Quoting Pavel Machek (pavel@ucw.cz ):
quoted text > On Wed 2008-03-26 13:05:43, Serge E. Hallyn wrote:
> > (This is identical to the version I sent on Mar 19 in response to
> > the comments by Daniel Hokka Zakrisson, which are the last
> > comments I've gotten.)
> >
> > Implement a cgroup to track and enforce open and mknod restrictions on device
> > files. A device cgroup associates a device access whitelist with each
> > cgroup. A whitelist entry has 4 fields. 'type' is a (all), c (char), or
> > b (block). 'all' means it applies to all types and all major and minor
> > numbers. Major and minor are either an integer or * for all.
> > Access is a composition of r (read), w (write), and m (mknod).
> >
> > The root device cgroup starts with rwm to 'all'. A child devcg gets
> > a copy of the parent. Admins can then remove devices from the
> > whitelist or add new entries. A child cgroup can never receive a
> > device access which is denied its parent. However when a device
> > access is removed from a parent it will not also be removed from the
> > child(ren).
> >
> > An entry is added using devices.allow, and removed using
> > devices.deny. For instance
> >
> > echo 'c 1:3 mr' > /cgroups/1/devices.allow
> >
> > allows cgroup 1 to read and mknod the device usually known as
> > /dev/null. Doing
> >
> > echo a > /cgroups/1/devices.deny
>
> Can't you use selinux or something?
No. At the moment SELinux can't authorize based on type/major:minor. I
would like to add that support later on, but even when I do, folks such
as the openvz folks do not want to rely on any security modules.
quoted text > Or just fix the userland as this is for old-udev compatibility, only?
Until the part of Miklos' user mounts patches go in which enforces MNT_NODEV
on mounts made by someone who is !capable(CAP_MKNOD), using capability bounding
sets is completely inadequate.
quoted text > The interface is ugly...
What's ugly about it? How could we clean it up?
quoted text > > diff --git a/include/linux/cgroup_subsys.h b/include/linux/cgroup_subsys.h
> > index 1ddebfc..e287745 100644
> > --- a/include/linux/cgroup_subsys.h
> > +++ b/include/linux/cgroup_subsys.h
> > @@ -42,3 +42,9 @@ SUBSYS(mem_cgroup)
> > #endif
> >
> > /* */
> > +
> > +#ifdef CONFIG_CGROUP_DEVICE
> > +SUBSYS(devices)
> > +#endif
> > +
> > +/* */
>
> I don't know what this is, but it does not look like C...
Huh?
-serge
--
unsubscribe notice To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to
majordomo@vger.kernel.org
More majordomo info at
http://vger.kernel.org/majordomo-info.html
Please read the FAQ at
http://www.tux.org/lkml/ Messages in current thread:
Re: [PATCH 1/1] cgroups: implement device whitelist (v6) , Serge E. Hallyn , (Mon Mar 31, 10:00 am)
