Re: [RFC] cgroups: implement device whitelist lsm (v2)

From: Paul Menage
Date: Fri Mar 14 2008 - 05:18:27 EST


On Wed, Mar 12, 2008 at 8:27 PM, Serge E. Hallyn <serue@xxxxxxxxxx> wrote:
> Implement a cgroup using the LSM interface to enforce mknod and open
> on device files.
>
> This implements a simple device access whitelist. A whitelist entry
> has 4 fields. 'type' is a (all), c (char), or b (block). 'all' means it
> applies to all types, all major numbers, and all minor numbers. Major and
> minor are obvious. Access is a composition of r (read), w (write), and
> m (mknod).
>
> The root devcgroup starts with rwm to 'all'. A child devcg gets a copy
> of the parent. Admins can then add and remove devices to the whitelist.
> Once CAP_HOST_ADMIN is introduced it will be needed to add entries as
> well or remove entries from another cgroup, though just CAP_SYS_ADMIN
> will suffice to remove entries for your own group.
>
> An entry is added by doing "echo <type> <maj> <min> <access>" > devcg.allow,
> for instance:
>
> echo b 7 0 mrw > /cgroups/1/devcg.allow
>
> An entry is removed by doing likewise into devcg.deny. Since this is a
> pure whitelist, not acls, you can only remove entries which exist in the
> whitelist. You must explicitly
>
> echo a 0 0 mrw > /cgroups/1/devcg.deny
>
> to remove the "allow all" entry which is automatically inherited from
> the root cgroup.

In keeping with the naming convention for control groups, "devices"
would be better than "devcg".

Paul
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/