Re: [PATCH 1/1] devices cgroup: allow mkfifo

From: Andrew Morton
Date: Thu Dec 11 2008 - 22:12:32 EST


On Thu, 11 Dec 2008 09:50:27 -0600 "Serge E. Hallyn" <serue@xxxxxxxxxx> wrote:

> The devcgroup_inode_permission() hook in the devices whitelist
> cgroup has always bypassed access checks on fifos. But the
> mknod hook did not. The devices whitelist is only about block
> and char devices, and fifos can't even be added to the whitelist,
> so fifos can't be created at all except by tasks which have 'a'
> in their whitelist (meaning they have access to all devices).
>
> Fix the behavior by bypassing access checks to mkfifo (and mksock).
>
> (Thanks, Daniel, for finding this)
>
> Signed-off-by: Serge E. Hallyn <serue@xxxxxxxxxx>
> Reviewed-by: Li Zefan <lizf@xxxxxxxxxxxxxx>
> ---
> security/device_cgroup.c | 3 +++
> 1 files changed, 3 insertions(+), 0 deletions(-)
>
> diff --git a/security/device_cgroup.c b/security/device_cgroup.c
> index 5ba7870..df9d491 100644
> --- a/security/device_cgroup.c
> +++ b/security/device_cgroup.c
> @@ -513,6 +513,9 @@ int devcgroup_inode_mknod(int mode, dev_t dev)
> struct dev_cgroup *dev_cgroup;
> struct dev_whitelist_item *wh;
>
> + if (!S_ISBLK(mode) && !S_ISCHR(mode))
> + return 0;
> +
> rcu_read_lock();
>
> dev_cgroup = task_devcgroup(current);

hm. I'd looked at your description and decided this was 2.6.29 material.

But you think it's for 2.6.28 and even for 2.6.27. How come?

(iow, your changelog sucked :)
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/