From: Serge Hallyn <serge.hallyn@ubuntu.com>
To: Aristeu Rozanski <aris@redhat.com>
Cc: cgroups@vger.kernel.org, Tejun Heo <tj@kernel.org>,
Serge Hallyn <serge.hallyn@canonical.com>,
Li Zefan <lizefan@huawei.com>,
stable@vger.kernel.org
Subject: Re: [PATCH] device_cgroup: check if exception removal is allowed
Date: Mon, 28 Apr 2014 20:30:03 +0000
Message-ID: <20140428203002.GA26218@ubuntumail>
In-Reply-To: <20140424193254.GR29214@redhat.com>
Quoting Aristeu Rozanski (aris@redhat.com):
> In a scenario when the child cgroup is trying to remove an exception
> which will effectively add more access rights, verify if the parent's
> rules allow it.
>
> Cc: Tejun Heo <tj@kernel.org>
> Cc: Serge Hallyn <serge.hallyn@canonical.com>
> Cc: Li Zefan <lizefan@huawei.com>
> Cc: stable@vger.kernel.org
> Signed-off-by: Aristeu Rozanski <arozansk@redhat.com>
Thanks, this looks good. (Though I'm going based on the comment of
match_exception_partial() in the comment cleanup patch, as the tree
I'm looking at doesn't yet have that fn; still, looks good)
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
> ---
> security/device_cgroup.c | 36 +++++++++++++++++++++++++++++++++---
> 1 files changed, 33 insertions(+), 3 deletions(-)
>
> diff --git a/security/device_cgroup.c b/security/device_cgroup.c
> index b9048dc..abbe0b2 100644
> --- a/security/device_cgroup.c
> +++ b/security/device_cgroup.c
> @@ -463,6 +463,32 @@ static int parent_has_perm(struct dev_cgroup *childcg,
> return verify_new_ex(parent, ex, childcg->behavior);
> }
>
> +/*
> + * parent_allows_removal - check if the parent cgroup allows an exception to
> + * be removed
> + * @childcg: child cgroup from where the exception will be removed
> + * @ex: exception being removed
> + */
> +static bool parent_allows_removal(struct dev_cgroup *childcg,
> + struct dev_exception_item *ex)
> +{
> + struct dev_cgroup *parent = css_to_devcgroup(css_parent(&childcg->css));
> +
> + if (!parent)
> + return true;
> +
> + if (childcg->behavior == DEVCG_DEFAULT_DENY)
> + /* It's always allowed to remove access to devices */
> + return true;
> +
> + /*
> + * Make sure you're not removing part or a whole exception existing in
> + * the parent cgroup
> + */
> + return !match_exception_partial(&parent->exceptions, ex->type,
> + ex->major, ex->minor, ex->access);
> +}
> +
> /**
> * may_allow_all - checks if it's possible to change the behavior to
> * allow based on parent's rules.
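Review bot: parent_allows_removal() depends on match_exception_partial(), which this hunk does not add and which the reply above says is not yet in the tree being reviewed; since the patch is Cc'd to stable, the commit message should name the patch that introduces that helper (or the helper should be folded in) so a backport does not fail to build. Minor: the block comment opens with `/*` while the neighbouring may_allow_all doc uses the kernel-doc `/**` form; switching it keeps the file consistent. The early `return true` for DEVCG_DEFAULT_DENY is correct because in a deny-by-default cgroup exceptions grant access, so removing one can only narrow rights; stating that in the comment would make the asymmetry with the DEVCG_DEFAULT_ALLOW case, where the parent's exceptions are checked, easier to follow.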
> @@ -698,17 +724,21 @@ static int devcgroup_update_access(struct dev_cgroup *devcgroup,
>
> switch (filetype) {
> case DEVCG_ALLOW:
> - if (!parent_has_perm(devcgroup, &ex))
> - return -EPERM;
> /*
> * If the default policy is to allow by default, try to remove
> * an matching exception instead. And be silent about it: we
> * don't want to break compatibility
> */
> if (devcgroup->behavior == DEVCG_DEFAULT_ALLOW) {
> + /* Check if the parent allows removing it first */
> + if (!parent_allows_removal(devcgroup, &ex))
> + return -EPERM;
> dev_exception_rm(devcgroup, &ex);
> - return 0;
> + break;
> }
> +
> + if (!parent_has_perm(devcgroup, &ex))
> + return -EPERM;
> rc = dev_exception_add(devcgroup, &ex);
> break;
> case DEVCG_DENY:
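Review bot: changing `return 0;` to `break;` at the end of the DEVCG_DEFAULT_ALLOW branch means a successful exception removal now falls out of the switch and returns rc; please confirm rc is initialised to 0 before the switch (not visible in this hunk), otherwise that path would return whatever rc held. The comment above the branch still says the removal is silent "to keep compatibility", but with the new parent_allows_removal() check this path can now return -EPERM, so the comment should describe the new behaviour. Moving parent_has_perm() after that branch is right: it validates an exception being added, which is only the DEVCG_DEFAULT_DENY path, while the removal path is now covered by the new helper.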
> --
> 1.7.1
>