make the path that is allowed to use /dev/zvol configurable via command-line parameter

Author: hannesm

daemon/albatrossd.ml

@@ -220,11 +220,12 @@ let write_reply name fd txt (hdr, cmd) =
 
 let m = conn_metrics "unix"
 
-let jump _ systemd influx tmpdir dbdir no_drop =
+let jump _ systemd influx tmpdir dbdir no_drop dev_zvol =
   Sys.(set_signal sigpipe Signal_ignore);
   Albatross_cli.set_tmpdir tmpdir;
   Albatross_cli.set_dbdir dbdir;
   Vmm_unix.drop_path := not no_drop;
+  state := Vmm_vmmd.allow_dev_zvol !state dev_zvol;
   state := Vmm_vmmd.init_block_devices !state;
   (match Vmm_unix.check_commands () with
    | Error `Msg m -> invalid_arg m
@@ -331,6 +332,15 @@ let no_drop_path =
   let doc = "Do not drop unikernel path for --name (use --name=path:hello instead of --name=hello)" in
   Arg.(value & flag & info [ "no-drop-path" ] ~doc)
 
+let path_c =
+  Arg.conv
+    (Name.Path.of_string,
+     fun ppf p -> Name.pp ppf (Name.make_of_path p))
+
+let allow_dev_zvol =
+  let doc = "Allow /dev/zvol access to a certain arc" in
+  Arg.(value & opt (some path_c) None & info [ "allow-zvol-for" ] ~doc)
+
 let cmd =
   let doc = "Albatross daemon" in
   let man = [
@@ -352,7 +362,7 @@ let cmd =
       creation and attaching tap devices to bridges."
   ] in
   let term =
-    Term.(const jump $ (Albatross_cli.setup_log Albatrossd_utils.syslog) $ Albatrossd_utils.systemd_socket_activation $ Albatrossd_utils.influx $ Albatross_cli.tmpdir $ Albatross_cli.dbdir $ no_drop_path)
+    Term.(const jump $ (Albatross_cli.setup_log Albatrossd_utils.syslog) $ Albatrossd_utils.systemd_socket_activation $ Albatrossd_utils.influx $ Albatross_cli.tmpdir $ Albatross_cli.dbdir $ no_drop_path $ allow_dev_zvol)
   and info = Cmd.info "albatrossd" ~version:Albatross_cli.version ~doc ~man
   in
   Cmd.v info term

src/vmm_resources.ml

@@ -8,6 +8,7 @@ type t = {
   policies : Policy.t Vmm_trie.t ;
   block_devices : (int * bool) Vmm_trie.t ;
   unikernels : Unikernel.t Vmm_trie.t ;
+  dev_zvol : Name.Path.t option ;
 }
 
 let pp ppf t =
@@ -21,10 +22,11 @@ let pp ppf t =
     (fun id unikernel () ->
        Fmt.pf ppf "unikernel %a: %a@." Name.pp id Unikernel.pp_config unikernel.Unikernel.config) ()
 
-let empty = {
+let empty dev_zvol = {
   policies = Vmm_trie.empty ;
   block_devices = Vmm_trie.empty ;
-  unikernels = Vmm_trie.empty
+  unikernels = Vmm_trie.empty ;
+  dev_zvol ;
 }
 
 let policy_metrics =
@@ -95,9 +97,15 @@ let find_policy t path =
 
 let find_block t name = Vmm_trie.find name t.block_devices
 
-let set_block_usage t name active =
-  let lbl = Option.value ~default:"" (Option.map Name.Label.to_string (Name.name name)) in
-  if String.starts_with ~prefix:"/dev/zvol" lbl then
+let zvol_allowed dev_zvol name =
+  match dev_zvol with
+  | None -> false
+  | Some x ->
+    let lbl = Option.value ~default:"" (Option.map Name.Label.to_string (Name.name name)) in
+    String.starts_with ~prefix:"/dev/zvol" lbl && Name.Path.equal (Name.path name) x
+
+let set_block_usage ?dev_zvol t name active =
+  if zvol_allowed dev_zvol name then
     t
   else
     match Vmm_trie.find name t with
@@ -107,7 +115,7 @@ let set_block_usage t name active =
       then invalid_arg ("block device " ^ Name.to_string name ^ " already in state " ^ (if curr then "active" else "inactive"))
       else fst (Vmm_trie.insert name (size, active) t)
 
-let use_blocks t name unikernel active =
+let use_blocks ?dev_zvol t name unikernel active =
   match unikernel.Unikernel.config.Unikernel.block_devices with
   | [] -> t
   | blocks ->
@@ -117,12 +125,12 @@ let use_blocks t name unikernel active =
           Name.block_name name bd)
         blocks
     in
-    List.fold_left (fun t' n -> set_block_usage t' n active) t block_names
+    List.fold_left (fun t' n -> set_block_usage ?dev_zvol t' n active) t block_names
 
 let remove_unikernel t name = match find_unikernel t name with
   | None -> Error (`Msg "unknown unikernel")
   | Some unikernel ->
-    let block_devices = use_blocks t.block_devices name unikernel false in
+    let block_devices = use_blocks ?dev_zvol:t.dev_zvol t.block_devices name unikernel false in
     let unikernels = Vmm_trie.remove name t.unikernels in
     let t' = { t with block_devices ; unikernels } in
     report_unikernels t' name;
@@ -180,10 +188,10 @@ let check_unikernel t name unikernel =
     List.fold_left (fun r (block, dev, _sector_size) ->
         let* () = r in
         let bl = match dev with Some b -> b | None -> block in
-        if String.starts_with ~prefix:"/dev/zvol" bl then
+        let block_name = Name.block_name name bl in
+        if zvol_allowed t.dev_zvol block_name then
           Ok ()
         else
-          let block_name = Name.block_name name bl in
           match find_block t block_name with
           | None ->
             Error (`Msg (Fmt.str "block device %s not found" (Name.to_string block_name)))

src/vmm_resources.mli

@@ -18,11 +18,12 @@ type t = private {
   policies : Policy.t Vmm_trie.t ;
   block_devices : (int * bool) Vmm_trie.t ;
   unikernels : Unikernel.t Vmm_trie.t ;
+  dev_zvol : Name.Path.t option ;
 }
 
 
 (** [empty] is the empty tree. *)
-val empty : t
+val empty : Name.Path.t option -> t
 
 (** [find_unikernel t name] is either [Some unikernel] or [None]. *)
 val find_unikernel : t -> Name.t -> Unikernel.t option

src/vmm_vmmd.ml

@@ -108,11 +108,14 @@ let killall t create =
 let empty = {
   console_counter = 1L ;
   stats_counter = 1L ;
-  resources = Vmm_resources.empty ;
+  resources = Vmm_resources.empty None ;
   waiters = String_map.empty ;
   restarting = String_set.empty ;
 }
 
+let allow_dev_zvol t dev_zvol =
+  { t with resources = Vmm_resources.empty dev_zvol }
+
 let init_block_devices t =
   match Vmm_unix.find_block_devices () with
   | Error (`Msg msg) ->

src/vmm_vmmd.mli

@@ -6,6 +6,8 @@ type 'a t
 
 val empty : 'a t
 
+val allow_dev_zvol : 'a t -> Name.Path.t option -> 'a t
+
 val init_block_devices : 'a t -> 'a t
 
 val waiter : 'a t -> Name.t -> 'a t * 'a option