Re: cgroup: denying device doesn't work with 'rw' mode string
From: Amos Kong
Date: Fri May 18 2012 - 03:46:32 EST
In devcgroup_create(), we create a new whitelist and add a first entry
whose type is 'DEV_ALL'.
Execute "# echo 'b 253:3 rw' > devices/devices.deny";
dev_whitelist_rm() will update the access
of the first entry to 3, but the type of the first entry is still 'DEV_ALL'.
    static void dev_whitelist_rm(struct dev_cgroup *dev_cgroup, ...) {
        list_for_each_entry_safe(walk, tmp, &dev_cgroup->whitelist, list) {
            if (walk->type == DEV_ALL)
                goto remove;

If the type is 'DEV_ALL', it will try to remove it without checking major/minor/...

    remove:
            walk->access &= ~wh->access;

The access of the first entry will be updated to 7(mrw) & ~4(w) = 3.

            if (!walk->access) {

The first entry will not be deleted, because walk->access is not 0.

                list_del_rcu(&walk->list);
                kfree_rcu(walk, rcu);
Execute a dd command to write to the device; __devcgroup_inode_permission() will be called.
The type of the first list entry is 'DEV_ALL', so it just passes this permission check.
(The write operation will not be denied.)

    int __devcgroup_inode_permission(struct inode *inode, int mask) {
        ....
        dev_cgroup = task_devcgroup(current);
        list_for_each_entry_rcu(wh, &dev_cgroup->whitelist, list) {
            if (wh->type & DEV_ALL)
                goto found;
            // If type is 'DEV_ALL', pass permission check
            ....
            if ((mask & MAY_WRITE) && !(wh->access & ACC_WRITE))
                continue;
    found:
            rcu_read_unlock();
            return 0;
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
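The two code paths quoted in the message, reduced to a user-space model so the reported behaviour can be reproduced without a kernel. This is an added example written for this page, not code from the kernel or from the message's author; the constants (ACC_MKNOD=1, ACC_READ=2, ACC_WRITE=4, DEV_BLOCK=1, DEV_CHAR=2, DEV_ALL=4) and the control flow follow the 2012-era security/device_cgroup.c, while the singly linked list, the devcgroup_create()/devcgroup_destroy() helpers and the inode arguments (type, major, minor) are assumptions standing in for the kernel's list and inode API. It goes slightly beyond the message: for the 'rw' deny string both read and write bits are cleared, so the surviving entry is 'a *:* m', and the contrast case shows that only an 'a' deny (which zeroes the mask) actually removes the DEV_ALL entry and makes the write fail.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Constants as in the 2012-era security/device_cgroup.c. */
#define ACC_MKNOD 1
#define ACC_READ  2
#define ACC_WRITE 4
#define DEV_BLOCK 1
#define DEV_CHAR  2
#define DEV_ALL   4
#define MAY_WRITE 2
#define MAY_READ  4

/* Constructed stand-in for the kernel's list_head based entry. */
struct dev_whitelist_item {
    unsigned major, minor;          /* ~0 means "any" */
    short type;                     /* DEV_BLOCK, DEV_CHAR or DEV_ALL */
    short access;                   /* ACC_* bits */
    struct dev_whitelist_item *next;
};

struct dev_cgroup {
    struct dev_whitelist_item *whitelist;
};

/* devcgroup_create(): the root cgroup's list starts with "a *:* rwm". */
static void devcgroup_create(struct dev_cgroup *cg)
{
    struct dev_whitelist_item *wh = calloc(1, sizeof *wh);
    wh->major = wh->minor = ~0u;
    wh->type = DEV_ALL;
    wh->access = ACC_MKNOD | ACC_READ | ACC_WRITE;
    cg->whitelist = wh;
}

static void devcgroup_destroy(struct dev_cgroup *cg)
{
    while (cg->whitelist) {
        struct dev_whitelist_item *wh = cg->whitelist;
        cg->whitelist = wh->next;
        free(wh);
    }
}

/* Model of dev_whitelist_rm() (devices.deny). A DEV_ALL entry matches any
 * deny line, loses only the denied bits, and stays in the list unless its
 * access mask drops to zero. */
static void dev_whitelist_rm(struct dev_cgroup *cg, const struct dev_whitelist_item *wh)
{
    struct dev_whitelist_item **pp = &cg->whitelist;
    while (*pp) {
        struct dev_whitelist_item *walk = *pp;
        int match = walk->type == DEV_ALL ||
                    (walk->type == wh->type &&
                     (walk->major == ~0u || walk->major == wh->major) &&
                     (walk->minor == ~0u || walk->minor == wh->minor));
        if (match) {
            walk->access &= ~wh->access;
            if (!walk->access) {        /* list_del_rcu + kfree_rcu */
                *pp = walk->next;
                free(walk);
                continue;
            }
        }
        pp = &walk->next;
    }
}

/* Model of __devcgroup_inode_permission(): the first DEV_ALL entry grants
 * access without its access bits ever being consulted. */
static int devcgroup_inode_permission(const struct dev_cgroup *cg, short dev_type,
                                      unsigned major, unsigned minor, int mask)
{
    const struct dev_whitelist_item *wh;
    for (wh = cg->whitelist; wh; wh = wh->next) {
        if (wh->type & DEV_ALL)
            return 0;                   /* goto found */
        if (!(wh->type & dev_type))
            continue;
        if (wh->major != ~0u && wh->major != major)
            continue;
        if (wh->minor != ~0u && wh->minor != minor)
            continue;
        if ((mask & MAY_WRITE) && !(wh->access & ACC_WRITE))
            continue;
        if ((mask & MAY_READ) && !(wh->access & ACC_READ))
            continue;
        return 0;
    }
    return -EPERM;
}

/* Runs "echo 'b 253:3 rw' > devices.deny" against a fresh cgroup; stores the
 * surviving first entry's access mask and returns the result of a write
 * permission check on block 253:3 (0 = allowed, the reported bug). */
int deny_specific_then_write(int *remaining_access)
{
    struct dev_cgroup cg;
    struct dev_whitelist_item deny = { 253, 3, DEV_BLOCK, ACC_READ | ACC_WRITE, NULL };
    devcgroup_create(&cg);
    dev_whitelist_rm(&cg, &deny);
    *remaining_access = cg.whitelist ? cg.whitelist->access : 0;
    int rc = devcgroup_inode_permission(&cg, DEV_BLOCK, 253, 3, MAY_WRITE);
    devcgroup_destroy(&cg);
    return rc;
}

/* Contrast: "echo a > devices.deny" zeroes the DEV_ALL entry's mask, so it
 * is removed and the same write returns -EPERM. */
int deny_all_then_write(void)
{
    struct dev_cgroup cg;
    struct dev_whitelist_item deny = { ~0u, ~0u, DEV_ALL, ACC_MKNOD | ACC_READ | ACC_WRITE, NULL };
    devcgroup_create(&cg);
    dev_whitelist_rm(&cg, &deny);
    int rc = devcgroup_inode_permission(&cg, DEV_BLOCK, 253, 3, MAY_WRITE);
    devcgroup_destroy(&cg);
    return rc;
}

int main(void)
{
    int acc;
    printf("deny 'b 253:3 rw' -> write rc=%d, first entry access=%d\n",
           deny_specific_then_write(&acc), acc);
    printf("deny 'a'          -> write rc=%d\n", deny_all_then_write());
    return 0;
}
```

The model makes the practical consequence explicit: as long as the root's 'a *:* rwm' entry survives, no specific devices.deny line has any effect on permission checks, because the DEV_ALL branch in the permission check returns before the access bits are compared. The only sequence that behaves as documented is to deny 'a' first and then allow the specific devices that are wanted.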