lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Fri, 04 Jul 2008 13:54:15 +0800 From: Li Zefan <lizf@...fujitsu.com> To: Andrew Morton <akpm@...ux-foundation.org> CC: "Serge E. Hallyn" <serue@...ibm.com>, LKML <linux-kernel@...r.kernel.org> Subject: [PATCH] devcgroup: fix odd behaviour when writing 'a' to devices.allow # cat /devcg/devices.list a *:* rwm # echo a > devices.allow # cat /devcg/devices.list a *:* rwm a 0:0 rwm This is odd and maybe confusing. With this patch, writing 'a' to devices.allow will add 'a *:* rwm' to the whitelist. Also a few fixes and updates to the document. Signed-off-by: Li Zefan <lizf@...fujitsu.com> --- Documentation/controllers/devices.txt | 8 ++++++-- security/device_cgroup.c | 2 ++ 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/Documentation/controllers/devices.txt b/Documentation/controllers/devices.txt index 4dcea42..7cc6e6a 100644 --- a/Documentation/controllers/devices.txt +++ b/Documentation/controllers/devices.txt @@ -13,7 +13,7 @@ either an integer or * for all. Access is a composition of r The root device cgroup starts with rwm to 'all'. A child device cgroup gets a copy of the parent. Administrators can then remove devices from the whitelist or add new entries. A child cgroup can -never receive a device access which is denied its parent. However +never receive a device access which is denied by its parent. However when a device access is removed from a parent it will not also be removed from the child(ren). @@ -29,7 +29,11 @@ allows cgroup 1 to read and mknod the device usually known as echo a > /cgroups/1/devices.deny -will remove the default 'a *:* mrw' entry. +will remove the default 'a *:* rwm' entry. Doing + + echo a > /cgroups/1/devices.allow + +will add the 'a *:* rwm' entry to the whitelist. 3. Security diff --git a/security/device_cgroup.c b/security/device_cgroup.c index baf3488..fd764a0 100644 --- a/security/device_cgroup.c +++ b/security/device_cgroup.c @@ -382,6 +382,8 @@ static ssize_t devcgroup_access_write(struct cgroup *cgroup, struct cftype *cft, case 'a': wh.type = DEV_ALL; wh.access = ACC_MASK; + wh.major = ~0; + wh.minor = ~0; goto handle; case 'b': wh.type = DEV_BLOCK; -- 1.5.4.rc3 -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists