Re: [PATCH v2 6/6] device_cgroup: introduce a new, more consistent interface for device_cgroup
Quoting Aristeu Rozanski (a...@redhat.com):
> Internally device_cgroup now uses a default rule (behavior) and an exception
> list and this interface reflects it.
>
> The new files, devices.behavior ('allow' or 'deny') and devices.exceptions map
> directly to the internal state.
>
> Also, update documentation about the new interface.
>
> Cc: Tejun Heo
> Cc: Li Zefan
> Cc: James Morris
> Cc: Pavel Emelyanov
> Cc: Serge Hallyn
Acked-by: Serge Hallyn
> Signed-off-by: Aristeu Rozanski
>
> ---
> Documentation/cgroups/devices.txt | 73
> --
> security/device_cgroup.c | 63 +++-
> 2 files changed, 107 insertions(+), 29 deletions(-)
>
> --- a/security/device_cgroup.c2012-08-30 11:53:54.214675713 -0400
> +++ b/security/device_cgroup.c2012-08-30 11:53:54.227682064 -0400
> @@ -214,6 +214,8 @@ static void devcgroup_destroy(struct cgr
> #define DEVCG_ALLOW 1
> #define DEVCG_DENY 2
> #define DEVCG_LIST 3
> +#define DEVCG_BEHAVIOR 4
> +#define DEVCG_EXCEPTIONS 5
>
> #define MAJMINLEN 13
> #define ACCLEN 4
> @@ -249,11 +251,25 @@ static void set_majmin(char *str, unsign
> sprintf(str, "%u", m);
> }
>
> +static void __devcg_seq_list_exceptions(struct dev_cgroup *devcg,
> + struct seq_file *m)
> +{
> + struct dev_exception_item *ex;
> + char maj[MAJMINLEN], min[MAJMINLEN], acc[ACCLEN];
> +
> + list_for_each_entry_rcu(ex, &devcg->exceptions, list) {
> + set_access(acc, ex->access);
> + set_majmin(maj, ex->major);
> + set_majmin(min, ex->minor);
> + seq_printf(m, "%c %s:%s %s\n", type_to_char(ex->type),
> +maj, min, acc);
> + }
> +}
> +
> static int devcgroup_seq_read(struct cgroup *cgroup, struct cftype *cft,
> struct seq_file *m)
> {
> struct dev_cgroup *devcgroup = cgroup_to_devcgroup(cgroup);
> - struct dev_exception_item *ex;
> char maj[MAJMINLEN], min[MAJMINLEN], acc[ACCLEN];
>
> rcu_read_lock();
> @@ -269,20 +285,37 @@ static int devcgroup_seq_read(struct cgr
> set_majmin(min, ~0);
> seq_printf(m, "%c %s:%s %s\n", type_to_char(DEV_ALL),
> maj, min, acc);
> - } else {
> - list_for_each_entry_rcu(ex, &devcgroup->exceptions, list) {
> - set_access(acc, ex->access);
> - set_majmin(maj, ex->major);
> - set_majmin(min, ex->minor);
> - seq_printf(m, "%c %s:%s %s\n", type_to_char(ex->type),
> -maj, min, acc);
> - }
> - }
> + } else
> + __devcg_seq_list_exceptions(devcgroup, m);
> +
> rcu_read_unlock();
>
> return 0;
> }
>
> +static int devcg_seq_read_behavior(struct cgroup *cgroup,
> +struct cftype *cft, struct seq_file *m)
> +{
> + struct dev_cgroup *devcgroup = cgroup_to_devcgroup(cgroup);
> +
> + if (devcgroup->behavior == DEVCG_DEFAULT_ALLOW)
> + seq_printf(m, "allow\n");
> + else
> + seq_printf(m, "deny\n");
> +
> + return 0;
> +}
> +
> +static int devcg_seq_read_exceptions(struct cgroup *cgroup,
> + struct cftype *cft, struct seq_file *m)
> +{
> + struct dev_cgroup *devcgroup = cgroup_to_devcgroup(cgroup);
> +
> + __devcg_seq_list_exceptions(devcgroup, m);
> +
> + return 0;
> +}
> +
> /**
> * may_access - verifies if a new exception is part of what is allowed
> * by a dev cgroup based on the default policy +
> @@ -521,6 +554,16 @@ static struct cftype dev_cgroup_files[]
> .read_seq_string = devcgroup_seq_read,
> .private = DEVCG_LIST,
> },
> + {
> + .name = "behavior",
> + .read_seq_string = devcg_seq_read_behavior,
> + .private = DEVCG_BEHAVIOR,
> + },
> + {
> + .name = "exceptions",
> + .read_seq_string = devcg_seq_read_exceptions,
> + .private = DEVCG_EXCEPTIONS,
> + },
> { } /* terminate */
> };
>
> --- a/Documentation/cgroups/devices.txt 2012-06-18 14:33:03.913651049
> -0400
> +++ b/Documentation/cgroups/devices.txt 2012-08-30 12:20:46.25872
> -0400
> @@ -3,37 +3,65 @@ Device Whitelist Controller
> 1. Description:
>
> Implement a cgroup to track and enforce open and mknod restrictions
> -on device files. A device cgroup associates a device access
> -whitelist with each cgroup. A whitelist entry has 4 fields.
> -'type' is a (all), c (char), or b (block). 'all' means it applies
> -to all types and all major and minor numbers. Major and minor are
> -either an integer or * for all. Access is a composition of r
> -(read), w (write), and m (mknod).
> -
> -The root device cgroup starts with rwm to 'all'
[PATCH v2 6/6] device_cgroup: introduce a new, more consistent interface for device_cgroup
Internally device_cgroup now uses a default rule (behavior) and an exception
list and this interface reflects it.
The new files, devices.behavior ('allow' or 'deny') and devices.exceptions map
directly to the internal state.
Also, update documentation about the new interface.
Cc: Tejun Heo
Cc: Li Zefan
Cc: James Morris
Cc: Pavel Emelyanov
Cc: Serge Hallyn
Signed-off-by: Aristeu Rozanski
---
Documentation/cgroups/devices.txt | 73 --
security/device_cgroup.c | 63 +++-
2 files changed, 107 insertions(+), 29 deletions(-)
--- a/security/device_cgroup.c 2012-08-30 11:53:54.214675713 -0400
+++ b/security/device_cgroup.c 2012-08-30 11:53:54.227682064 -0400
@@ -214,6 +214,8 @@ static void devcgroup_destroy(struct cgr
#define DEVCG_ALLOW 1
#define DEVCG_DENY 2
#define DEVCG_LIST 3
+#define DEVCG_BEHAVIOR 4
+#define DEVCG_EXCEPTIONS 5
#define MAJMINLEN 13
#define ACCLEN 4
@@ -249,11 +251,25 @@ static void set_majmin(char *str, unsign
sprintf(str, "%u", m);
}
+static void __devcg_seq_list_exceptions(struct dev_cgroup *devcg,
+ struct seq_file *m)
+{
+ struct dev_exception_item *ex;
+ char maj[MAJMINLEN], min[MAJMINLEN], acc[ACCLEN];
+
+ list_for_each_entry_rcu(ex, &devcg->exceptions, list) {
+ set_access(acc, ex->access);
+ set_majmin(maj, ex->major);
+ set_majmin(min, ex->minor);
+ seq_printf(m, "%c %s:%s %s\n", type_to_char(ex->type),
+ maj, min, acc);
+ }
+}
+
static int devcgroup_seq_read(struct cgroup *cgroup, struct cftype *cft,
struct seq_file *m)
{
struct dev_cgroup *devcgroup = cgroup_to_devcgroup(cgroup);
- struct dev_exception_item *ex;
char maj[MAJMINLEN], min[MAJMINLEN], acc[ACCLEN];
rcu_read_lock();
@@ -269,20 +285,37 @@ static int devcgroup_seq_read(struct cgr
set_majmin(min, ~0);
seq_printf(m, "%c %s:%s %s\n", type_to_char(DEV_ALL),
maj, min, acc);
- } else {
- list_for_each_entry_rcu(ex, &devcgroup->exceptions, list) {
- set_access(acc, ex->access);
- set_majmin(maj, ex->major);
- set_majmin(min, ex->minor);
- seq_printf(m, "%c %s:%s %s\n", type_to_char(ex->type),
- maj, min, acc);
- }
- }
+ } else
+ __devcg_seq_list_exceptions(devcgroup, m);
+
rcu_read_unlock();
return 0;
}
+static int devcg_seq_read_behavior(struct cgroup *cgroup,
+ struct cftype *cft, struct seq_file *m)
+{
+ struct dev_cgroup *devcgroup = cgroup_to_devcgroup(cgroup);
+
+ if (devcgroup->behavior == DEVCG_DEFAULT_ALLOW)
+ seq_printf(m, "allow\n");
+ else
+ seq_printf(m, "deny\n");
+
+ return 0;
+}
+
+static int devcg_seq_read_exceptions(struct cgroup *cgroup,
+struct cftype *cft, struct seq_file *m)
+{
+ struct dev_cgroup *devcgroup = cgroup_to_devcgroup(cgroup);
+
+ __devcg_seq_list_exceptions(devcgroup, m);
+
+ return 0;
+}
+
/**
* may_access - verifies if a new exception is part of what is allowed
* by a dev cgroup based on the default policy +
@@ -521,6 +554,16 @@ static struct cftype dev_cgroup_files[]
.read_seq_string = devcgroup_seq_read,
.private = DEVCG_LIST,
},
+ {
+ .name = "behavior",
+ .read_seq_string = devcg_seq_read_behavior,
+ .private = DEVCG_BEHAVIOR,
+ },
+ {
+ .name = "exceptions",
+ .read_seq_string = devcg_seq_read_exceptions,
+ .private = DEVCG_EXCEPTIONS,
+ },
{ } /* terminate */
};
--- a/Documentation/cgroups/devices.txt 2012-06-18 14:33:03.913651049 -0400
+++ b/Documentation/cgroups/devices.txt 2012-08-30 12:20:46.25872 -0400
@@ -3,37 +3,65 @@ Device Whitelist Controller
1. Description:
Implement a cgroup to track and enforce open and mknod restrictions
-on device files. A device cgroup associates a device access
-whitelist with each cgroup. A whitelist entry has 4 fields.
-'type' is a (all), c (char), or b (block). 'all' means it applies
-to all types and all major and minor numbers. Major and minor are
-either an integer or * for all. Access is a composition of r
-(read), w (write), and m (mknod).
-
-The root device cgroup starts with rwm to 'all'. A child device
-cgroup gets a copy of the parent. Administrators can then remove
-devices from the whitelist or add new entries. A child cgroup can
+on device files. A device cgroup associates a device access default
+behavior and a exception list with
