From: "Serge E. Hallyn" <serge-A9i7LUbDfNHQT0dZR+AlfA@public.gmane.org>
To: Aristeu Rozanski <aris-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
Cc: linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
cgroups-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
Tejun Heo <tj-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>,
Li Zefan <lizefan-hv44wF8Li93QT0dZR+AlfA@public.gmane.org>,
James Morris <jmorris-gx6/JNMH7DfYtjvyW6yDsg@public.gmane.org>,
Pavel Emelyanov <xemul-GEFAQzZX7r8dnm+yROfE0A@public.gmane.org>,
Serge Hallyn
<serge.hallyn-Z7WLFzj8eWMS+FvcfC7Uqw@public.gmane.org>,
Andrew Morton
<akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org>
Subject: Re: [PATCH v2 0/6] device_cgroup: replace internally whitelist with exception list
Date: Wed, 5 Sep 2012 03:30:02 +0000 [thread overview]
Message-ID: <20120905033002.GG13310@mail.hallyn.com> (raw)
In-Reply-To: <20120904143419.892872876-cd6kKtb6gxi3M6m420IelR/sF2h8X+2i0E9HWUfgJXw@public.gmane.org>
Quoting Aristeu Rozanski (aris-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org):
> The original model of device_cgroup is having a whitelist where all the
> allowed devices are listed. The problem with this approach is that it is
> impossible to have the case of allowing everything but few devices.
>
> The reason for that lies in the way the whitelist is handled internally:
> since there's only a whitelist, the "all devices" entry would have to be
> removed and replaced by the entire list of possible devices but the ones
> that are being denied. Since dev_t is 32 bits long, representing the allowed
> devices as a bitfield is not memory efficient.
>
> This patch replaces the "whitelist" by an "exceptions" list and the default
> policy is kept as the "deny_all" variable in dev_cgroup structure.
>
> The current interface determines that whenever "a" is written to devices.allow
> or devices.deny, the entry masking all devices will be added or removed,
> respectively. This behavior is kept and it's what will determine the default
> policy:
>
> # cat devices.list
> a *:* rwm
> # echo a >devices.deny
> # cat devices.list
> # echo a >devices.allow
> # cat devices.list
> a *:* rwm
>
> The interface is also preserved. For example, if one wants to block only access
> to /dev/null:
> # ls -l /dev/null
> crw-rw-rw- 1 root root 1, 3 Jul 24 16:17 /dev/null
> # echo a >devices.allow
> # echo "c 1:3 rwm" >devices.deny
> # cat /dev/null
> cat: /dev/null: Operation not permitted
> # echo >/dev/null
> bash: /dev/null: Operation not permitted
> # mknod /tmp/null c 1 3
> mknod: /tmp/null: Operation not permitted
> # echo "c 1:3 r" >devices.allow
> # cat /dev/null
> # echo >/dev/null
> bash: /dev/null: Operation not permitted
> # mknod /tmp/null c 1 3
> mknod: /tmp/null: Operation not permitted
> # echo "c 1:3 rw" >devices.allow
> # echo >/dev/null
> # cat /dev/null
> # mknod /tmp/null c 1 3
> mknod: /tmp/null: Operation not permitted
> # echo "c 1:3 rwm" >devices.allow
> # echo >/dev/null
> # cat /dev/null
> # mknod /tmp/null c 1 3
> #
>
> v2:
> - stop using simple_strtoul()
> - fix checkpatch warnings
> - rename deny_all to behavior
> - updated documentation
> - added new files to cgroupfs to better reflect the internal state
>
> Documentation/cgroups/devices.txt | 73 ++++--
> security/device_cgroup.c | 443 +++++++++++++++++++++++---------------
> 2 files changed, 333 insertions(+), 183 deletions(-)
>
> --
> Aristeu
Thanks, Aristeu, very nice.
-serge
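The quoted session can be replayed offline with the following model of the "default behavior + exception list" policy that the cover letter describes. This is an added example, not code from the patch series or the kernel; the matching rule it assumes for exceptions that only partially overlap a request is stated in the header comment.

```python
# Added example, not code from the patch series: a userspace model of the
# "default behavior + exception list" policy the cover letter describes, so
# the quoted devices.allow/devices.deny session can be replayed offline.
# Assumed rule for partial overlaps: allow mode denies a request sharing any
# access bit with an exception; deny mode grants only if one covers all bits.

class DevCgroup:
    def __init__(self):
        self.behavior = "allow"  # default policy: "allow" or "deny"
        self.exceptions = {}     # (type, major, minor) -> set of 'r','w','m'

    def _write(self, rule, sense):
        """A write of `rule` to devices.allow (sense="allow") or devices.deny."""
        if rule.strip() == "a":                  # "a": set default, drop exceptions
            self.behavior, self.exceptions = sense, {}
            return
        typ, dev, acc = rule.split()             # e.g. "c 1:3 rwm"
        major, minor = (None if x == "*" else int(x) for x in dev.split(":"))
        key, acc = (typ, major, minor), set(acc)
        if sense == self.behavior:               # same sense as default: shrink/drop
            left = self.exceptions.get(key, set()) - acc
            if left:
                self.exceptions[key] = left
            else:
                self.exceptions.pop(key, None)
        else:                                    # opposite sense: add/grow exception
            self.exceptions[key] = self.exceptions.get(key, set()) | acc

    def allow(self, rule): self._write(rule, "allow")   # echo RULE >devices.allow
    def deny(self, rule): self._write(rule, "deny")     # echo RULE >devices.deny

    def list(self):
        """Legacy devices.list: 'a *:* rwm' in allow mode, otherwise the exceptions."""
        if self.behavior == "allow":
            return ["a *:* rwm"]
        f = lambda v: "*" if v is None else str(v)
        return ["%s %s:%s %s" % (t, f(ma), f(mi), "".join(c for c in "rwm" if c in acc))
                for (t, ma, mi), acc in self.exceptions.items()]

    def may_access(self, typ, major, minor, access):
        """Is a type/major/minor device node accessible for `access` (subset of 'rwm')?"""
        want = set(access)
        for (t, ma, mi), acc in self.exceptions.items():
            if t not in ("a", typ) or ma not in (None, major) or mi not in (None, minor):
                continue
            if self.behavior == "allow" and want & acc:
                return False                     # exception carves this out of "allow all"
            if self.behavior == "deny" and want <= acc:
                return True                      # exception grants all requested bits
        return self.behavior == "allow"
```

Replaying the /dev/null sequence from the cover letter (deny rwm, then re-allow r, rw, rwm) shows each step unblocking exactly the access the session shows working, and the final allow removing the exception entirely.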