| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20121129202608.GA26716@mail.hallyn.com> Date: Thu, 29 Nov 2012 20:26:08 +0000 From: "Serge E. Hallyn" <serge@...lyn.com> To: Aristeu Rozanski <aris@...hat.com> Cc: "Serge E. Hallyn" <serge@...lyn.com>, linux-kernel@...r.kernel.org, Tejun Heo <tj@...nel.org>, Serge Hallyn <serge.hallyn@...onical.com>, cgroups@...r.kernel.org Subject: Re: [PATCH 3/5] device_cgroup: keep track of local group settings Quoting Aristeu Rozanski (aris@...hat.com): > On Thu, Nov 29, 2012 at 07:29:45PM +0000, Serge E. Hallyn wrote: > > Quoting Aristeu Rozanski (aris@...hat.com): > > > In preparation for better hierarchy support, it's needed to retain the local > > > settings in order to try to reapply them after a propagated change if they're > > > still valid. > > > > > > Cc: Tejun Heo <tj@...nel.org> > > > Cc: Serge Hallyn <serge.hallyn@...onical.com> > > > Signed-off-by: Aristeu Rozanski <aris@...hat.com> > > > > > > --- > > > security/device_cgroup.c | 108 ++++++++++++++++++++++++++++++++++------------- > > > 1 file changed, 80 insertions(+), 28 deletions(-) > > > > Hi, > > > > thanks for doing this. I've got one concern though. I don't see > > any place where devcgroup_create() was updated to create the > > local exceptions list. I think we need a guarantee that at > > the local exceptions list is part of the dev_cgroup structure and it's > initialized on the patch 'device_cgroup: keep track of local group > setting': > > @@ -190,6 +238,8 @@ > if (!dev_cgroup) > return ERR_PTR(-ENOMEM); > INIT_LIST_HEAD(&dev_cgroup->exceptions); > + INIT_LIST_HEAD(&dev_cgroup->local.exceptions); > + dev_cgroup->local.behavior = DEVCG_DEFAULT_NONE; > parent_cgroup = cgroup->parent; > > if (parent_cgroup == NULL) > > > any time the local exceptions list will contain all the entries > > contained in the cgroup->exceptions list. Otherwise you cannot > > hm, no. the local exceptions are meant to be used for stuff written > locally. the devcgroup->exceptions list is the list in effect. > > > use the exception_add() the way you do (or you can't use RCU), > > since there could be a window between the successful addition > > of a rule to cgroup->local.exceptions and the failed addition to > > cgroup->exceptions, during which a task (since it won't need > > the mutex for devcg_allow()) could exceed allowed permissions. > > > > It's possible I'm misunderstanding. If you think that's the case > > just kick me and I'll take a fresh look. > > I see your point. it's indeed a problem. in dev_exception_add(), it > needs to check for permissions before actually adding to > devcgroup->exceptions. > > > (Btw is there a git tree or gitweb view I could look at alongside > > the patchset?) > > I'll rebase the patchset along with a fix for this and resubmit with a > link to the git repo. Thanks, Aristeu! -serge -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists