Re: [PATCH 1/1] cgroups: implement device whitelist (v6)
From: Andrew Morton
Subject: Re: [PATCH 1/1] cgroups: implement device whitelist (v6)
Date: Thursday, March 27, 2008 - 2:04 am
On Wed, 26 Mar 2008 13:05:43 -0500 "Serge E. Hallyn" <serue@us.ibm.com> wrote:
> (This is identical to the version I sent on Mar 19 in response to
> the comments by Daniel Hokka Zakrisson, which are the last
> comments I've gotten.)
>
> Implement a cgroup to track and enforce open and mknod restrictions on device
> files. A device cgroup associates a device access whitelist with each
> cgroup. A whitelist entry has 4 fields. 'type' is a (all), c (char), or
> b (block). 'all' means it applies to all types and all major and minor
> numbers. Major and minor are either an integer or * for all.
> Access is a composition of r (read), w (write), and m (mknod).
>
> The root device cgroup starts with rwm to 'all'. A child devcg gets
> a copy of the parent. Admins can then remove devices from the
> whitelist or add new entries. A child cgroup can never receive a
> device access which is denied its parent. However when a device
> access is removed from a parent it will not also be removed from the
> child(ren).
>
> An entry is added using devices.allow, and removed using
> devices.deny. For instance
>
> echo 'c 1:3 mr' > /cgroups/1/devices.allow
>
> allows cgroup 1 to read and mknod the device usually known as
> /dev/null. Doing
>
> echo a > /cgroups/1/devices.deny
>
> will remove the default 'a *:* mrw' entry.
>
> CAP_SYS_ADMIN is needed to change permissions or move another task
> to a new cgroup. A cgroup may not be granted more permissions than
> the cgroup's parent has. Any task can move itself between cgroups.
> This won't be sufficient, but we can decide the best way to
> adequately restrict movement later.
The above should be in Documentation/cgroups.txt?
> +static char *print_whitelist(struct dev_cgroup *devcgroup, int *len) > +{ > + char *buf, *s, acc[4]; > + struct dev_whitelist_item *wh; > + int ret; > + int count = 0; > + char maj[10], min[10]; > + > + buf = kmalloc(4096, GFP_KERNEL); > + if (!buf) > + return ERR_PTR(-ENOMEM); > + s = buf; > + *s = '__PLACEHOLDER__1_'; > + *len = 0; > + > + spin_lock(&devcgroup->lock); > + list_for_each_entry(wh, &devcgroup->whitelist, list) { > + set_access(acc, wh->access); > + set_majmin(maj, 10, wh->major); > + set_majmin(min, 10, wh->minor); > + ret = snprintf(s, 4095-(s-buf), "%c %s:%s %s\n", > + type_to_char(wh->type), maj, min, acc); > + if (s+ret >= buf+4095) { > + kfree(buf); > + buf = ERR_PTR(-ENOMEM); > + break; > + } > + s += ret; > + *len += ret; > + count++; > + } > + spin_unlock(&devcgroup->lock); > + > + return buf; > +}
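Review bot: the fixed 4096-byte buffer turns a whitelist that does not fit into a read failure with a misleading error code: in the `if (s+ret >= buf+4095)` branch the buffer is freed and `ERR_PTR(-ENOMEM)` returned, so an admin who adds enough entries sees what looks like an out-of-memory condition on a file read rather than a size ceiling. The overflow check itself is sound, since snprintf() returns the length it would have written, but nothing bounds the number of entries, and once the formatted list passes 4 KiB the file becomes unreadable. A sized-output iterator (seq_file) or a first pass that computes the needed length before kmalloc() removes the ceiling; if the limit is kept, -E2BIG is the more honest code, and callers must ignore `*len` on the error path because it already counts the entries written before the break.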
That's rather ugly-looking. We can't use seq_file here?
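The entry format and the parent/child rule from Serge's quoted description, modelled in userspace as an added example (this is not code from the patch or from the kernel): parse_entry() reads one "type major:minor access" line, parse_list() a whole newline-separated list of the kind a devices.list read would produce, permits_str() answers the open/mknod question against that list, and child_entry_allowed() applies the rule that a child may not be granted access its parent denies. The function names, the MAJMIN_ANY sentinel, the sample lists and the reading that a single entry must grant every requested bit at open time are this example's own assumptions, not the patch's.

```c
/* Added example (not code from the patch or the kernel): a userspace model of the
 * devices.allow/devices.deny entry format quoted above, of the open/mknod check
 * against a whitelist, and of the rule that a child cgroup cannot be granted what
 * its parent denies. Function names and the sample lists are this example's own. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { ACC_READ = 1, ACC_WRITE = 2, ACC_MKNOD = 4 };   /* r, w, m */
#define MAJMIN_ANY (-1)                                /* stands for '*' */

struct devcg_entry {
    char type;          /* 'a' (all), 'b' (block) or 'c' (char) */
    int major, minor;   /* device numbers, or MAJMIN_ANY */
    unsigned access;    /* bitmask of ACC_* */
};

/* "12" -> 12, "*" -> MAJMIN_ANY; anything else is an error. */
static int parse_majmin(const char *s, int *out)
{
    char *end;
    long v = strtol(s, &end, 10);
    if (strcmp(s, "*") == 0) { *out = MAJMIN_ANY; return 0; }
    if (end == s || *end || v < 0) return -1;
    *out = (int)v;
    return 0;
}

/* Parse one line such as "c 1:3 mr"; a bare "a" means everything, as in the
 * "echo a > devices.deny" usage above. Returns 0, or -1 on malformed input. */
int parse_entry(const char *line, struct devcg_entry *e)
{
    char type, junk, majmin[32], acc[8], *colon;
    int n;
    memset(e, 0, sizeof(*e));
    n = sscanf(line, " %c %31s %7s %c", &type, majmin, acc, &junk); /* 4 fields = trailing junk */
    if (n < 1 || (type != 'a' && type != 'b' && type != 'c')) return -1;
    e->type = type;
    if (n == 1 && type == 'a') {        /* bare "a": all types, numbers and access */
        e->major = e->minor = MAJMIN_ANY;
        e->access = ACC_READ | ACC_WRITE | ACC_MKNOD;
        return 0;
    }
    if (n != 3 || !(colon = strchr(majmin, ':'))) return -1;
    *colon = '\0';
    if (parse_majmin(majmin, &e->major) || parse_majmin(colon + 1, &e->minor)) return -1;
    for (const char *p = acc; *p; p++) { /* r, w, m in any order, nothing else */
        const char *hit = strchr("rwm", *p);
        if (!hit) return -1;
        e->access |= 1u << (hit - "rwm");
    }
    return 0;
}

/* Parse newline-separated entries (the shape of a devices.list read); count or -1. */
int parse_list(const char *text, struct devcg_entry *out, int max)
{
    char line[64];
    int count = 0, used;
    while (sscanf(text, " %63[^\n]%n", line, &used) == 1) {  /* leading space skips blank lines */
        if (count >= max || parse_entry(line, &out[count++]) < 0) return -1;
        text += used;
    }
    return count;
}

/* 'a' covers every type, '*' any number; a '*' in the request needs a '*' in the entry. */
static int scope_covers(const struct devcg_entry *e, char type, int major, int minor)
{
    return (e->type == 'a' || e->type == type) &&
           (e->major == MAJMIN_ANY || e->major == major) &&
           (e->minor == MAJMIN_ANY || e->minor == minor);
}

/* Open/mknod check: one entry must cover the device and grant every requested bit. 1, 0, or -1. */
int permits_str(const char *list, char type, int major, int minor, unsigned acc)
{
    struct devcg_entry wl[64];
    int n = parse_list(list, wl, 64);
    if (n < 0) return -1;
    for (int i = 0; i < n; i++)
        if (scope_covers(&wl[i], type, major, minor) && (acc & ~wl[i].access) == 0) return 1;
    return 0;
}

/* "A child cgroup can never receive a device access which is denied its parent": accept
 * child_line only if the parent entries covering its scope together grant every bit. */
int child_entry_allowed(const char *parent_list, const char *child_line)
{
    struct devcg_entry parent[64], child;
    unsigned granted = 0;
    int n = parse_list(parent_list, parent, 64);
    if (n < 0 || parse_entry(child_line, &child) < 0) return -1;
    for (int i = 0; i < n; i++)
        if (scope_covers(&parent[i], child.type, child.major, child.minor))
            granted |= parent[i].access;
    return (child.access & ~granted) == 0;
}
```

With a constructed parent list of "c 1:3 mr\nb 8:* r\n", `permits_str(list, 'c', 1, 3, ACC_READ)` returns 1 and the same call with ACC_WRITE returns 0; `child_entry_allowed(list, "c 1:3 rw")` is refused because no covering parent entry grants w, while a parent holding "c 1:3 r" and "c 1:3 w" as two entries is treated as granting "rw", since the check unions every parent entry that covers the child's scope. A child asking for "c *:* r" against a parent that only has "c 1:* r" is refused, because a wildcard major is only covered by a wildcard major.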