• Aristeu Rozanski's avatar
    device_cgroup: check if exception removal is allowed · d2c2b11c
    Aristeu Rozanski authored
    [PATCH v3 1/2] device_cgroup: check if exception removal is allowed
    
    When the device cgroup hierarchy was introduced in
    	bd2953eb - devcg: propagate local changes down the hierarchy
    
    a specific case was overlooked. Consider the hierarchy bellow:
    
    	A	default policy: ALLOW, exceptions will deny access
    	 \
    	  B	default policy: ALLOW, exceptions will deny access
    
    There's no need to verify when an new exception is added to B because
    in this case exceptions will deny access to further devices, which is
    always fine. Hierarchy in device cgroup only makes sure B won't have
    more access than A.
    
    But when an exception is removed (by writing devices.allow), it isn't
    checked if the user is in fact removing an inherited exception from A,
    thus giving more access to B.
    
    Example:
    
    	# echo 'a' >A/devices.allow
    	# echo 'c 1:3 rw' >A/devices.deny
    	# echo $$ >A/B/tasks
    	# echo >/dev/null
    	-bash: /dev/null: Operation not permitted
    	# echo 'c 1:3 w' >A/B/devices.allow
    	# echo >/dev/null
    	#
    
    This shouldn't be allowed and this patch fixes it by making sure to never allow
    exceptions in this case to be removed if the exception is partially or fully
    present on the parent.
    
    v3: missing '*' in function description
    v2: improved log message and formatting fixes
    
    Cc: cgroups@vger.kernel.org
    Cc: Li Zefan <lizefan@huawei.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: default avatarAristeu Rozanski <arozansk@redhat.com>
    Acked-by: default avatarSerge Hallyn <serge.hallyn@canonical.com>
    Signed-off-by: default avatarTejun Heo <tj@kernel.org>
    d2c2b11c
device_cgroup.c 21.2 KB