Quoting Li Zefan (lizf@xxxxxxxxxxxxxx):
> devices.allow and devices.deny are write-only, and devices.list is read-only.
>
> Signed-off-by: Li Zefan <lizf@xxxxxxxxxxxxxx>
Yup that should be intuitive for people.
Acked-by: Serge Hallyn <serue@xxxxxxxxxx>
thanks,
-serge
> ---
> security/device_cgroup.c | 3 +++
> 1 files changed, 3 insertions(+), 0 deletions(-)
>
> diff --git a/security/device_cgroup.c b/security/device_cgroup.c
> index 3aacd0f..b13fbb8 100644
> --- a/security/device_cgroup.c
> +++ b/security/device_cgroup.c
> @@ -439,16 +439,19 @@ static struct cftype dev_cgroup_files[] = {
> .name = "allow",
> .write_string = devcgroup_access_write,
> .private = DEVCG_ALLOW,
> + .mode = 0200,
> },
> {
> .name = "deny",
> .write_string = devcgroup_access_write,
> .private = DEVCG_DENY,
> + .mode = 0200,
> },
> {
> .name = "list",
> .read_seq_string = devcgroup_seq_read,
> .private = DEVCG_LIST,
> + .mode = 0444,
> },
> };
>
> -- 1.5.4.rc3
_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linux-foundation.org/mailman/listinfo/containers
