
 	"fmt"
+	"os"

 	"github.com/containerd/containerd/containers"
 	"github.com/containerd/containerd/oci"
 	specs "github.com/opencontainers/runtime-spec/specs-go"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+	"golang.org/x/sys/unix"
 )

 // WithInsecureSpec sets spec with All capability.
@ -122,7 +126,12 @@ func WithInsecureSpec() oci.SpecOpts {
 			},
 		}...)

-		for i := 0; i <= 7; i++ {
+		loopID, err := getFreeLoopID()
+		if err != nil {
+			logrus.Debugf("failed to get next free loop device: %v", err)
+		}
+
+		for i := 0; i <= loopID+7; i++ {
 			s.Linux.Devices = append(s.Linux.Devices, specs.LinuxDevice{
 				Path:  fmt.Sprintf("/dev/loop%d", i),
 				Type:  "b",
@ -134,3 +143,18 @@ func WithInsecureSpec() oci.SpecOpts {
 		return nil
 	}
 }
+
+func getFreeLoopID() (int, error) {
+	fd, err := os.OpenFile("/dev/loop-control", os.O_RDWR, 0644)
+	if err != nil {
+		return 0, err
+	}
+	defer fd.Close()
+
+	const _LOOP_CTL_GET_FREE = 0x4C82
+	r1, _, uerr := unix.Syscall(unix.SYS_IOCTL, fd.Fd(), _LOOP_CTL_GET_FREE, 0)
+	if uerr == 0 {
+		return int(r1), nil
+	}
+	return 0, errors.Errorf("error getting free loop device: %v", uerr)
+}