Quoting Li Zefan (lizefan@xxxxxxxxxx):
Serge Hallyn wrote:
Quoting Amos Kong (akong@xxxxxxxxxx):
@ mount -t cgroup -o devices none /cgroup
@ mkdir /cgroups/devices
@ ls -l /dev/dm-3
brw-rw----. 1 root disk 253, 3 Oct 14 19:03 /dev/dm-3
@ echo 'b 253:3 rw'> devices.deny
but I can still write to it with 'dd if=/dev/zero of=/dev/dm-3'.

In devcgroup_create(), we create a new whitelist and add a first
entry whose type is 'DEV_ALL'. Executing "# echo 'b 253:3 rw'>
devices.deny", dev_whitelist_rm() will update the access of the first
entry to 1(m), but the type of the first entry is still 'DEV_ALL'.

Hi,

thanks. You raise a good point, but I think it needs some discussion.
What happens right now is that if you have the 'a *:* rwm' entry and do
echo 'b 253:3 rw'> devices.deny, then when you next cat devices.list you
will still see the 'a *:* rwm' entry. So there should be no confusion
over why the dd succeeds. You didn't remove the entry, because there
was no match echoed into devices.deny.

No, you'll see the entry has been changed to 'a *:* m', so I think we
should at least fix this.

Yikes. Agreed. That's a bug.
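
The whitelist behaviour discussed in this thread, as a small user-space C model (an added example, not kernel code and not code from any poster). The struct, the function names and the r/w bit values are assumptions; only m = 1, the DEV_ALL type and the devices.list format come from the thread.

```c
#include <stdio.h>
#include <string.h>

/* Access bits: the thread gives m = 1; the r and w values are assumed. */
#define ACC_MKNOD 1
#define ACC_READ  2
#define ACC_WRITE 4
enum dev_type { DEV_BLOCK = 'b', DEV_CHAR = 'c', DEV_ALL = 'a' };

/* Hypothetical model entry, not the kernel struct; major/minor -1 means '*'. */
struct wl_entry { enum dev_type type; int major, minor, access; };

/* Model of the removal the thread describes: a DEV_ALL entry is hit by any
 * deny request; only its access bits are cleared, its type stays DEV_ALL. */
static void model_whitelist_rm(struct wl_entry *wl, size_t n, const struct wl_entry *deny)
{
    for (size_t i = 0; i < n; i++) {
        struct wl_entry *e = &wl[i];
        if (e->type != DEV_ALL) {
            if (e->type != deny->type) continue;
            if (e->major != -1 && e->major != deny->major) continue;
            if (e->minor != -1 && e->minor != deny->minor) continue;
        }
        e->access &= ~deny->access;
    }
}

/* Format an entry in the devices.list style quoted above, e.g. "a *:* rwm". */
static const char *model_list_line(const struct wl_entry *e, char *buf, size_t len)
{
    char maj[16] = "*", min[16] = "*";
    if (e->major != -1) snprintf(maj, sizeof maj, "%d", e->major);
    if (e->minor != -1) snprintf(min, sizeof min, "%d", e->minor);
    snprintf(buf, len, "%c %s:%s %s%s%s", (int)e->type, maj, min,
             e->access & ACC_READ ? "r" : "", e->access & ACC_WRITE ? "w" : "",
             e->access & ACC_MKNOD ? "m" : "");
    return buf;
}

int main(void)
{
    struct wl_entry wl[1] = { { DEV_ALL, -1, -1, ACC_READ | ACC_WRITE | ACC_MKNOD } };
    struct wl_entry deny = { DEV_BLOCK, 253, 3, ACC_READ | ACC_WRITE };
    char buf[32];
    printf("before: %s\n", model_list_line(&wl[0], buf, sizeof buf));
    model_whitelist_rm(wl, 1, &deny);
    printf("after:  %s\n", model_list_line(&wl[0], buf, sizeof buf));
    return 0;
}
```

In this model a deny aimed at one block device narrows the wildcard entry for every device, block and character alike, which is why the listing changes from 'a *:* rwm' to 'a *:* m'.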