Re: [PATCH 0/9] Devices accessibility control group (v4)

From: Pavel Emelyanov
Date: Fri Mar 07 2008 - 04:07:42 EST

Next message: Andi Kleen: "[PATCH] [0/13] General DMA zone rework"
Previous message: David Rientjes: "Re: [PATCH] Add cgroup support for enabling controllers at boot time(v2)"
In reply to: Pavel Machek: "Re: [PATCH 0/9] Devices accessibility control group (v4)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Pavel Machek wrote:
> On Thu 2008-03-06 11:36:22, Pavel Emelyanov wrote:
>> Greg KH wrote:
>>> On Wed, Mar 05, 2008 at 09:15:25PM -0600, Serge E. Hallyn wrote:
>>>> Quoting Greg KH (greg@xxxxxxxxx):
>>>>> On Wed, Mar 05, 2008 at 08:23:35PM +0300, Pavel Emelyanov wrote:
>>>>>> Changes from v3:
>>>>>> * Ported on 2.6.25-rc3-mm1;
>>>>>> * Re-splitted into smaller pieces;
>>>>>> * Added more comments to tricky places.
>>>>>>
>>>>>> This controller allows to tune the devices accessibility by tasks,
>>>>>> i.e. grant full access for /dev/null, /dev/zero etc, grant read-only
>>>>>> access to IDE devices and completely hide SCSI disks.
>>>>> From within the kernel itself? The kernel should not be keeping track
>>>>> of the mode of devices, that's what the filesystem holding /dev is for.
>>>>> Those modes change all the time depending on the device plugged in, and
>>>>> the user using the "console". Why should the kernel need to worry about
>>>>> any of this?
>>>> These are distinct from the permissions on device files. No matter what
>>>> the permissions on the device files, a task in a devcg cgroup which
>>>> isn't allowed write to chardev 4:64 will not be able to write to
>>>> /dev/ttyS0.
>>> Then why not do that from userspace with a different /dev, or with a
>>> LSM?
>> Different dev is not suitable, since task may still call mknod to
>> create device it needs and use it. This is not about comfortable
>> use, this is about security.
>
> And you may still take out mknod capability...

Sure we can. In that case we can pre-create only alowed devices for a container
and be happy, but this is not a flexible way of doing things. The main problem is
that udev will stop working in such a container. Patching one is not an option
either, for the reasons I have described before.

Many virtualization functionality we're submitting can be achieved via proper
userpace modifications, but we want to be able to run old software (from old
and even historic distributions) inside containers, so we have to make this
at the kernel level.

Thanks,
Pavel
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Andi Kleen: "[PATCH] [0/13] General DMA zone rework"
Previous message: David Rientjes: "Re: [PATCH] Add cgroup support for enabling controllers at boot time(v2)"
In reply to: Pavel Machek: "Re: [PATCH 0/9] Devices accessibility control group (v4)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]