linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Aristeu Rozanski <aris@redhat.com>
To: linux-kernel@vger.kernel.org, cgroups@vger.kernel.org
Cc: Tejun Heo <tj@kernel.org>, Li Zefan <lizefan@huawei.com>,
	James Morris <jmorris@namei.org>,
	Pavel Emelyanov <xemul@openvz.org>,
	Serge Hallyn <serge.hallyn@canonical.com>,
	Andrew Morton <akpm@linux-foundation.org>
Subject: [PATCH v2 6/6] device_cgroup: introduce a new, more consistent interface for device_cgroup
Date: Tue, 04 Sep 2012 10:34:25 -0400	[thread overview]
Message-ID: <20120904143421.692197560@napanee.usersys.redhat.com> (raw)
In-Reply-To: <20120904143419.892872876@napanee.usersys.redhat.com>

[-- Attachment #1: new_files.patch --]
[-- Type: text/plain, Size: 7302 bytes --]

Internally device_cgroup now uses a default rule (behavior) and an exception
list and this interface reflects it.

The new files, devices.behavior ('allow' or 'deny') and devices.exceptions map
directly to the internal state.

Also, update documentation about the new interface.

Cc: Tejun Heo <tj@kernel.org>
Cc: Li Zefan <lizefan@huawei.com>
Cc: James Morris <jmorris@namei.org>
Cc: Pavel Emelyanov <xemul@openvz.org>
Cc: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Aristeu Rozanski <aris@redhat.com>

---
 Documentation/cgroups/devices.txt |   73 ++++++++++++++++++++++++++++----------
 security/device_cgroup.c          |   63 +++++++++++++++++++++++++++-----
 2 files changed, 107 insertions(+), 29 deletions(-)

--- a/security/device_cgroup.c	2012-08-30 11:53:54.214675713 -0400
+++ b/security/device_cgroup.c	2012-08-30 11:53:54.227682064 -0400
@@ -214,6 +214,8 @@ static void devcgroup_destroy(struct cgr
 #define DEVCG_ALLOW 1
 #define DEVCG_DENY 2
 #define DEVCG_LIST 3
+#define DEVCG_BEHAVIOR 4
+#define DEVCG_EXCEPTIONS 5
 
 #define MAJMINLEN 13
 #define ACCLEN 4
@@ -249,11 +251,25 @@ static void set_majmin(char *str, unsign
 		sprintf(str, "%u", m);
 }
 
+static void __devcg_seq_list_exceptions(struct dev_cgroup *devcg,
+					struct seq_file *m)
+{
+	struct dev_exception_item *ex;
+	char maj[MAJMINLEN], min[MAJMINLEN], acc[ACCLEN];
+
+	list_for_each_entry_rcu(ex, &devcg->exceptions, list) {
+		set_access(acc, ex->access);
+		set_majmin(maj, ex->major);
+		set_majmin(min, ex->minor);
+		seq_printf(m, "%c %s:%s %s\n", type_to_char(ex->type),
+			   maj, min, acc);
+	}
+}
+
 static int devcgroup_seq_read(struct cgroup *cgroup, struct cftype *cft,
 				struct seq_file *m)
 {
 	struct dev_cgroup *devcgroup = cgroup_to_devcgroup(cgroup);
-	struct dev_exception_item *ex;
 	char maj[MAJMINLEN], min[MAJMINLEN], acc[ACCLEN];
 
 	rcu_read_lock();
@@ -269,20 +285,37 @@ static int devcgroup_seq_read(struct cgr
 		set_majmin(min, ~0);
 		seq_printf(m, "%c %s:%s %s\n", type_to_char(DEV_ALL),
 			   maj, min, acc);
-	} else {
-		list_for_each_entry_rcu(ex, &devcgroup->exceptions, list) {
-			set_access(acc, ex->access);
-			set_majmin(maj, ex->major);
-			set_majmin(min, ex->minor);
-			seq_printf(m, "%c %s:%s %s\n", type_to_char(ex->type),
-				   maj, min, acc);
-		}
-	}
+	} else
+		__devcg_seq_list_exceptions(devcgroup, m);
+
 	rcu_read_unlock();
 
 	return 0;
 }
 
+static int devcg_seq_read_behavior(struct cgroup *cgroup,
+				   struct cftype *cft, struct seq_file *m)
+{
+	struct dev_cgroup *devcgroup = cgroup_to_devcgroup(cgroup);
+
+	if (devcgroup->behavior == DEVCG_DEFAULT_ALLOW)
+		seq_printf(m, "allow\n");
+	else
+		seq_printf(m, "deny\n");
+
+	return 0;
+}
+
+static int devcg_seq_read_exceptions(struct cgroup *cgroup,
+				     struct cftype *cft, struct seq_file *m)
+{
+	struct dev_cgroup *devcgroup = cgroup_to_devcgroup(cgroup);
+
+	__devcg_seq_list_exceptions(devcgroup, m);
+
+	return 0;
+}
+
 /**
  * may_access - verifies if a new exception is part of what is allowed
  *		by a dev cgroup based on the default policy +
@@ -521,6 +554,16 @@ static struct cftype dev_cgroup_files[]
 		.read_seq_string = devcgroup_seq_read,
 		.private = DEVCG_LIST,
 	},
+	{
+		.name = "behavior",
+		.read_seq_string = devcg_seq_read_behavior,
+		.private = DEVCG_BEHAVIOR,
+	},
+	{
+		.name = "exceptions",
+		.read_seq_string = devcg_seq_read_exceptions,
+		.private = DEVCG_EXCEPTIONS,
+	},
 	{ }	/* terminate */
 };
 
--- a/Documentation/cgroups/devices.txt	2012-06-18 14:33:03.913651049 -0400
+++ b/Documentation/cgroups/devices.txt	2012-08-30 12:20:46.258720000 -0400
@@ -3,37 +3,65 @@ Device Whitelist Controller
 1. Description:
 
 Implement a cgroup to track and enforce open and mknod restrictions
-on device files.  A device cgroup associates a device access
-whitelist with each cgroup.  A whitelist entry has 4 fields.
-'type' is a (all), c (char), or b (block).  'all' means it applies
-to all types and all major and minor numbers.  Major and minor are
-either an integer or * for all.  Access is a composition of r
-(read), w (write), and m (mknod).
-
-The root device cgroup starts with rwm to 'all'.  A child device
-cgroup gets a copy of the parent.  Administrators can then remove
-devices from the whitelist or add new entries.  A child cgroup can
+on device files.  A device cgroup associates a device access default
+behavior and a exception list with each cgroup.  A exception entry
+has 4 fields.  'type' is a (all), c (char), or b (block).  'all'
+means it applies to all types and all major and minor numbers.
+Major and minor are either an integer or * for all.  Access is a
+composition of r (read), w (write), and m (mknod).  The behavior
+can be set to 'allow' or 'deny' and determines what's the default
+action if a matching exception is not found.
+
+The root device cgroup starts with default behavior 'allow'.  A
+child device cgroup gets a copy of the parent.  Administrators can
+then add exceptions or change the behavior.  A child cgroup can
 never receive a device access which is denied by its parent.  However
 when a device access is removed from a parent it will not also be
 removed from the child(ren).
 
 2. User Interface
 
-An entry is added using devices.allow, and removed using
-devices.deny.  For instance
+First determine what's the current behavior by reading
+'devices.behavior':
 
-	echo 'c 1:3 mr' > /sys/fs/cgroup/1/devices.allow
+	# cat /sys/fs/cgroup/1/devices.behavior
+	allow
 
-allows cgroup 1 to read and mknod the device usually known as
-/dev/null.  Doing
+This means the default action is to allow everything.  You can switch
+the behavior by writing 'a' on the opposite file:
 
-	echo a > /sys/fs/cgroup/1/devices.deny
+	# echo 'a' > /sys/fs/cgroup/1/devices.deny
+	# cat /sys/fs/cgroup/1/behavior
+	deny
+	# echo 'a' > /sys/fs/cgroup/1/devices.allow
+	# cat /sys/fs/cgroup/1/behavior
+	allow
 
-will remove the default 'a *:* rwm' entry. Doing
+Every time the behavior changes, the exception list is cleared.
+To add an exception, write a rule on the opposite file:
 
-	echo a > /sys/fs/cgroup/1/devices.allow
+	# echo 'a' > /sys/fs/cgroup/1/devices.allow
+	# echo 'c 1:3 mr' > /sys/fs/cgroup/1/devices.deny
 
-will add the 'a *:* rwm' entry to the whitelist.
+So the default behavior is to allow everything but mknod and read
+on /dev/null file.  The file 'devices.exceptions' contains the
+current list of exceptions:
+
+	# cat /sys/fs/cgroup/1/devices.exceptions
+	c 1:3 mr
+
+To remove an exception, write the same rule in the opposite file:
+
+	# echo 'c 1:3 mr' > /sys/fs/cgroup/1/devices.allow
+
+Now the exceptions list will be empty.  It's also possible to change
+an exception entry::
+
+	# cat /sys/fs/cgroup/1/devices.exceptions
+	c 1:3 rm
+	# echo 'c 1:3 m' > /sys/fs/cgroup/1/devices.allow
+	# cat /sys/fs/cgroup/1/devices.exceptions
+	c 1:3 r
 
 3. Security
 
@@ -50,3 +78,10 @@ task to a new cgroup.  (Again we'll prob
 
 A cgroup may not be granted more permissions than the cgroup's
 parent has.
+
+4. Compatibility
+
+Previous versions of device cgroup operated using a whitelist.  The
+old interface (devices.allow, devices.deny and devices.list) is still
+supported but users are advised to replace devices.list usage by
+devices.behavior and devices.exceptions.


  parent reply	other threads:[~2012-09-04 14:34 UTC|newest]

Thread overview: 14+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2012-09-04 14:34 [PATCH v2 0/6] device_cgroup: replace internally whitelist with exception list Aristeu Rozanski
2012-09-04 14:34 ` [PATCH v2 1/6] device_cgroup: add "behavior" in dev_cgroup structure Aristeu Rozanski
2012-09-05  3:00   ` Serge E. Hallyn
2012-09-04 14:34 ` [PATCH v2 2/6] device_cgroup: introduce dev_whitelist_clean() Aristeu Rozanski
2012-09-05  3:03   ` Serge E. Hallyn
2012-09-04 14:34 ` [PATCH v2 3/6] device_cgroup: convert device_cgroup internally to policy + exceptions Aristeu Rozanski
2012-09-05  3:09   ` Serge E. Hallyn
2012-09-04 14:34 ` [PATCH v2 4/6] device_cgroup: stop using simple_strtoul() Aristeu Rozanski
2012-09-05  3:22   ` Serge E. Hallyn
2012-09-04 14:34 ` [PATCH v2 5/6] device_cgroup: rename whitelist to exception list Aristeu Rozanski
2012-09-05  3:24   ` Serge E. Hallyn
2012-09-04 14:34 ` Aristeu Rozanski [this message]
2012-09-05  3:27   ` [PATCH v2 6/6] device_cgroup: introduce a new, more consistent interface for device_cgroup Serge E. Hallyn
2012-09-05  3:30 ` [PATCH v2 0/6] device_cgroup: replace internally whitelist with exception list Serge E. Hallyn

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20120904143421.692197560@napanee.usersys.redhat.com \
    --to=aris@redhat.com \
    --cc=akpm@linux-foundation.org \
    --cc=cgroups@vger.kernel.org \
    --cc=jmorris@namei.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=lizefan@huawei.com \
    --cc=serge.hallyn@canonical.com \
    --cc=tj@kernel.org \
    --cc=xemul@openvz.org \
    --subject='Re: [PATCH v2 6/6] device_cgroup: introduce a new, more consistent interface for device_cgroup' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).