1
linux/fs
Serge E. Hallyn 08ce5f16ee cgroups: implement device whitelist
Implement a cgroup to track and enforce open and mknod restrictions on device
files.  A device cgroup associates a device access whitelist with each cgroup.
 A whitelist entry has 4 fields.  'type' is a (all), c (char), or b (block).
'all' means it applies to all types and all major and minor numbers.  Major
and minor are either an integer or * for all.  Access is a composition of r
(read), w (write), and m (mknod).

The root device cgroup starts with rwm to 'all'.  A child devcg gets a copy of
the parent.  Admins can then remove devices from the whitelist or add new
entries.  A child cgroup can never receive a device access which is denied its
parent.  However when a device access is removed from a parent it will not
also be removed from the child(ren).

An entry is added using devices.allow, and removed using
devices.deny.  For instance

	echo 'c 1:3 mr' > /cgroups/1/devices.allow

allows cgroup 1 to read and mknod the device usually known as
/dev/null.  Doing

	echo a > /cgroups/1/devices.deny

will remove the default 'a *:* mrw' entry.

CAP_SYS_ADMIN is needed to change permissions or move another task to a new
cgroup.  A cgroup may not be granted more permissions than the cgroup's parent
has.  Any task can move itself between cgroups.  This won't be sufficient, but
we can decide the best way to adequately restrict movement later.

[akpm@linux-foundation.org: coding-style fixes]
[akpm@linux-foundation.org: fix may-be-used-uninitialized warning]
Signed-off-by: Serge E. Hallyn <serue@us.ibm.com>
Acked-by: James Morris <jmorris@namei.org>
Looks-good-to: Pavel Emelyanov <xemul@openvz.org>
Cc: Daniel Hokka Zakrisson <daniel@hozac.com>
Cc: Li Zefan <lizf@cn.fujitsu.com>
Cc: Paul Menage <menage@google.com>
Cc: Balbir Singh <balbir@in.ibm.com>
Cc: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2008-04-29 08:06:09 -07:00
..
9p [PATCH] restore sane ->umount_begin() API 2008-04-25 09:23:25 -04:00
adfs adfs: work around bogus sparse warning 2008-04-29 08:05:59 -07:00
affs fs/affs/file.c: use BUG_ON 2008-04-29 08:06:02 -07:00
afs
autofs
autofs4 autofs4: fix sparse warning in root.c 2008-04-29 08:06:01 -07:00
befs befs: fix sparse warning in linuxvfs.c 2008-04-29 08:05:59 -07:00
bfs
cifs [PATCH] restore sane ->umount_begin() API 2008-04-25 09:23:25 -04:00
coda codafs: fix build warning 2008-04-29 08:06:04 -07:00
configfs
cramfs fs: Remove unnecessary inclusions of asm/semaphore.h 2008-04-18 22:16:44 -04:00
debugfs
devpts
dlm Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/teigland/dlm 2008-04-22 13:44:23 -07:00
ecryptfs eCryptfs: protect crypt_stat->flags in ecryptfs_open() 2008-04-29 08:06:07 -07:00
efs
exportfs
ext2 ext2: retry block allocation if new blocks are allocated from system zone 2008-04-28 08:58:43 -07:00
ext3 ext3: replace remaining __FUNCTION__ occurrences 2008-04-28 08:58:45 -07:00
ext4 quota: ext4: make ext4 handle quotaon on remount 2008-04-28 08:58:33 -07:00
fat fatfs: fix build warning with 64k PAGE_SIZE 2008-04-28 08:58:47 -07:00
freevxfs fs/freevxfs/: proper externs 2008-04-29 08:06:00 -07:00
fuse [PATCH] restore sane ->umount_begin() API 2008-04-25 09:23:25 -04:00
gfs2 mm: remove nopage 2008-04-28 08:58:18 -07:00
hfs hfs: handle match_strdup failure 2008-04-29 08:06:01 -07:00
hfsplus hfsplus: handle match_strdup failure 2008-04-29 08:06:02 -07:00
hostfs
hpfs
hppfs
hugetlbfs mempolicy: use struct mempolicy pointer in shmem_sb_info 2008-04-28 08:58:25 -07:00
isofs
jbd jbd: replace remaining __FUNCTION__ occurrences 2008-04-28 08:58:45 -07:00
jbd2
jffs2 [JFFS2] Introduce dbg_readinode2 log level, use it to shut read_dnode() up 2008-04-23 16:43:15 +01:00
jfs [PATCH] r/o bind mounts: elevate write count for ioctls() 2008-04-19 00:29:24 -04:00
lockd locks: don't call ->copy_lock methods on return of conflicting locks 2008-04-25 13:00:11 -04:00
minix
msdos fat: fat_notify_change() and check_mode() cleanup 2008-04-28 08:58:47 -07:00
ncpfs ncpfs: fix sparse warning in ncpsign_kernel.c 2008-04-28 08:58:29 -07:00
nfs [PATCH] restore sane ->umount_begin() API 2008-04-25 09:23:25 -04:00
nfs_common
nfsd nfsd: don't allow setting ctime over v4 2008-04-25 13:00:11 -04:00
nls
ntfs
ocfs2 [PATCH] r/o bind mounts: elevate write count for ioctls() 2008-04-19 00:29:24 -04:00
openpromfs
partitions fat: detect media without partition table correctly 2008-04-28 08:58:47 -07:00
proc smaps: account swap entries 2008-04-28 08:58:22 -07:00
qnx4
ramfs fs/ramfs/ extern cleanup 2008-04-29 08:06:00 -07:00
reiserfs reiserfs: unpack tails on quota files 2008-04-28 08:58:46 -07:00
romfs
smbfs
sysfs [SCSI] sysfs: make group is_valid return a mode_t 2008-04-22 15:16:31 -05:00
sysv
udf udf: fix sparse warning in namei.c 2008-04-28 08:58:46 -07:00
ufs ufs: replace __inline with inline 2008-04-28 08:58:45 -07:00
vfat fat: use __getname() 2008-04-28 08:58:47 -07:00
xfs Merge branch 'semaphore' of git://git.kernel.org/pub/scm/linux/kernel/git/willy/misc 2008-04-21 15:41:27 -07:00
aio.c fs/aio.c: make 3 functions static 2008-04-29 08:06:00 -07:00
anon_inodes.c
attr.c
bad_inode.c
binfmt_aout.c fs/binfmt_aout.c: use printk_ratelimit() 2008-04-29 08:06:04 -07:00
binfmt_elf_fdpic.c fdpic: check that the size returned by kernel_read() is what we asked for 2008-04-29 08:06:05 -07:00
binfmt_elf.c [PATCH] sanitize handling of shared descriptor tables in failing execve() 2008-04-25 09:23:53 -04:00
binfmt_em86.c binfmt_misc.c: avoid potential kernel stack overflow 2008-04-29 08:06:04 -07:00
binfmt_flat.c make BINFMT_FLAT a bool 2008-04-29 08:06:01 -07:00
binfmt_misc.c binfmt_misc.c: avoid potential kernel stack overflow 2008-04-29 08:06:04 -07:00
binfmt_script.c binfmt_misc.c: avoid potential kernel stack overflow 2008-04-29 08:06:04 -07:00
binfmt_som.c [PATCH] sanitize handling of shared descriptor tables in failing execve() 2008-04-25 09:23:53 -04:00
bio.c block: convert bio_copy_user to bio_copy_user_iov 2008-04-21 09:50:08 +02:00
block_dev.c
buffer.c make fs/buffer.c:cont_expand_zero() static 2008-04-29 08:06:01 -07:00
char_dev.c fs: remove unused fops from struct char_device_struct 2008-04-29 08:06:01 -07:00
compat_binfmt_elf.c
compat_ioctl.c
compat.c
dcache.c [patch 2/7] vfs: mountinfo: add seq_file_root() 2008-04-23 00:04:38 -04:00
dcookies.c
direct-io.c
dnotify.c
dquot.c quota: quota core changes for quotaon on remount 2008-04-28 08:58:33 -07:00
drop_caches.c vfs: skip inodes without pages to free in drop_pagecache_sb() 2008-04-29 08:06:05 -07:00
eventfd.c
eventpoll.c epoll: avoid kmemcheck warning 2008-04-29 08:05:59 -07:00
exec.c exec: remove argv_len from struct linux_binprm 2008-04-29 08:06:03 -07:00
fcntl.c [PATCH] sanitize locate_fd() 2008-04-25 09:24:05 -04:00
fifo.c
file_table.c [PATCH] r/o bind mounts: debugging for missed calls 2008-04-19 00:29:28 -04:00
file.c
filesystems.c
fs-writeback.c fs/fs-writeback.c: make 2 functions static 2008-04-29 08:06:00 -07:00
generic_acl.c
inode.c fs/inode.c: use hlist_for_each_entry() 2008-04-29 08:06:06 -07:00
inotify_user.c
inotify.c
internal.h [PATCH] move a bunch of declarations to fs/internal.h 2008-04-21 23:11:01 -04:00
ioctl.c make vfs_ioctl() static 2008-04-29 08:06:00 -07:00
ioprio.c
Kconfig Merge git://git.linux-nfs.org/projects/trondmy/nfs-2.6 2008-04-24 11:46:16 -07:00
Kconfig.binfmt make BINFMT_FLAT a bool 2008-04-29 08:06:01 -07:00
libfs.c
locks.c Export __locks_copy_lock() so modular lockd builds 2008-04-25 15:49:46 -07:00
Makefile
mbcache.c
mpage.c
namei.c cgroups: implement device whitelist 2008-04-29 08:06:09 -07:00
namespace.c vfs: remove lives_below_in_same_fs() 2008-04-29 08:06:06 -07:00
nfsctl.c
no-block.c
open.c xip: support non-struct page backed memory 2008-04-28 08:58:23 -07:00
pipe.c [PATCH] double-free of inode on alloc_file() failure exit in create_write_pipe() 2008-04-22 19:54:57 -04:00
pnode.c [patch 7/7] vfs: mountinfo: show dominating group id 2008-04-23 00:05:09 -04:00
pnode.h [patch 7/7] vfs: mountinfo: show dominating group id 2008-04-23 00:05:09 -04:00
posix_acl.c
quota_v1.c quota: do not allow setting of quota limits to too high values 2008-04-28 08:58:32 -07:00
quota_v2.c quota: do not allow setting of quota limits to too high values 2008-04-28 08:58:32 -07:00
quota.c quota: quota core changes for quotaon on remount 2008-04-28 08:58:33 -07:00
read_write.c fs: use loff_t type instead of long long 2008-04-22 15:17:11 -07:00
read_write.h
readdir.c
select.c trivial: small cleanups 2008-04-21 22:15:06 +00:00
seq_file.c [patch 2/7] vfs: mountinfo: add seq_file_root() 2008-04-23 00:04:38 -04:00
signalfd.c
splice.c
stack.c
stat.c
super.c make __put_super() static 2008-04-29 08:06:00 -07:00
sync.c vfs: fix unconditional write_super() call in file_fsync() 2008-04-29 08:06:06 -07:00
timerfd.c fs/timerfd.c should #include <linux/syscalls.h> 2008-04-29 08:06:01 -07:00
utimes.c [PATCH] r/o bind mounts: elevate write count for do_utimes() 2008-04-19 00:29:24 -04:00
xattr_acl.c
xattr.c xattr: add missing consts to function arguments 2008-04-29 08:06:06 -07:00