config-linux: Deprecate device access denial

Separate allow/deny lists are specific to device controller existing only in cgroup v1. Current semantics for devices that don't match neither allow nor deny is confusing. cgroup v2 implements access control on the default hierarchy with BPF hooks. Follow the approach of systemd (refer to systemd.resource(5)) with DevicePolicy=strict, i.e. consider all devices denied by default and add only entries for devices that should be allowed. This will simplify the job for runtimes that use systemd for container cgroup configuration. For starters, mention that "allow" entries that don't stick to the this approach are deprecated. Next step would be removal of the "allow" attribute and implicit denial on all devices. Signed-off-by: Michal Koutný <[email protected]>
opencontainers · Jul 17, 2023 · bb837ae · bb837ae
1 parent 07dd1f4
commit bb837ae
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/config-linux.md b/config-linux.md
@@ -304,7 +304,8 @@ The runtime MUST apply entries in the listed order.
 
 Each entry has the following structure:
 
-* **`allow`** *(boolean, REQUIRED)* - whether the entry is allowed or denied.
+* **`allow`** *(boolean, OPTIONAL, **DEPRECATED**)* - whether the entry is allowed or denied.
+    Value of `false` is deprecated if `major,minor` is specified. Missing entry is interpretted as `true` -- relying on default denial for all devices.
 * **`type`** *(string, OPTIONAL)* - type of device: `a` (all), `c` (char), or `b` (block).
     Unset values mean "all", mapping to `a`.
 * **`major, minor`** *(int64, OPTIONAL)* - [major, minor numbers][devices] for the device.