# cat /devcg/devices.list
a *:* rwm
# echo a > devices.allow
# cat /devcg/devices.list
a *:* rwm
a 0:0 rwm
This is odd and maybe confusing. With this patch, writing 'a'
to devices.allow will add 'a *:* rwm' to the whitelist.
Also a few fixes and updates to the document.
Signed-off-by: Li Zefan <[email protected]>
---
Documentation/controllers/devices.txt | 8 ++++++--
security/device_cgroup.c | 2 ++
2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/Documentation/controllers/devices.txt b/Documentation/controllers/devices.txt
index 4dcea42..7cc6e6a 100644
--- a/Documentation/controllers/devices.txt
+++ b/Documentation/controllers/devices.txt
@@ -13,7 +13,7 @@ either an integer or * for all. Access is a composition of r
The root device cgroup starts with rwm to 'all'. A child device
cgroup gets a copy of the parent. Administrators can then remove
devices from the whitelist or add new entries. A child cgroup can
-never receive a device access which is denied its parent. However
+never receive a device access which is denied by its parent. However
when a device access is removed from a parent it will not also be
removed from the child(ren).
@@ -29,7 +29,11 @@ allows cgroup 1 to read and mknod the device usually known as
echo a > /cgroups/1/devices.deny
-will remove the default 'a *:* mrw' entry.
+will remove the default 'a *:* rwm' entry. Doing
+
+ echo a > /cgroups/1/devices.allow
+
+will add the 'a *:* rwm' entry to the whitelist.
3. Security
diff --git a/security/device_cgroup.c b/security/device_cgroup.c
index baf3488..fd764a0 100644
--- a/security/device_cgroup.c
+++ b/security/device_cgroup.c
@@ -382,6 +382,8 @@ static ssize_t devcgroup_access_write(struct cgroup *cgroup, struct cftype *cft,
case 'a':
wh.type = DEV_ALL;
wh.access = ACC_MASK;
+ wh.major = ~0;
+ wh.minor = ~0;
goto handle;
case 'b':
wh.type = DEV_BLOCK;
--
1.5.4.rc3
Quoting Li Zefan ([email protected]):
> # cat /devcg/devices.list
> a *:* rwm
> # echo a > devices.allow
> # cat /devcg/devices.list
> a *:* rwm
> a 0:0 rwm
>
> This is odd and maybe confusing. With this patch, writing 'a'
> to devices.allow will add 'a *:* rwm' to the whitelist.
>
> Also a few fixes and updates to the document.
>
> Signed-off-by: Li Zefan <[email protected]>
Acked-by: Serge Hallyn <[email protected]>
thanks,
-serge
> ---
> Documentation/controllers/devices.txt | 8 ++++++--
> security/device_cgroup.c | 2 ++
> 2 files changed, 8 insertions(+), 2 deletions(-)
>
> diff --git a/Documentation/controllers/devices.txt b/Documentation/controllers/devices.txt
> index 4dcea42..7cc6e6a 100644
> --- a/Documentation/controllers/devices.txt
> +++ b/Documentation/controllers/devices.txt
> @@ -13,7 +13,7 @@ either an integer or * for all. Access is a composition of r
> The root device cgroup starts with rwm to 'all'. A child device
> cgroup gets a copy of the parent. Administrators can then remove
> devices from the whitelist or add new entries. A child cgroup can
> -never receive a device access which is denied its parent. However
> +never receive a device access which is denied by its parent. However
> when a device access is removed from a parent it will not also be
> removed from the child(ren).
>
> @@ -29,7 +29,11 @@ allows cgroup 1 to read and mknod the device usually known as
>
> echo a > /cgroups/1/devices.deny
>
> -will remove the default 'a *:* mrw' entry.
> +will remove the default 'a *:* rwm' entry. Doing
> +
> + echo a > /cgroups/1/devices.allow
> +
> +will add the 'a *:* rwm' entry to the whitelist.
>
> 3. Security
>
> diff --git a/security/device_cgroup.c b/security/device_cgroup.c
> index baf3488..fd764a0 100644
> --- a/security/device_cgroup.c
> +++ b/security/device_cgroup.c
> @@ -382,6 +382,8 @@ static ssize_t devcgroup_access_write(struct cgroup *cgroup, struct cftype *cft,
> case 'a':
> wh.type = DEV_ALL;
> wh.access = ACC_MASK;
> + wh.major = ~0;
> + wh.minor = ~0;
> goto handle;
> case 'b':
> wh.type = DEV_BLOCK;
> --
> 1.5.4.rc3