[Devel] [PATCH RHEL7 COMMIT] ve/device_cgroup: allow to change device mount permission via cgroup
Konstantin Khorenko
khorenko at virtuozzo.com
Fri Jun 17 02:08:24 PDT 2016
The commit is pushed to "branch-rh7-3.10.0-327.18.2.vz7.14.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-327.18.2.vz7.14.15
------>
commit 3c080800a7f1d1a3102c9d9de1b46b80e0fec187
Author: Andrey Ryabinin <aryabinin at virtuozzo.com>
Date: Fri Jun 17 13:08:24 2016 +0400
ve/device_cgroup: allow to change device mount permission via cgroup
Currently, in order to allow a Container to mount a device, we call an
ioctl(get_vzctlfd(), VZCTL_SETDEVPERMS, &devperms) with the S_IXUSR bit set.
In fact, this ioctl() is just a wrapper around the dev cgroup interface, which
is very odd. Instead, let's allow changing the mount permission via the dev cgroup
interface.
Since the letter 'm' is already occupied by the mknod permission, we will use
a capital 'M' for the mount permission.
E.g.:
$ echo 'b 182:954545 M' > /sys/fs/cgroup/devices/$ID/devices.allow
$ cat /sys/fs/cgroup/devices/$ID/devices.list
...
b 182:954545 rmM
https://jira.sw.ru/browse/PSBM-48431
Signed-off-by: Andrey Ryabinin <aryabinin at virtuozzo.com>
---
security/device_cgroup.c | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/security/device_cgroup.c b/security/device_cgroup.c
index f94d08e..fc14cdc 100644
--- a/security/device_cgroup.c
+++ b/security/device_cgroup.c
@@ -269,7 +269,7 @@ static void devcgroup_css_free(struct cgroup *cgroup)
#define DEVCG_LIST 3
#define MAJMINLEN 13
-#define ACCLEN 4
+#define ACCLEN 5
static void set_access(char *acc, short access)
{
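Review bot: bumping ACCLEN from 4 to 5 only keeps set_access() in bounds if every buffer it writes into is sized with ACCLEN rather than a literal 4, and this hunk does not show those callers; please confirm that the buffer passed to set_access() by the devices.list reader is declared as `char acc[ACCLEN]` and is still zeroed or NUL-terminated before up to four flag characters ('r', 'w', 'm', 'M') are appended, otherwise the new 'M' lands past the end of the old 4-byte buffer.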
@@ -281,6 +281,8 @@ static void set_access(char *acc, short access)
acc[idx++] = 'w';
if (access & ACC_MKNOD)
acc[idx++] = 'm';
+ if (access & ACC_MOUNT)
+ acc[idx++] = 'M';
}
static char type_to_char(short type)
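Review bot: ACC_MOUNT is used here but not introduced by this patch, and the diffstat lists only security/device_cgroup.c, so the constant must already exist for the VZCTL_SETDEVPERMS path named in the commit message; a note in the commit message on where it is defined, and that its bit does not overlap ACC_READ/ACC_WRITE/ACC_MKNOD, would save the next reader a search. The new 'M' flag is also the only capitalised one and should get an entry next to r/w/m in the devices cgroup documentation.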
@@ -771,7 +773,7 @@ static int devcgroup_update_access(struct dev_cgroup *devcgroup,
}
if (!isspace(*b))
return -EINVAL;
- for (b++, count = 0; count < 3; count++, b++) {
+ for (b++, count = 0; count < ACCLEN - 1; count++, b++) {
switch (*b) {
case 'r':
ex.access |= ACC_READ;
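Review bot: widening the bound from 3 to ACCLEN - 1 (now 4) changes parsing for existing callers: with `count < 3` the fourth character of the access field was never examined, while it is now fed to the switch, so an entry such as `b 8:0 rwmx` that used to be accepted now hits the default case and returns -EINVAL. That is the stricter and arguably correct behaviour, but it is user visible and the commit message should say so. Deriving the bound from ACCLEN instead of a literal is the right call, since the same constant sizes the output written by set_access().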
@@ -782,9 +784,12 @@ static int devcgroup_update_access(struct dev_cgroup *devcgroup,
case 'm':
ex.access |= ACC_MKNOD;
break;
+ case 'M':
+ ex.access |= ACC_MOUNT;
+ break;
case '\n':
case '\0':
- count = 3;
+ count = ACCLEN - 1;
break;
default:
return -EINVAL;
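Review bot: accepting 'M' in devices.allow makes this write path the one place a container-visible interface hands out mount rights, so please confirm that the parent-permission check in devcgroup_update_access() (not shown in this hunk) compares the full access mask, including ACC_MOUNT, and that writes to devices.deny clear the bit symmetrically; the commit message and the example with `devices.list` only cover the allow direction. The `count = ACCLEN - 1` in the '\n'/'\0' case mirrors the new loop bound, but a short comment that the parser and set_access() must stay in step would keep the two from drifting apart.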