[Devel] [PATCH rh8 v2 1/2] ve/device_cgroup: Introduce "devices.extra_list" cgroup file
Pavel Tikhomirov
ptikhomirov at virtuozzo.com
Thu May 13 13:18:11 MSK 2021
Both patches look good.
Reviewed-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
On 5/12/21 8:09 PM, Konstantin Khorenko wrote:
> Recent versions of containerd (as a part of k3s-1.19.5)
> started to apply strict rules when parsing the contents of
> 'devices.list' files located in the devices cgroup.
> Namely, the access token is allowed to contain only those values [rwm],
> that are described in
> https://www.kernel.org/doc/Documentation/cgroup-v1/devices.txt
>
> In vzkernel we do have an extra permission in device cgroup to allow
> mount of a block device inside a Container ('M'), so this upsets
> containerd.
>
> Let's leave 'devices.{allow,deny}' files to be able to handle vz
> specific "M" permission, but 'devices.list' to show only [rwm]
> permissions suppressing possible "M" presence.
>
> Let's introduce another file 'devices.extra_list' to show all
> permissions, including possible "M".
>
> $ echo "b 253:3182 rmM" > devices.allow
> $ cat devices.list
> ...
> b 253:3182 rm
> $ cat devices.extra_list
> ...
> b 253:3182 rmM
>
> https://jira.sw.ru/browse/PSBM-123743
>
> Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>
>
> Changes:
> v2: fix DEVCG_DEFAULT_ALLOW branch in devcgroup_seq_show() to show 'M'
> as well in devices::devices.extra_list.
> ---
> include/linux/device_cgroup.h | 4 ++--
> security/device_cgroup.c | 15 +++++++++++++--
> 2 files changed, 15 insertions(+), 4 deletions(-)
>
> diff --git a/include/linux/device_cgroup.h b/include/linux/device_cgroup.h
> index 5a8fb7f78962..5353e22a6ad0 100644
> --- a/include/linux/device_cgroup.h
> +++ b/include/linux/device_cgroup.h
> @@ -6,8 +6,8 @@
> #define DEVCG_ACC_READ 2
> #define DEVCG_ACC_WRITE 4
> #define DEVCG_ACC_MOUNT 64
> -#define DEVCG_ACC_MASK (DEVCG_ACC_MKNOD | DEVCG_ACC_READ | DEVCG_ACC_WRITE | \
> - DEVCG_ACC_MOUNT)
> +#define DEVCG_ACC_MASK (DEVCG_ACC_MKNOD | DEVCG_ACC_READ | DEVCG_ACC_WRITE)
> +#define DEVCG_ACC_EXTRA_MASK (DEVCG_ACC_MASK | DEVCG_ACC_MOUNT)
>
> #define DEVCG_DEV_BLOCK 1
> #define DEVCG_DEV_CHAR 2
> diff --git a/security/device_cgroup.c b/security/device_cgroup.c
> index 97dbc72969ce..8a017fc2e1b0 100644
> --- a/security/device_cgroup.c
> +++ b/security/device_cgroup.c
> @@ -230,6 +230,7 @@ static void devcgroup_css_free(struct cgroup_subsys_state *css)
> #define DEVCG_ALLOW 1
> #define DEVCG_DENY 2
> #define DEVCG_LIST 3
> +#define DEVCG_EXTRA_LIST 32
>
> #define MAJMINLEN 13
> #define ACCLEN 5
> @@ -272,6 +273,11 @@ static int devcgroup_seq_show(struct seq_file *m, void *v)
> struct dev_cgroup *devcgroup = css_to_devcgroup(seq_css(m));
> struct dev_exception_item *ex;
> char maj[MAJMINLEN], min[MAJMINLEN], acc[ACCLEN];
> + short type, mask;
> +
> + type = (short)seq_cft(m)->private;
> + mask = (type == DEVCG_EXTRA_LIST) ?
> + DEVCG_ACC_EXTRA_MASK : DEVCG_ACC_MASK;
>
> rcu_read_lock();
> /*
> @@ -281,14 +287,14 @@ static int devcgroup_seq_show(struct seq_file *m, void *v)
> * This way, the file remains as a "whitelist of devices"
> */
> if (devcgroup->behavior == DEVCG_DEFAULT_ALLOW) {
> - set_access(acc, DEVCG_ACC_MASK);
> + set_access(acc, mask);
> set_majmin(maj, ~0);
> set_majmin(min, ~0);
> seq_printf(m, "%c %s:%s %s\n", type_to_char(DEVCG_DEV_ALL),
> maj, min, acc);
> } else {
> list_for_each_entry_rcu(ex, &devcgroup->exceptions, list) {
> - set_access(acc, ex->access);
> + set_access(acc, ex->access & mask);
> set_majmin(maj, ex->major);
> set_majmin(min, ex->minor);
> seq_printf(m, "%c %s:%s %s\n", type_to_char(ex->type),
> @@ -799,6 +805,11 @@ static struct cftype dev_cgroup_files[] = {
> .seq_show = devcgroup_seq_show,
> .private = DEVCG_LIST,
> },
> + {
> + .name = "extra_list",
> + .seq_show = devcgroup_seq_show,
> + .private = DEVCG_EXTRA_LIST,
> + },
> { } /* terminate */
> };
>
>
--
Best regards, Tikhomirov Pavel
Software Developer, Virtuozzo.
More information about the Devel
mailing list