Re: [PATCH 1/1] devices cgroup: allow mkfifo
From: Li Zefan
Date: Wed Dec 10 2008 - 19:58:37 EST
CC: Andrew
Serge E. Hallyn wrote:
> The devcgroup_inode_permission() hook in the devices whitelist
> cgroup has always bypassed access checks on fifos. But the
> mknod hook did not. The devices whitelist is only about block
> and char devices, and fifos can't even be added to the whitelist,
> so fifos can't be created at all except by tasks which have 'a'
> in their whitelist (meaning they have access to all devices).
>
> Fix the behavior by bypassing access checks to mkfifo.
>
It also bypasses checks to mksock. Should backport this patch?
Reviewed-by: Li Zefan <lizf@xxxxxxxxxxxxxx>
> Signed-off-by: Serge E. Hallyn <serue@xxxxxxxxxx>
> ---
> security/device_cgroup.c | 3 +++
> 1 files changed, 3 insertions(+), 0 deletions(-)
>
> diff --git a/security/device_cgroup.c b/security/device_cgroup.c
> index 5ba7870..df9d491 100644
> --- a/security/device_cgroup.c
> +++ b/security/device_cgroup.c
> @@ -513,6 +513,9 @@ int devcgroup_inode_mknod(int mode, dev_t dev)
> struct dev_cgroup *dev_cgroup;
> struct dev_whitelist_item *wh;
>
> + if (!S_ISBLK(mode) && !S_ISCHR(mode))
> + return 0;
> +
> rcu_read_lock();
>
> dev_cgroup = task_devcgroup(current);
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/