diff --git a/src/agent/rustjail/src/cgroups/fs/mod.rs b/src/agent/rustjail/src/cgroups/fs/mod.rs
index 55aefed87..7f41cb4dd 100644
--- a/src/agent/rustjail/src/cgroups/fs/mod.rs
+++ b/src/agent/rustjail/src/cgroups/fs/mod.rs
@@ -489,63 +489,61 @@ lazy_static! {
 };
 pub static ref DEFAULT_ALLOWED_DEVICES: Vec = {
- let mut v = Vec::new();
+ vec![
+ // all mknod to all char devices
+ LinuxDeviceCgroup {
+ allow: true,
+ r#type: "c".to_string(),
+ major: Some(WILDCARD),
+ minor: Some(WILDCARD),
+ access: "m".to_string(),
+ },
- // all mknod to all char devices
- v.push(LinuxDeviceCgroup {
- allow: true,
- r#type: "c".to_string(),
- major: Some(WILDCARD),
- minor: Some(WILDCARD),
- access: "m".to_string(),
- });
+ // all mknod to all block devices
+ LinuxDeviceCgroup {
+ allow: true,
+ r#type: "b".to_string(),
+ major: Some(WILDCARD),
+ minor: Some(WILDCARD),
+ access: "m".to_string(),
+ },
- // all mknod to all block devices
- v.push(LinuxDeviceCgroup {
- allow: true,
- r#type: "b".to_string(),
- major: Some(WILDCARD),
- minor: Some(WILDCARD),
- access: "m".to_string(),
- });
+ // all read/write/mknod to char device /dev/console
+ LinuxDeviceCgroup {
+ allow: true,
+ r#type: "c".to_string(),
+ major: Some(5),
+ minor: Some(1),
+ access: "rwm".to_string(),
+ },
- // all read/write/mknod to char device /dev/console
- v.push(LinuxDeviceCgroup {
- allow: true,
- r#type: "c".to_string(),
- major: Some(5),
- minor: Some(1),
- access: "rwm".to_string(),
- });
+ // all read/write/mknod to char device /dev/pts/
+ LinuxDeviceCgroup {
+ allow: true,
+ r#type: "c".to_string(),
+ major: Some(136),
+ minor: Some(WILDCARD),
+ access: "rwm".to_string(),
+ },
- // all read/write/mknod to char device /dev/pts/
- v.push(LinuxDeviceCgroup {
- allow: true,
- r#type: "c".to_string(),
- major: Some(136),
- minor: Some(WILDCARD),
- access: "rwm".to_string(),
- });
+ // all read/write/mknod to char device /dev/ptmx
+ LinuxDeviceCgroup {
+ allow: true,
+ r#type: "c".to_string(),
+ major: Some(5),
+ minor: Some(2),
+ access: "rwm".to_string(),
+ },
- // all read/write/mknod to char device /dev/ptmx
- v.push(LinuxDeviceCgroup {
- allow: true,
- r#type: "c".to_string(),
- major: Some(5),
- minor: Some(2),
- access: "rwm".to_string(),
- });
-
- // all read/write/mknod to char device /dev/net/tun
- v.push(LinuxDeviceCgroup {
- allow: true,
- r#type: "c".to_string(),
- major: Some(10),
- minor: Some(200),
- access: "rwm".to_string(),
- });
-
- v
+ // all read/write/mknod to char device /dev/net/tun
+ LinuxDeviceCgroup {
+ allow: true,
+ r#type: "c".to_string(),
+ major: Some(10),
+ minor: Some(200),
+ access: "rwm".to_string(),
+ },
+ ]
 };
 }
diff --git a/src/agent/rustjail/src/container.rs b/src/agent/rustjail/src/container.rs
index 0cfc5e75c..25be015e0 100644
--- a/src/agent/rustjail/src/container.rs
+++ b/src/agent/rustjail/src/container.rs
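Review bot: DEFAULT_ALLOWED_DEVICES still has no doc comment above the `pub static ref` line, so the only description of what every container is granted by default lives in the per-entry comments inside the literal. The entries are security-relevant: mknod on any char or block device, and rwm on 5:1, 136:*, 5:2 and 10:200 (console, pts, ptmx and net/tun), and a future edit to this list changes the device cgroup of every container at once. I would add, above the declaration, a `///` comment such as `/// Baseline device cgroup rules applied to every container (mknod on all` / `/// char/block devices, rwm on console, pts, ptmx and net/tun); widening` / `/// this list widens the device access of all containers.` It appears to mirror the OCI runtime default allowlist, which would also be worth stating if that is the intent. The enclosing `lazy_static!` block begins before the hunk.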
@@ -132,62 +132,62 @@ lazy_static! {
 };
 pub static ref DEFAULT_DEVICES: Vec = {
- let mut v = Vec::new();
- v.push(LinuxDevice {
- path: "/dev/null".to_string(),
- r#type: "c".to_string(),
- major: 1,
- minor: 3,
- file_mode: Some(0o666),
- uid: Some(0xffffffff),
- gid: Some(0xffffffff),
- });
- v.push(LinuxDevice {
- path: "/dev/zero".to_string(),
- r#type: "c".to_string(),
- major: 1,
- minor: 5,
- file_mode: Some(0o666),
- uid: Some(0xffffffff),
- gid: Some(0xffffffff),
- });
- v.push(LinuxDevice {
- path: "/dev/full".to_string(),
- r#type: String::from("c"),
- major: 1,
- minor: 7,
- file_mode: Some(0o666),
- uid: Some(0xffffffff),
- gid: Some(0xffffffff),
- });
- v.push(LinuxDevice {
- path: "/dev/tty".to_string(),
- r#type: "c".to_string(),
- major: 5,
- minor: 0,
- file_mode: Some(0o666),
- uid: Some(0xffffffff),
- gid: Some(0xffffffff),
- });
- v.push(LinuxDevice {
- path: "/dev/urandom".to_string(),
- r#type: "c".to_string(),
- major: 1,
- minor: 9,
- file_mode: Some(0o666),
- uid: Some(0xffffffff),
- gid: Some(0xffffffff),
- });
- v.push(LinuxDevice {
- path: "/dev/random".to_string(),
- r#type: "c".to_string(),
- major: 1,
- minor: 8,
- file_mode: Some(0o666),
- uid: Some(0xffffffff),
- gid: Some(0xffffffff),
- });
- v
+ vec![
+ LinuxDevice {
+ path: "/dev/null".to_string(),
+ r#type: "c".to_string(),
+ major: 1,
+ minor: 3,
+ file_mode: Some(0o666),
+ uid: Some(0xffffffff),
+ gid: Some(0xffffffff),
+ },
+ LinuxDevice {
+ path: "/dev/zero".to_string(),
+ r#type: "c".to_string(),
+ major: 1,
+ minor: 5,
+ file_mode: Some(0o666),
+ uid: Some(0xffffffff),
+ gid: Some(0xffffffff),
+ },
+ LinuxDevice {
+ path: "/dev/full".to_string(),
+ r#type: String::from("c"),
+ major: 1,
+ minor: 7,
+ file_mode: Some(0o666),
+ uid: Some(0xffffffff),
+ gid: Some(0xffffffff),
+ },
+ LinuxDevice {
+ path: "/dev/tty".to_string(),
+ r#type: "c".to_string(),
+ major: 5,
+ minor: 0,
+ file_mode: Some(0o666),
+ uid: Some(0xffffffff),
+ gid: Some(0xffffffff),
+ },
+ LinuxDevice {
+ path: "/dev/urandom".to_string(),
+ r#type: "c".to_string(),
+ major: 1,
+ minor: 9,
+ file_mode: Some(0o666),
+ uid: Some(0xffffffff),
+ gid: Some(0xffffffff),
+ },
+ LinuxDevice {
+ path: "/dev/random".to_string(),
+ r#type: "c".to_string(),
+ major: 1,
+ minor: 8,
+ file_mode: Some(0o666),
+ uid: Some(0xffffffff),
+ gid: Some(0xffffffff),
+ },
+ ]
 };
 }
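Review bot: The `/dev/full` entry still spells its type as `r#type: String::from("c"),` while the other five entries use `"c".to_string()`; since the commit is rewriting this literal anyway, it is the moment to make them uniform with `r#type: "c".to_string(),`. The `uid`/`gid` value `0xffffffff` is repeated twelve times with no name; presumably it is the "leave unset" sentinel, so a named constant such as `const UNSET_ID: u32 = 0xffffffff;` declared outside the macro, or a one-line comment on the first use, would make the intent explicit (TODO confirm what the consumer of `uid`/`gid` does with that value). DEFAULT_DEVICES also lacks a `///` doc comment; one sentence stating that these are the device nodes created in every container by default, together with their 0o666 mode, would make later reviews of this list quicker. The enclosing `lazy_static!` block begins before the hunk.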