From: "Serge E. Hallyn" <serge@hallyn.com>
To: Aristeu Rozanski <aris@redhat.com>
Cc: linux-kernel@vger.kernel.org, cgroups@vger.kernel.org,
Tejun Heo <tj@kernel.org>, Li Zefan <lizefan@huawei.com>,
James Morris <jmorris@namei.org>,
Pavel Emelyanov <xemul@openvz.org>,
Serge Hallyn <serge.hallyn@canonical.com>,
Andrew Morton <akpm@linux-foundation.org>
Subject: Re: [PATCH v2 6/6] device_cgroup: introduce a new, more consistent interface for device_cgroup
Date: Wed, 5 Sep 2012 03:27:56 +0000 [thread overview]
Message-ID: <20120905032756.GF13310@mail.hallyn.com> (raw)
In-Reply-To: <20120904143421.692197560@napanee.usersys.redhat.com>
Quoting Aristeu Rozanski (aris@redhat.com):
> Internally device_cgroup now uses a default rule (behavior) and an exception
> list and this interface reflects it.
>
> The new files, devices.behavior ('allow' or 'deny') and devices.exceptions map
> directly to the internal state.
>
> Also, update documentation about the new interface.
>
> Cc: Tejun Heo <tj@kernel.org>
> Cc: Li Zefan <lizefan@huawei.com>
> Cc: James Morris <jmorris@namei.org>
> Cc: Pavel Emelyanov <xemul@openvz.org>
> Cc: Serge Hallyn <serge.hallyn@canonical.com>
Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
> Signed-off-by: Aristeu Rozanski <aris@redhat.com>
>
> ---
> Documentation/cgroups/devices.txt | 73 ++++++++++++++++++++++++++++----------
> security/device_cgroup.c | 63 +++++++++++++++++++++++++++-----
> 2 files changed, 107 insertions(+), 29 deletions(-)
>
> --- a/security/device_cgroup.c 2012-08-30 11:53:54.214675713 -0400
> +++ b/security/device_cgroup.c 2012-08-30 11:53:54.227682064 -0400
> @@ -214,6 +214,8 @@ static void devcgroup_destroy(struct cgr
> #define DEVCG_ALLOW 1
> #define DEVCG_DENY 2
> #define DEVCG_LIST 3
> +#define DEVCG_BEHAVIOR 4
> +#define DEVCG_EXCEPTIONS 5
>
> #define MAJMINLEN 13
> #define ACCLEN 4
> @@ -249,11 +251,25 @@ static void set_majmin(char *str, unsign
> sprintf(str, "%u", m);
> }
>
> +static void __devcg_seq_list_exceptions(struct dev_cgroup *devcg,
> + struct seq_file *m)
> +{
> + struct dev_exception_item *ex;
> + char maj[MAJMINLEN], min[MAJMINLEN], acc[ACCLEN];
> +
> + list_for_each_entry_rcu(ex, &devcg->exceptions, list) {
> + set_access(acc, ex->access);
> + set_majmin(maj, ex->major);
> + set_majmin(min, ex->minor);
> + seq_printf(m, "%c %s:%s %s\n", type_to_char(ex->type),
> + maj, min, acc);
> + }
> +}
> +
> static int devcgroup_seq_read(struct cgroup *cgroup, struct cftype *cft,
> struct seq_file *m)
> {
> struct dev_cgroup *devcgroup = cgroup_to_devcgroup(cgroup);
> - struct dev_exception_item *ex;
> char maj[MAJMINLEN], min[MAJMINLEN], acc[ACCLEN];
>
> rcu_read_lock();
> @@ -269,20 +285,37 @@ static int devcgroup_seq_read(struct cgr
> set_majmin(min, ~0);
> seq_printf(m, "%c %s:%s %s\n", type_to_char(DEV_ALL),
> maj, min, acc);
> - } else {
> - list_for_each_entry_rcu(ex, &devcgroup->exceptions, list) {
> - set_access(acc, ex->access);
> - set_majmin(maj, ex->major);
> - set_majmin(min, ex->minor);
> - seq_printf(m, "%c %s:%s %s\n", type_to_char(ex->type),
> - maj, min, acc);
> - }
> - }
> + } else
> + __devcg_seq_list_exceptions(devcgroup, m);
> +
> rcu_read_unlock();
>
> return 0;
> }
>
> +static int devcg_seq_read_behavior(struct cgroup *cgroup,
> + struct cftype *cft, struct seq_file *m)
> +{
> + struct dev_cgroup *devcgroup = cgroup_to_devcgroup(cgroup);
> +
> + if (devcgroup->behavior == DEVCG_DEFAULT_ALLOW)
> + seq_printf(m, "allow\n");
> + else
> + seq_printf(m, "deny\n");
> +
> + return 0;
> +}
> +
> +static int devcg_seq_read_exceptions(struct cgroup *cgroup,
> + struct cftype *cft, struct seq_file *m)
> +{
> + struct dev_cgroup *devcgroup = cgroup_to_devcgroup(cgroup);
> +
> + __devcg_seq_list_exceptions(devcgroup, m);
> +
> + return 0;
> +}
> +
> /**
> * may_access - verifies if a new exception is part of what is allowed
> * by a dev cgroup based on the default policy +
> @@ -521,6 +554,16 @@ static struct cftype dev_cgroup_files[]
> .read_seq_string = devcgroup_seq_read,
> .private = DEVCG_LIST,
> },
> + {
> + .name = "behavior",
> + .read_seq_string = devcg_seq_read_behavior,
> + .private = DEVCG_BEHAVIOR,
> + },
> + {
> + .name = "exceptions",
> + .read_seq_string = devcg_seq_read_exceptions,
> + .private = DEVCG_EXCEPTIONS,
> + },
> { } /* terminate */
> };
>
> --- a/Documentation/cgroups/devices.txt 2012-06-18 14:33:03.913651049 -0400
> +++ b/Documentation/cgroups/devices.txt 2012-08-30 12:20:46.258720000 -0400
> @@ -3,37 +3,65 @@ Device Whitelist Controller
> 1. Description:
>
> Implement a cgroup to track and enforce open and mknod restrictions
> -on device files. A device cgroup associates a device access
> -whitelist with each cgroup. A whitelist entry has 4 fields.
> -'type' is a (all), c (char), or b (block). 'all' means it applies
> -to all types and all major and minor numbers. Major and minor are
> -either an integer or * for all. Access is a composition of r
> -(read), w (write), and m (mknod).
> -
> -The root device cgroup starts with rwm to 'all'. A child device
> -cgroup gets a copy of the parent. Administrators can then remove
> -devices from the whitelist or add new entries. A child cgroup can
> +on device files. A device cgroup associates a device access default
> +behavior and a exception list with each cgroup. A exception entry
> +has 4 fields. 'type' is a (all), c (char), or b (block). 'all'
> +means it applies to all types and all major and minor numbers.
> +Major and minor are either an integer or * for all. Access is a
> +composition of r (read), w (write), and m (mknod). The behavior
> +can be set to 'allow' or 'deny' and determines what's the default
> +action if a matching exception is not found.
> +
> +The root device cgroup starts with default behavior 'allow'. A
> +child device cgroup gets a copy of the parent. Administrators can
> +then add exceptions or change the behavior. A child cgroup can
> never receive a device access which is denied by its parent. However
> when a device access is removed from a parent it will not also be
> removed from the child(ren).
>
> 2. User Interface
>
> -An entry is added using devices.allow, and removed using
> -devices.deny. For instance
> +First determine what's the current behavior by reading
> +'devices.behavior':
>
> - echo 'c 1:3 mr' > /sys/fs/cgroup/1/devices.allow
> + # cat /sys/fs/cgroup/1/devices.behavior
> + allow
>
> -allows cgroup 1 to read and mknod the device usually known as
> -/dev/null. Doing
> +This means the default action is to allow everything. You can switch
> +the behavior by writing 'a' on the opposite file:
>
> - echo a > /sys/fs/cgroup/1/devices.deny
> + # echo 'a' > /sys/fs/cgroup/1/devices.deny
> + # cat /sys/fs/cgroup/1/behavior
> + deny
> + # echo 'a' > /sys/fs/cgroup/1/devices.allow
> + # cat /sys/fs/cgroup/1/behavior
> + allow
>
> -will remove the default 'a *:* rwm' entry. Doing
> +Every time the behavior changes, the exception list is cleared.
> +To add an exception, write a rule on the opposite file:
>
> - echo a > /sys/fs/cgroup/1/devices.allow
> + # echo 'a' > /sys/fs/cgroup/1/devices.allow
> + # echo 'c 1:3 mr' > /sys/fs/cgroup/1/devices.deny
>
> -will add the 'a *:* rwm' entry to the whitelist.
> +So the default behavior is to allow everything but mknod and read
> +on /dev/null file. The file 'devices.exceptions' contains the
> +current list of exceptions:
> +
> + # cat /sys/fs/cgroup/1/devices.exceptions
> + c 1:3 mr
> +
> +To remove an exception, write the same rule in the opposite file:
> +
> + # echo 'c 1:3 mr' > /sys/fs/cgroup/1/devices.allow
> +
> +Now the exceptions list will be empty. It's also possible to change
> +an exception entry::
> +
> + # cat /sys/fs/cgroup/1/devices.exceptions
> + c 1:3 rm
> + # echo 'c 1:3 m' > /sys/fs/cgroup/1/devices.allow
> + # cat /sys/fs/cgroup/1/devices.exceptions
> + c 1:3 r
>
> 3. Security
>
> @@ -50,3 +78,10 @@ task to a new cgroup. (Again we'll prob
>
> A cgroup may not be granted more permissions than the cgroup's
> parent has.
> +
> +4. Compatibility
> +
> +Previous versions of device cgroup operated using a whitelist. The
> +old interface (devices.allow, devices.deny and devices.list) is still
> +supported but users are advised to replace devices.list usage by
> +devices.behavior and devices.exceptions.
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at http://www.tux.org/lkml/
next prev parent reply other threads:[~2012-09-05 3:27 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-09-04 14:34 [PATCH v2 0/6] device_cgroup: replace internally whitelist with exception list Aristeu Rozanski
2012-09-04 14:34 ` [PATCH v2 1/6] device_cgroup: add "behavior" in dev_cgroup structure Aristeu Rozanski
2012-09-05 3:00 ` Serge E. Hallyn
2012-09-04 14:34 ` [PATCH v2 2/6] device_cgroup: introduce dev_whitelist_clean() Aristeu Rozanski
2012-09-05 3:03 ` Serge E. Hallyn
2012-09-04 14:34 ` [PATCH v2 3/6] device_cgroup: convert device_cgroup internally to policy + exceptions Aristeu Rozanski
2012-09-05 3:09 ` Serge E. Hallyn
2012-09-04 14:34 ` [PATCH v2 4/6] device_cgroup: stop using simple_strtoul() Aristeu Rozanski
2012-09-05 3:22 ` Serge E. Hallyn
2012-09-04 14:34 ` [PATCH v2 5/6] device_cgroup: rename whitelist to exception list Aristeu Rozanski
2012-09-05 3:24 ` Serge E. Hallyn
2012-09-04 14:34 ` [PATCH v2 6/6] device_cgroup: introduce a new, more consistent interface for device_cgroup Aristeu Rozanski
2012-09-05 3:27 ` Serge E. Hallyn [this message]
2012-09-05 3:30 ` [PATCH v2 0/6] device_cgroup: replace internally whitelist with exception list Serge E. Hallyn
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20120905032756.GF13310@mail.hallyn.com \
--to=serge@hallyn.com \
--cc=akpm@linux-foundation.org \
--cc=aris@redhat.com \
--cc=cgroups@vger.kernel.org \
--cc=jmorris@namei.org \
--cc=linux-kernel@vger.kernel.org \
--cc=lizefan@huawei.com \
--cc=serge.hallyn@canonical.com \
--cc=tj@kernel.org \
--cc=xemul@openvz.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).