On Mon, May 05, 2014 at 11:18:59AM -0400, Aristeu Rozanski wrote: > [PATCH v3 1/2] device_cgroup: check if exception removal is allowed > > When the device cgroup hierarchy was introduced in > bd2953ebbb53 - devcg: propagate local changes down the hierarchy > > a specific case was overlooked. Consider the hierarchy bellow: > > A default policy: ALLOW, exceptions will deny access > \ > B default policy: ALLOW, exceptions will deny access > > There's no need to verify when an new exception is added to B because > in this case exceptions will deny access to further devices, which is > always fine. Hierarchy in device cgroup only makes sure B won't have > more access than A. > > But when an exception is removed (by writing devices.allow), it isn't > checked if the user is in fact removing an inherited exception from A, > thus giving more access to B. > > Example: > > # echo 'a' >A/devices.allow > # echo 'c 1:3 rw' >A/devices.deny > # echo $$ >A/B/tasks > # echo >/dev/null > -bash: /dev/null: Operation not permitted > # echo 'c 1:3 w' >A/B/devices.allow > # echo >/dev/null > # > > This shouldn't be allowed and this patch fixes it by making sure to never allow > exceptions in this case to be removed if the exception is partially or fully > present on the parent. > > v3: missing '*' in function description > v2: improved log message and formatting fixes > > Cc: cgroups@xxxxxxxxxxxxxxx > Cc: Tejun Heo <tj@xxxxxxxxxx> > Cc: Serge Hallyn <serge.hallyn@xxxxxxxxxxxxx> > Cc: Li Zefan <lizefan@xxxxxxxxxx> > Cc: stable@xxxxxxxxxxxxxxx > Signed-off-by: Aristeu Rozanski <arozansk@xxxxxxxxxx> Applied to cgroup/for-3.15-fixes. Thanks. -- tejun -- To unsubscribe from this list: send the line "unsubscribe stable" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html