Re: [PATCH] cgroup: fix device deny of DEV_ALL

From: Amos Kong
Date: Mon May 21 2012 - 22:14:33 EST

Next message: Linus Torvalds: "Re: 3.4+ dcache BUG."
Previous message: Michael Neuling: "Re: linux-next: PowerPC boot failures in next-20120521"
In reply to: Amos Kong: "Re: [PATCH] cgroup: fix device deny of DEV_ALL"
Next in thread: Serge Hallyn: "Re: [PATCH] cgroup: fix device deny of DEV_ALL"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 22/05/12 09:54, Serge E. Hallyn wrote:

Quoting Li Zefan (lizefan@xxxxxxxxxx):
Serge Hallyn wrote:

Quoting Amos Kong (akong@xxxxxxxxxx):
@ mount -t cgroup -o devices none /cgroup
@ mkdir /cgroups/devices
@ ls -l /dev/dm-3
brw-rw----. 1 root disk 253, 3 Oct 14 19:03 /dev/dm-3
@ echo 'b 253:3 rw'> devices.deny
but I can still write it by 'dd if=/dev/zero of=/dev/dm-3'

In devcgroup_create(), we create a new whitelist, and add first
entry which type is 'DEV_ALL'. Execute "# echo 'b 253:3 rw'>
devices.deny", dev_whitelist_rm() will update access of first
entry to 1(m), but type of first entry is still 'DEV_ALL'.

Hi,

thanks. You raise a good point, but I think it needs some discussion.

What happens right now is that if you have the 'a *:* rwm' entry and do
echo 'b 253:3 rw'> devices.deny, then when you next cat devices.list you
will still see the 'a *:* rwm' entry. So there should be no confusion
over why the dd succeeds.

You didn't remove the entry, because there
was no match echoed into devices.deny.

Hi serge,

My patch updated type,major,minor, it _equals to_ remove 'a *:* rwm' and add 'b *:* m'
It's a clear logic, why need to manually remove 'a *:* rwm'?

No, you'll see the entry has been changed to 'a *:* m', so I think we
should at least fix this.

Yikes. Agreed. That's a bug.

which bug? should not update walk->access if wh->access is not 'rwm'?

diff --git a/security/device_cgroup.c b/security/device_cgroup.c
index c43a332..e619a34 100644
--- a/security/device_cgroup.c
+++ b/security/device_cgroup.c
@@ -145,7 +145,8 @@ static void dev_whitelist_rm(struct dev_cgroup *dev_cgroup,
continue;

remove:
- walk->access &= ~wh->access;
+ if (walk->type != DEV_ALL || wh->access == ACC_MASK)
+ walk->access &= ~wh->access;
if (!walk->access) {
list_del_rcu(&walk->list);
kfree_rcu(walk, rcu);

--
Amos.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Linus Torvalds: "Re: 3.4+ dcache BUG."
Previous message: Michael Neuling: "Re: linux-next: PowerPC boot failures in next-20120521"
In reply to: Amos Kong: "Re: [PATCH] cgroup: fix device deny of DEV_ALL"
Next in thread: Serge Hallyn: "Re: [PATCH] cgroup: fix device deny of DEV_ALL"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]