Re: [PATCH RFC 1/4] bpf: add cgroup device guard to flag a cgroup device prog

From: Christian Brauner
Date: Mon Sep 11 2023 - 18:00:04 EST


> So are you OK with the checks here?

I'm ok with figuring out whether we can do this nicely, yes.

> > Because right now device access management seems its own form of
> > mandatory access control.
>
> I'm currently testing an updated version which has incorporated the locking
> changes already mentioned by Alex and the change which avoids setting SB_I_NODEV
> in fs/super.c.

Not having to hack around SB_I_NODEV would be pretty crucial imho. It's
a core security assumption so we need to integrate with it nicely.