| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 7 Jul 2008 12:25:46 -0500 From: "Serge E. Hallyn" <serue@...ibm.com> To: Li Zefan <lizf@...fujitsu.com> Cc: Andrew Morton <akpm@...ux-foundation.org>, LKML <linux-kernel@...r.kernel.org> Subject: Re: [PATCH] devcgroup: fix odd behaviour when writing 'a' to devices.allow Quoting Li Zefan (lizf@...fujitsu.com): > # cat /devcg/devices.list > a *:* rwm > # echo a > devices.allow > # cat /devcg/devices.list > a *:* rwm > a 0:0 rwm > > This is odd and maybe confusing. With this patch, writing 'a' > to devices.allow will add 'a *:* rwm' to the whitelist. > > Also a few fixes and updates to the document. > > Signed-off-by: Li Zefan <lizf@...fujitsu.com> Acked-by: Serge Hallyn <serue@...ibm.com> thanks, -serge > --- > Documentation/controllers/devices.txt | 8 ++++++-- > security/device_cgroup.c | 2 ++ > 2 files changed, 8 insertions(+), 2 deletions(-) > > diff --git a/Documentation/controllers/devices.txt b/Documentation/controllers/devices.txt > index 4dcea42..7cc6e6a 100644 > --- a/Documentation/controllers/devices.txt > +++ b/Documentation/controllers/devices.txt > @@ -13,7 +13,7 @@ either an integer or * for all. Access is a composition of r > The root device cgroup starts with rwm to 'all'. A child device > cgroup gets a copy of the parent. Administrators can then remove > devices from the whitelist or add new entries. A child cgroup can > -never receive a device access which is denied its parent. However > +never receive a device access which is denied by its parent. However > when a device access is removed from a parent it will not also be > removed from the child(ren). > > @@ -29,7 +29,11 @@ allows cgroup 1 to read and mknod the device usually known as > > echo a > /cgroups/1/devices.deny > > -will remove the default 'a *:* mrw' entry. > +will remove the default 'a *:* rwm' entry. Doing > + > + echo a > /cgroups/1/devices.allow > + > +will add the 'a *:* rwm' entry to the whitelist. > > 3. Security > > diff --git a/security/device_cgroup.c b/security/device_cgroup.c > index baf3488..fd764a0 100644 > --- a/security/device_cgroup.c > +++ b/security/device_cgroup.c > @@ -382,6 +382,8 @@ static ssize_t devcgroup_access_write(struct cgroup *cgroup, struct cftype *cft, > case 'a': > wh.type = DEV_ALL; > wh.access = ACC_MASK; > + wh.major = ~0; > + wh.minor = ~0; > goto handle; > case 'b': > wh.type = DEV_BLOCK; > -- > 1.5.4.rc3 -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists