[PATCH] devcgroup: fix odd behaviour when writing 'a' to devices.allow - Kernel


Thread: [PATCH] devcgroup: fix odd behaviour when writing 'a' to devices.allow

  1. [PATCH] devcgroup: fix odd behaviour when writing 'a' to devices.allow

    # cat /devcg/devices.list
    a *:* rwm
    # echo a > devices.allow
    # cat /devcg/devices.list
    a *:* rwm
    a 0:0 rwm

    This is odd and maybe confusing. With this patch, writing 'a'
    to devices.allow will add 'a *:* rwm' to the whitelist.

    Also a few fixes and updates to the document.

    Signed-off-by: Li Zefan
    ---
    Documentation/controllers/devices.txt | 8 ++++++--
    security/device_cgroup.c | 2 ++
    2 files changed, 8 insertions(+), 2 deletions(-)

    diff --git a/Documentation/controllers/devices.txt b/Documentation/controllers/devices.txt
    index 4dcea42..7cc6e6a 100644
    --- a/Documentation/controllers/devices.txt
    +++ b/Documentation/controllers/devices.txt
    @@ -13,7 +13,7 @@ either an integer or * for all. Access is a composition of r
    The root device cgroup starts with rwm to 'all'. A child device
    cgroup gets a copy of the parent. Administrators can then remove
    devices from the whitelist or add new entries. A child cgroup can
    -never receive a device access which is denied its parent. However
    +never receive a device access which is denied by its parent. However
    when a device access is removed from a parent it will not also be
    removed from the child(ren).
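
    Review bot: the grammar fix on the changed line is fine, but while this paragraph is being edited, its last two lines ("when a device access is removed from a parent it will not also be removed from the child(ren)") deserve a plainer warning, since an administrator who writes to the parent's devices.deny may assume the subtree lost the access too. Suggest adding a sentence along the lines of "To revoke a device from a whole subtree, write to devices.deny in each child cgroup as well."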

    @@ -29,7 +29,11 @@ allows cgroup 1 to read and mknod the device usually known as

    echo a > /cgroups/1/devices.deny

    -will remove the default 'a *:* mrw' entry.
    +will remove the default 'a *:* rwm' entry. Doing
    +
    + echo a > /cgroups/1/devices.allow
    +
    +will add the 'a *:* rwm' entry to the whitelist.

    3. Security
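
    Review bot: the new allow example in this hunk does not say what happens in a child cgroup whose parent no longer holds the 'a *:* rwm' entry; the earlier paragraph states a child can never receive an access its parent denies, so one sentence stating whether "echo a > devices.allow" is refused there would close that gap. Since writing 'a' to devices.allow hands the cgroup unrestricted device access again, the added lines are also the right place for an explicit caution to that effect. The 'mrw' to 'rwm' change is a good consistency fix against the devices.list output.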

    diff --git a/security/device_cgroup.c b/security/device_cgroup.c
    index baf3488..fd764a0 100644
    --- a/security/device_cgroup.c
    +++ b/security/device_cgroup.c
    @@ -382,6 +382,8 @@ static ssize_t devcgroup_access_write(struct cgroup *cgroup, struct cftype *cft,
    case 'a':
    wh.type = DEV_ALL;
    wh.access = ACC_MASK;
    + wh.major = ~0;
    + wh.minor = ~0;
    goto handle;
    case 'b':
    wh.type = DEV_BLOCK;
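
    Review bot: the two added assignments are not self-explanatory; a one-line comment at `case 'a':` saying that ~0 for major and minor is the wildcard that the devices.list output renders as `*:*` would spare the next reader a trip to the commit log. From the commit message the 'a' path was the only one leaving major/minor at their initial zero and producing the `a 0:0 rwm` line, so it is worth confirming (and noting in that comment) that matching keys on `DEV_ALL` and the numbers are cosmetic, rather than the ~0 values themselves carrying any meaning.
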
    --
    1.5.4.rc3
    --
    To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
    the body of a message to majordomo@vger.kernel.org
    More majordomo info at http://vger.kernel.org/majordomo-info.html
    Please read the FAQ at http://www.tux.org/lkml/
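
As an added example that is not part of the thread, the following POSIX sh helper audits a devices.list dump for the all-devices entries the commit message above is about; both sample lists are constructed here, and the line format "<type> <major>:<minor> <access>" is the one shown in the thread.

```shell
# Constructed sample of devices.list output as seen before the patch: the default
# wildcard entry plus the odd 'a 0:0 rwm' that 'echo a > devices.allow' produced.
SAMPLE_BEFORE='a *:* rwm
a 0:0 rwm
c 1:3 rwm'

# Constructed sample of a cgroup whose whitelist was narrowed to specific nodes.
SAMPLE_CONFINED='c 1:3 rwm
c 1:5 rwm
b 8:* r'

# audit_devices_list LIST_TEXT
# Reads devices.list lines of the form "<type> <major>:<minor> <access>" and
# prints one finding for every entry of type 'a' (all devices):
#   ALL-DEVICES  the wildcard form 'a *:* <access>'
#   ODD-ALL      an 'a' entry shown with numeric major:minor, the pre-patch symptom
# Returns 0 if at least one 'a' entry carries the full rwm mask, 1 otherwise,
# so it can gate a check that a cgroup is actually confining device access.
audit_devices_list() {
    found=1
    while read -r dtype devnum access; do
        [ -n "$dtype" ] || continue          # skip blank lines
        [ "$dtype" = "a" ] || continue       # b/c entries are per-device
        if [ "$devnum" = "*:*" ]; then
            printf 'ALL-DEVICES %s %s %s\n' "$dtype" "$devnum" "$access"
        else
            printf 'ODD-ALL %s %s %s\n' "$dtype" "$devnum" "$access"
        fi
        # full access means every one of r, w and m is present in the mask
        full=yes
        for bit in r w m; do
            case "$access" in *"$bit"*) ;; *) full=no ;; esac
        done
        if [ "$full" = yes ]; then found=0; fi
    done <<EOF
$1
EOF
    return $found
}

# Stand-alone run: report on the pre-patch sample.
audit_devices_list "$SAMPLE_BEFORE"
```

On a live system feed it the file contents, e.g. `audit_devices_list "$(cat /devcg/devices.list)"`, and treat a zero exit status as "this cgroup has no device confinement".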

  2. Re: [PATCH] devcgroup: fix odd behaviour when writing 'a' to devices.allow

    Quoting Li Zefan (lizf@cn.fujitsu.com):
    > # cat /devcg/devices.list
    > a *:* rwm
    > # echo a > devices.allow
    > # cat /devcg/devices.list
    > a *:* rwm
    > a 0:0 rwm
    >
    > This is odd and maybe confusing. With this patch, writing 'a'
    > to devices.allow will add 'a *:* rwm' to the whitelist.
    >
    > Also a few fixes and updates to the document.
    >
    > Signed-off-by: Li Zefan


    Acked-by: Serge Hallyn

    thanks,
    -serge

    > ---
    > Documentation/controllers/devices.txt | 8 ++++++--
    > security/device_cgroup.c | 2 ++
    > 2 files changed, 8 insertions(+), 2 deletions(-)
    >
    > diff --git a/Documentation/controllers/devices.txt b/Documentation/controllers/devices.txt
    > index 4dcea42..7cc6e6a 100644
    > --- a/Documentation/controllers/devices.txt
    > +++ b/Documentation/controllers/devices.txt
    > @@ -13,7 +13,7 @@ either an integer or * for all. Access is a composition of r
    > The root device cgroup starts with rwm to 'all'. A child device
    > cgroup gets a copy of the parent. Administrators can then remove
    > devices from the whitelist or add new entries. A child cgroup can
    > -never receive a device access which is denied its parent. However
    > +never receive a device access which is denied by its parent. However
    > when a device access is removed from a parent it will not also be
    > removed from the child(ren).
    >
    > @@ -29,7 +29,11 @@ allows cgroup 1 to read and mknod the device usually known as
    >
    > echo a > /cgroups/1/devices.deny
    >
    > -will remove the default 'a *:* mrw' entry.
    > +will remove the default 'a *:* rwm' entry. Doing
    > +
    > + echo a > /cgroups/1/devices.allow
    > +
    > +will add the 'a *:* rwm' entry to the whitelist.
    >
    > 3. Security
    >
    > diff --git a/security/device_cgroup.c b/security/device_cgroup.c
    > index baf3488..fd764a0 100644
    > --- a/security/device_cgroup.c
    > +++ b/security/device_cgroup.c
    > @@ -382,6 +382,8 @@ static ssize_t devcgroup_access_write(struct cgroup *cgroup, struct cftype *cft,
    > case 'a':
    > wh.type = DEV_ALL;
    > wh.access = ACC_MASK;
    > + wh.major = ~0;
    > + wh.minor = ~0;
    > goto handle;
    > case 'b':
    > wh.type = DEV_BLOCK;
    > --
    > 1.5.4.rc3

