linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: "Serge E. Hallyn" <serge@hallyn.com>
To: Aristeu Rozanski <aris@redhat.com>
Cc: linux-kernel@vger.kernel.org, cgroups@vger.kernel.org,
	Tejun Heo <tj@kernel.org>, Li Zefan <lizefan@huawei.com>,
	James Morris <jmorris@namei.org>,
	Pavel Emelyanov <xemul@openvz.org>,
	Serge Hallyn <serge.hallyn@canonical.com>,
	Andrew Morton <akpm@linux-foundation.org>
Subject: Re: [PATCH v2 6/6] device_cgroup: introduce a new, more consistent interface for device_cgroup
Date: Wed, 5 Sep 2012 03:27:56 +0000	[thread overview]
Message-ID: <20120905032756.GF13310@mail.hallyn.com> (raw)
In-Reply-To: <20120904143421.692197560@napanee.usersys.redhat.com>

Quoting Aristeu Rozanski (aris@redhat.com):
> Internally device_cgroup now uses a default rule (behavior) and an exception
> list and this interface reflects it.
> 
> The new files, devices.behavior ('allow' or 'deny') and devices.exceptions map
> directly to the internal state.
> 
> Also, update documentation about the new interface.
> 
> Cc: Tejun Heo <tj@kernel.org>
> Cc: Li Zefan <lizefan@huawei.com>
> Cc: James Morris <jmorris@namei.org>
> Cc: Pavel Emelyanov <xemul@openvz.org>
> Cc: Serge Hallyn <serge.hallyn@canonical.com>

Acked-by: Serge Hallyn <serge.hallyn@canonical.com>

> Signed-off-by: Aristeu Rozanski <aris@redhat.com>
> 
> ---
>  Documentation/cgroups/devices.txt |   73 ++++++++++++++++++++++++++++----------
>  security/device_cgroup.c          |   63 +++++++++++++++++++++++++++-----
>  2 files changed, 107 insertions(+), 29 deletions(-)
> 
> --- a/security/device_cgroup.c	2012-08-30 11:53:54.214675713 -0400
> +++ b/security/device_cgroup.c	2012-08-30 11:53:54.227682064 -0400
> @@ -214,6 +214,8 @@ static void devcgroup_destroy(struct cgr
>  #define DEVCG_ALLOW 1
>  #define DEVCG_DENY 2
>  #define DEVCG_LIST 3
> +#define DEVCG_BEHAVIOR 4
> +#define DEVCG_EXCEPTIONS 5
>  
>  #define MAJMINLEN 13
>  #define ACCLEN 4
> @@ -249,11 +251,25 @@ static void set_majmin(char *str, unsign
>  		sprintf(str, "%u", m);
>  }
>  
> +static void __devcg_seq_list_exceptions(struct dev_cgroup *devcg,
> +					struct seq_file *m)
> +{
> +	struct dev_exception_item *ex;
> +	char maj[MAJMINLEN], min[MAJMINLEN], acc[ACCLEN];
> +
> +	list_for_each_entry_rcu(ex, &devcg->exceptions, list) {
> +		set_access(acc, ex->access);
> +		set_majmin(maj, ex->major);
> +		set_majmin(min, ex->minor);
> +		seq_printf(m, "%c %s:%s %s\n", type_to_char(ex->type),
> +			   maj, min, acc);
> +	}
> +}
> +
>  static int devcgroup_seq_read(struct cgroup *cgroup, struct cftype *cft,
>  				struct seq_file *m)
>  {
>  	struct dev_cgroup *devcgroup = cgroup_to_devcgroup(cgroup);
> -	struct dev_exception_item *ex;
>  	char maj[MAJMINLEN], min[MAJMINLEN], acc[ACCLEN];
>  
>  	rcu_read_lock();
> @@ -269,20 +285,37 @@ static int devcgroup_seq_read(struct cgr
>  		set_majmin(min, ~0);
>  		seq_printf(m, "%c %s:%s %s\n", type_to_char(DEV_ALL),
>  			   maj, min, acc);
> -	} else {
> -		list_for_each_entry_rcu(ex, &devcgroup->exceptions, list) {
> -			set_access(acc, ex->access);
> -			set_majmin(maj, ex->major);
> -			set_majmin(min, ex->minor);
> -			seq_printf(m, "%c %s:%s %s\n", type_to_char(ex->type),
> -				   maj, min, acc);
> -		}
> -	}
> +	} else
> +		__devcg_seq_list_exceptions(devcgroup, m);
> +
>  	rcu_read_unlock();
>  
>  	return 0;
>  }
>  
> +static int devcg_seq_read_behavior(struct cgroup *cgroup,
> +				   struct cftype *cft, struct seq_file *m)
> +{
> +	struct dev_cgroup *devcgroup = cgroup_to_devcgroup(cgroup);
> +
> +	if (devcgroup->behavior == DEVCG_DEFAULT_ALLOW)
> +		seq_printf(m, "allow\n");
> +	else
> +		seq_printf(m, "deny\n");
> +
> +	return 0;
> +}
> +
> +static int devcg_seq_read_exceptions(struct cgroup *cgroup,
> +				     struct cftype *cft, struct seq_file *m)
> +{
> +	struct dev_cgroup *devcgroup = cgroup_to_devcgroup(cgroup);
> +
> +	__devcg_seq_list_exceptions(devcgroup, m);
> +
> +	return 0;
> +}
> +
>  /**
>   * may_access - verifies if a new exception is part of what is allowed
>   *		by a dev cgroup based on the default policy +
> @@ -521,6 +554,16 @@ static struct cftype dev_cgroup_files[]
>  		.read_seq_string = devcgroup_seq_read,
>  		.private = DEVCG_LIST,
>  	},
> +	{
> +		.name = "behavior",
> +		.read_seq_string = devcg_seq_read_behavior,
> +		.private = DEVCG_BEHAVIOR,
> +	},
> +	{
> +		.name = "exceptions",
> +		.read_seq_string = devcg_seq_read_exceptions,
> +		.private = DEVCG_EXCEPTIONS,
> +	},
>  	{ }	/* terminate */
>  };
>  
> --- a/Documentation/cgroups/devices.txt	2012-06-18 14:33:03.913651049 -0400
> +++ b/Documentation/cgroups/devices.txt	2012-08-30 12:20:46.258720000 -0400
> @@ -3,37 +3,65 @@ Device Whitelist Controller
>  1. Description:
>  
>  Implement a cgroup to track and enforce open and mknod restrictions
> -on device files.  A device cgroup associates a device access
> -whitelist with each cgroup.  A whitelist entry has 4 fields.
> -'type' is a (all), c (char), or b (block).  'all' means it applies
> -to all types and all major and minor numbers.  Major and minor are
> -either an integer or * for all.  Access is a composition of r
> -(read), w (write), and m (mknod).
> -
> -The root device cgroup starts with rwm to 'all'.  A child device
> -cgroup gets a copy of the parent.  Administrators can then remove
> -devices from the whitelist or add new entries.  A child cgroup can
> +on device files.  A device cgroup associates a device access default
> +behavior and a exception list with each cgroup.  A exception entry
> +has 4 fields.  'type' is a (all), c (char), or b (block).  'all'
> +means it applies to all types and all major and minor numbers.
> +Major and minor are either an integer or * for all.  Access is a
> +composition of r (read), w (write), and m (mknod).  The behavior
> +can be set to 'allow' or 'deny' and determines what's the default
> +action if a matching exception is not found.
> +
> +The root device cgroup starts with default behavior 'allow'.  A
> +child device cgroup gets a copy of the parent.  Administrators can
> +then add exceptions or change the behavior.  A child cgroup can
>  never receive a device access which is denied by its parent.  However
>  when a device access is removed from a parent it will not also be
>  removed from the child(ren).
>  
>  2. User Interface
>  
> -An entry is added using devices.allow, and removed using
> -devices.deny.  For instance
> +First determine what's the current behavior by reading
> +'devices.behavior':
>  
> -	echo 'c 1:3 mr' > /sys/fs/cgroup/1/devices.allow
> +	# cat /sys/fs/cgroup/1/devices.behavior
> +	allow
>  
> -allows cgroup 1 to read and mknod the device usually known as
> -/dev/null.  Doing
> +This means the default action is to allow everything.  You can switch
> +the behavior by writing 'a' on the opposite file:
>  
> -	echo a > /sys/fs/cgroup/1/devices.deny
> +	# echo 'a' > /sys/fs/cgroup/1/devices.deny
> +	# cat /sys/fs/cgroup/1/behavior
> +	deny
> +	# echo 'a' > /sys/fs/cgroup/1/devices.allow
> +	# cat /sys/fs/cgroup/1/behavior
> +	allow
>  
> -will remove the default 'a *:* rwm' entry. Doing
> +Every time the behavior changes, the exception list is cleared.
> +To add an exception, write a rule on the opposite file:
>  
> -	echo a > /sys/fs/cgroup/1/devices.allow
> +	# echo 'a' > /sys/fs/cgroup/1/devices.allow
> +	# echo 'c 1:3 mr' > /sys/fs/cgroup/1/devices.deny
>  
> -will add the 'a *:* rwm' entry to the whitelist.
> +So the default behavior is to allow everything but mknod and read
> +on /dev/null file.  The file 'devices.exceptions' contains the
> +current list of exceptions:
> +
> +	# cat /sys/fs/cgroup/1/devices.exceptions
> +	c 1:3 mr
> +
> +To remove an exception, write the same rule in the opposite file:
> +
> +	# echo 'c 1:3 mr' > /sys/fs/cgroup/1/devices.allow
> +
> +Now the exceptions list will be empty.  It's also possible to change
> +an exception entry::
> +
> +	# cat /sys/fs/cgroup/1/devices.exceptions
> +	c 1:3 rm
> +	# echo 'c 1:3 m' > /sys/fs/cgroup/1/devices.allow
> +	# cat /sys/fs/cgroup/1/devices.exceptions
> +	c 1:3 r
>  
>  3. Security
>  
> @@ -50,3 +78,10 @@ task to a new cgroup.  (Again we'll prob
>  
>  A cgroup may not be granted more permissions than the cgroup's
>  parent has.
> +
> +4. Compatibility
> +
> +Previous versions of device cgroup operated using a whitelist.  The
> +old interface (devices.allow, devices.deny and devices.list) is still
> +supported but users are advised to replace devices.list usage by
> +devices.behavior and devices.exceptions.
> 
> --
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at  http://www.tux.org/lkml/

  reply	other threads:[~2012-09-05  3:27 UTC|newest]

Thread overview: 14+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2012-09-04 14:34 [PATCH v2 0/6] device_cgroup: replace internally whitelist with exception list Aristeu Rozanski
2012-09-04 14:34 ` [PATCH v2 1/6] device_cgroup: add "behavior" in dev_cgroup structure Aristeu Rozanski
2012-09-05  3:00   ` Serge E. Hallyn
2012-09-04 14:34 ` [PATCH v2 2/6] device_cgroup: introduce dev_whitelist_clean() Aristeu Rozanski
2012-09-05  3:03   ` Serge E. Hallyn
2012-09-04 14:34 ` [PATCH v2 3/6] device_cgroup: convert device_cgroup internally to policy + exceptions Aristeu Rozanski
2012-09-05  3:09   ` Serge E. Hallyn
2012-09-04 14:34 ` [PATCH v2 4/6] device_cgroup: stop using simple_strtoul() Aristeu Rozanski
2012-09-05  3:22   ` Serge E. Hallyn
2012-09-04 14:34 ` [PATCH v2 5/6] device_cgroup: rename whitelist to exception list Aristeu Rozanski
2012-09-05  3:24   ` Serge E. Hallyn
2012-09-04 14:34 ` [PATCH v2 6/6] device_cgroup: introduce a new, more consistent interface for device_cgroup Aristeu Rozanski
2012-09-05  3:27   ` Serge E. Hallyn [this message]
2012-09-05  3:30 ` [PATCH v2 0/6] device_cgroup: replace internally whitelist with exception list Serge E. Hallyn

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20120905032756.GF13310@mail.hallyn.com \
    --to=serge@hallyn.com \
    --cc=akpm@linux-foundation.org \
    --cc=aris@redhat.com \
    --cc=cgroups@vger.kernel.org \
    --cc=jmorris@namei.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=lizefan@huawei.com \
    --cc=serge.hallyn@canonical.com \
    --cc=tj@kernel.org \
    --cc=xemul@openvz.org \
    --subject='Re: [PATCH v2 6/6] device_cgroup: introduce a new, more consistent interface for device_cgroup' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).