| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <47CED717.60406@openvz.org> Date: Wed, 05 Mar 2008 20:23:35 +0300 From: Pavel Emelyanov <xemul@...nvz.org> To: Andrew Morton <akpm@...ux-foundation.org> CC: Linux Kernel Mailing List <linux-kernel@...r.kernel.org>, Paul Menage <menage@...gle.com>, Sukadev Bhattiprolu <sukadev@...ibm.com>, Serge Hallyn <serue@...ibm.com> Subject: [PATCH 0/9] Devices accessibility control group (v4) Changes from v3: * Ported on 2.6.25-rc3-mm1; * Re-splitted into smaller pieces; * Added more comments to tricky places. This controller allows to tune the devices accessibility by tasks, i.e. grant full access for /dev/null, /dev/zero etc, grant read-only access to IDE devices and completely hide SCSI disks. Tasks still can call mknod to create device files, regardless of whether the particular device is visible or accessible, but they may not be able to open it later. This one hides under CONFIG_CGROUP_DEVS option. To play with it - run a standard procedure: # mount -t container none /cont/devs -o devices # mkdir /cont/devs/0 # echo -n $$ > /cont/devs/0/tasks and tune device permissions. The only configuration file called devices.permissions accepts strings like '[cb] <major>:(<minor>|*) [r-][w-]' to provide read, write or read-write access to a particular device. Asterisk as the minor means "all devices with a given major". This will be described in Documentation/controllers/devices.txt file in more details. Here are some historical notes. The third version was here: http://openvz.org/pipermail/devel/2008-February/010832.html Changes from v2: * Fixed problems pointed out by Sukadev with permissions revoke. Now we have to perform kobject re-lookup on each char device open, just like for block ones, so I think this is OK. The second version was here: http://openvz.org/pipermail/devel/2008-January/010160.html Changes from v1: * Added the block devices support :) It turned out to be a bit simpler than the char one (or I missed something significant); * Now we can enable/disable not just individual devices, but the whole major with all its minors (see the TODO list beyond as well); * Added the ability to restrict the read/write permissions to devices, not just visible/invisible state. The first version was here: http://openvz.org/pipermail/devel/2007-September/007647.html Thanks, Pavel -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists