Quoting Aristeu Rozanski (aris@xxxxxxxxxx):
> The original model of device_cgroup is to have a whitelist where all the
> allowed devices are listed. The problem with this approach is that it is
> impossible to have the case of allowing everything but a few devices.
>
> The reason for that lies in the way the whitelist is handled internally:
> since there's only a whitelist, the "all devices" entry would have to be
> removed and replaced by the entire list of possible devices but the ones
> that are being denied. Since dev_t is 32 bits long, representing the allowed
> devices as a bitfield is not memory efficient.
>
> This patch replaces the "whitelist" by an "exceptions" list and the default
> policy is kept as a "deny_all" variable in the dev_cgroup structure.
>
> The current interface determines that whenever "a" is written to devices.allow
> or devices.deny, the entry masking all devices will be added or removed,
> respectively. This behavior is kept and it's what will determine the default
> policy:
>
> # cat devices.list
> a *:* rwm
> # echo a >devices.deny
> # cat devices.list
> # echo a >devices.allow
> # cat devices.list
> a *:* rwm
>
> The interface is also preserved.
> For example, if one wants to block only access
> to /dev/null:
> # ls -l /dev/null
> crw-rw-rw- 1 root root 1, 3 Jul 24 16:17 /dev/null
> # echo a >devices.allow
> # echo "c 1:3 rwm" >devices.deny
> # cat /dev/null
> cat: /dev/null: Operation not permitted
> # echo >/dev/null
> bash: /dev/null: Operation not permitted
> # mknod /tmp/null c 1 3
> mknod: /tmp/null: Operation not permitted
> # echo "c 1:3 r" >devices.allow
> # cat /dev/null
> # echo >/dev/null
> bash: /dev/null: Operation not permitted
> # mknod /tmp/null c 1 3
> mknod: /tmp/null: Operation not permitted
> # echo "c 1:3 rw" >devices.allow
> # echo >/dev/null
> # cat /dev/null
> # mknod /tmp/null c 1 3
> mknod: /tmp/null: Operation not permitted
> # echo "c 1:3 rwm" >devices.allow
> # echo >/dev/null
> # cat /dev/null
> # mknod /tmp/null c 1 3
> #
>
> v2:
> - stop using simple_strtoul()
> - fix checkpatch warnings
> - rename deny_all to behavior
> - updated documentation
> - added new files to cgroupfs to better reflect the internal state
>
>  Documentation/cgroups/devices.txt |   73 ++++--
>  security/device_cgroup.c          |  443 +++++++++++++++++++++++---------------
>  2 files changed, 333 insertions(+), 183 deletions(-)
>
> --
> Aristeu

Thanks, Aristeu, very nice.

-serge
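The "default behavior plus exceptions list" model that the cover letter describes, reduced to a userspace C model so the /dev/null walk-through can be replayed without a cgroup mount. This is an added example, not the patch's code and not the kernel's security/device_cgroup.c: the names (devcg_write, devcg_check, parse_rule, find_exception), the fixed MAX_EXCEPTIONS bound and the struct layout are invented here, and the rule that under a default-allow policy a deny exception fires when it covers any one of the requested access bits is my choice for the model, not something the cover letter states.

```c
/* Userspace model of the "default behavior + exceptions list" design from the
 * cover letter.  Added illustration, not the kernel's security/device_cgroup.c. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { DEV_BLOCK = 1, DEV_CHAR = 2 };
enum { ACC_MKNOD = 1, ACC_READ = 2, ACC_WRITE = 4, ACC_MASK = 7 };
#define DEV_ANY (~0u)                        /* '*' in "major:minor" */
#define MAX_EXCEPTIONS 16                    /* invented bound for this model */

enum behavior { DEFAULT_DENY, DEFAULT_ALLOW };
struct dev_exception { unsigned type, major, minor, access; };
/* {0}-initialised = empty devices.list: default deny, no exceptions.
 * ex[] holds the devices that go against the default policy. */
struct dev_cgroup { enum behavior behavior; int nr; struct dev_exception ex[MAX_EXCEPTIONS]; };

/* Parse a line written to devices.allow/devices.deny: 1 for "a", 0 for a
 * "<b|c> <major|*>:<minor|*> [rwm]" rule (no access field means "rwm"), -1 on error. */
static int parse_rule(const char *line, struct dev_exception *e)
{
    char type, maj[12], min[12], acc[4] = "";
    if (strcmp(line, "a") == 0) return 1;
    if (sscanf(line, " %c %11[0-9*]:%11[0-9*] %3[rwm]", &type, maj, min, acc) < 3)
        return -1;
    e->type = type == 'c' ? DEV_CHAR : type == 'b' ? DEV_BLOCK : 0;
    if (!e->type) return -1;
    e->major = maj[0] == '*' ? DEV_ANY : (unsigned)strtoul(maj, NULL, 10);
    e->minor = min[0] == '*' ? DEV_ANY : (unsigned)strtoul(min, NULL, 10);
    e->access = 0;
    for (const char *p = acc; *p; p++)
        e->access |= *p == 'r' ? ACC_READ : *p == 'w' ? ACC_WRITE : ACC_MKNOD;
    if (e->access == 0) e->access = ACC_MASK;
    return 0;
}

/* Index of the exception for exactly this type/major/minor, or -1. */
static int find_exception(const struct dev_cgroup *cg, const struct dev_exception *e)
{
    for (int i = 0; i < cg->nr; i++)
        if (cg->ex[i].type == e->type && cg->ex[i].major == e->major &&
            cg->ex[i].minor == e->minor)
            return i;
    return -1;
}

/* echo "<line>" >devices.allow (allow = true) or >devices.deny (allow = false).
 * "a" sets the default and forgets every exception.  A specific rule is merged into
 * the list when it goes against the default and stripped from it when it agrees,
 * which is how 'echo "c 1:3 r" >devices.allow' gives back read access below. */
static int devcg_write(struct dev_cgroup *cg, bool allow, const char *line)
{
    struct dev_exception e;
    int r = parse_rule(line, &e), i;
    if (r < 0) return -1;
    if (r == 1) {
        cg->behavior = allow ? DEFAULT_ALLOW : DEFAULT_DENY;
        cg->nr = 0;
        return 0;
    }
    i = find_exception(cg, &e);
    if (allow != (cg->behavior == DEFAULT_ALLOW)) {      /* goes against the default */
        if (i >= 0) { cg->ex[i].access |= e.access; return 0; }
        if (cg->nr == MAX_EXCEPTIONS) return -1;
        cg->ex[cg->nr++] = e;
    } else if (i >= 0) {                                 /* agrees with the default */
        cg->ex[i].access &= ~e.access;
        if (cg->ex[i].access == 0) cg->ex[i] = cg->ex[--cg->nr];
    }
    return 0;
}

/* The open()/mknod() decision; 'access' holds the requested r/w/m bits.
 * Default deny: one exception must cover the device and every requested bit.
 * Default allow: no exception may cover the device and any requested bit
 * (my choice for the model: a "w" exception must also block an O_RDWR open). */
static bool devcg_check(const struct dev_cgroup *cg, unsigned type,
                        unsigned major, unsigned minor, unsigned access)
{
    for (int i = 0; i < cg->nr; i++) {
        const struct dev_exception *ex = &cg->ex[i];
        if (!(ex->type & type) || (ex->major != DEV_ANY && ex->major != major) ||
            (ex->minor != DEV_ANY && ex->minor != minor))
            continue;
        if (cg->behavior == DEFAULT_DENY && (access & ~ex->access) == 0) return true;
        if (cg->behavior == DEFAULT_ALLOW && (access & ex->access) != 0) return false;
    }
    return cg->behavior == DEFAULT_ALLOW;
}

int main(void)
{
    struct dev_cgroup cg = {0};                          /* replay the c 1:3 walk-through */
    devcg_write(&cg, true, "a");                         /* allow everything ... */
    devcg_write(&cg, false, "c 1:3 rwm");                /* ... except /dev/null */
    devcg_write(&cg, true, "c 1:3 r");                   /* then give back read  */
    printf("read:  %s\n", devcg_check(&cg, DEV_CHAR, 1, 3, ACC_READ) ? "ok" : "EPERM");
    printf("write: %s\n", devcg_check(&cg, DEV_CHAR, 1, 3, ACC_WRITE) ? "ok" : "EPERM");
    printf("mknod: %s\n", devcg_check(&cg, DEV_CHAR, 1, 3, ACC_MKNOD) ? "ok" : "EPERM");
    return 0;
}
```

The point of the behavior flag is visible in devcg_write: "allow everything but /dev/null" costs one list entry, whereas the pure-whitelist design the cover letter rejects would need an entry (or a bit in a 2^32-wide bitfield) for every device that is not /dev/null. The same list serves as a whitelist under DEFAULT_DENY and as a denylist under DEFAULT_ALLOW, so the check has to read the flag before deciding what a match means; writing "a" must clear the list as it flips the flag, otherwise the leftover entries would silently invert their meaning.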