[Devel] [PATCH rh7] ve/device_cgroup: allow to change device mount permission via cgroup

Andrey Ryabinin aryabinin at virtuozzo.com
Thu Jun 16 07:59:46 PDT 2016


Currently, in order to allow a Container to mount a device, we call an
ioctl(get_vzctlfd(), VZCTL_SETDEVPERMS, &devperms) with the S_IXUSR bit set.

In fact, this ioctl() is just a wrapper around the dev cgroup interface, which
is very odd. Instead, let's allow changing the mount permission via the dev cgroup
interface.
Since the letter 'm' is already occupied for the mknod permission, we will use
a capital 'M' for the mount permission.

E.g.:

$ echo 'b 182:954545 M' > /sys/fs/cgroup/devices/$ID/devices.allow
$ cat /sys/fs/cgroup/devices/$ID/devices.list
...
b 182:954545 rmM

https://jira.sw.ru/browse/PSBM-48431

Signed-off-by: Andrey Ryabinin <aryabinin at virtuozzo.com>
---
 security/device_cgroup.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/security/device_cgroup.c b/security/device_cgroup.c
index 0a6d9c4..08e80a5 100644
--- a/security/device_cgroup.c
+++ b/security/device_cgroup.c
@@ -269,7 +269,7 @@ static void devcgroup_css_free(struct cgroup *cgroup)
 #define DEVCG_LIST 3
 
 #define MAJMINLEN 13
-#define ACCLEN 4
+#define ACCLEN 5
 
 static void set_access(char *acc, short access)
 {
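Review bot: the new value of ACCLEN must hold the four possible letters plus the NUL terminator, so 5 is correct for "rwmM\0"; please confirm in the same patch that the buffer callers pass to set_access() is declared as `char acc[ACCLEN]` rather than with a literal 4, since the diffstat shows no other file and no other buffer declaration changes in security/device_cgroup.c.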
@@ -281,6 +281,8 @@ static void set_access(char *acc, short access)
 		acc[idx++] = 'w';
 	if (access & ACC_MKNOD)
 		acc[idx++] = 'm';
+	if (access & ACC_MOUNT)
+		acc[idx++] = 'M';
 }
 
 static char type_to_char(short type)
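Review bot: the 'M' letter is appended after 'm', which matches the "rmM" ordering shown in the commit message; ACC_MOUNT is used here but its definition is not in the diff, so a reader cannot tell from this patch which bit it is or whether it collides with ACC_MASK checks elsewhere in the file. Consider noting in the commit message where ACC_MOUNT comes from, and adding the new letter to the devices cgroup documentation, which this patch does not touch.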
@@ -771,7 +773,7 @@ static int devcgroup_update_access(struct dev_cgroup *devcgroup,
 	}
 	if (!isspace(*b))
 		return -EINVAL;
-	for (b++, count = 0; count < 3; count++, b++) {
+	for (b++, count = 0; count < ACCLEN - 1; count++, b++) {
 		switch (*b) {
 		case 'r':
 			ex.access |= ACC_READ;
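Review bot: replacing the magic number 3 with `ACCLEN - 1` is the right fix, because the loop now has to accept four letters. Note that, as before this patch, the loop exits silently once it has consumed ACCLEN - 1 characters, so an over-long string such as "rwmMx" is accepted with the trailing character ignored rather than rejected with -EINVAL; that is pre-existing behaviour, but it becomes slightly easier to hit now that the accepted string is one character longer.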
@@ -782,9 +784,12 @@ static int devcgroup_update_access(struct dev_cgroup *devcgroup,
 		case 'm':
 			ex.access |= ACC_MKNOD;
 			break;
+		case 'M':
+			ex.access |= ACC_MOUNT;
+			break;
 		case '\n':
 		case '\0':
-			count = 3;
+			count = ACCLEN - 1;
 			break;
 		default:
 			return -EINVAL;
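Review bot: `count = ACCLEN - 1` keeps the early-exit path consistent with the new loop bound in the previous hunk, and the 'M' case mirrors the existing 'm' case. One thing to verify outside this diff: devices.allow writes are checked against the parent cgroup's exceptions, so a child cgroup can only be granted 'M' if its parent already carries ACC_MOUNT; if the root or Container-level cgroup's default exception does not include it, the echo in the commit message will fail with -EPERM for nested cgroups.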
-- 
2.7.3
