[Devel] Re: [PATCH 1/1] devices cgroup: allow mkfifo
Daniel Lezcano
dlezcano at fr.ibm.com
Wed Dec 10 02:39:22 PST 2008
Serge E. Hallyn wrote:
> The devcgroup_inode_permission() hook in the devices whitelist
> cgroup has always bypassed access checks on fifos. But the
> mknod hook did not. The devices whitelist is only about block
> and char devices, and fifos can't even be added to the whitelist,
> so fifos can't be created at all except by tasks which have 'a'
> in their whitelist (meaning they have access to all devices).
>
> Fix the behavior by bypassing access checks to mkfifo.
>
> Signed-off-by: Serge E. Hallyn <serue at us.ibm.com>
> ---
> security/device_cgroup.c | 3 +++
> 1 files changed, 3 insertions(+), 0 deletions(-)
>
> diff --git a/security/device_cgroup.c b/security/device_cgroup.c
> index 5ba7870..df9d491 100644
> --- a/security/device_cgroup.c
> +++ b/security/device_cgroup.c
> @@ -513,6 +513,9 @@ int devcgroup_inode_mknod(int mode, dev_t dev)
> struct dev_cgroup *dev_cgroup;
> struct dev_whitelist_item *wh;
>
> + if (!S_ISBLK(mode) && !S_ISCHR(mode))
> + return 0;
> +
> rcu_read_lock();
>
> dev_cgroup = task_devcgroup(current);
Cool thanks. I am able to create the initctl fifo now.
-- Daniel
_______________________________________________
Containers mailing list
Containers at lists.linux-foundation.org
https://lists.linux-foundation.org/mailman/listinfo/containers
More information about the Devel
mailing list