[Devel] [PATCH RHEL9 COMMIT] ve/device_cgroup: Introduce "devices.extra_list" cgroup file

Konstantin Khorenko khorenko at virtuozzo.com
Wed Oct 20 11:39:30 MSK 2021 

The commit is pushed to "branch-rh9-5.14.vz9.1.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh9-5.14.0-4.vz9.10.12
------>
commit 0a80bafede705811580462f7ccd20780ce593ecb
Author: Konstantin Khorenko <khorenko at virtuozzo.com>
Date:   Wed Oct 20 11:39:29 2021 +0300

    ve/device_cgroup: Introduce "devices.extra_list" cgroup file
    
    Recent versions of containerd (as a part of k3s-1.19.5)
    started to apply strict rules when parsing the contents of
    'devices.list' files located in the devices cgroup.
    Namely, the access token is allowed to contain only those values [rwm],
    that are described in
    https://www.kernel.org/doc/Documentation/cgroup-v1/devices.txt
    
    In vzkernel we do have an extra permission in device cgroup to allow
    mount of a block device inside a Container ('M'), so this upsets
    containerd.
    
    Let's leave 'devices.{allow,deny}' files to be able to handle vz
    specific "M" permission, but 'devices.list' to show only [rwm]
    permissions suppressing possible "M" presence.
    
    Let's introduce another file 'devices.extra_list' to show all
    permissions, including possible "M".
    
     $ echo "b 253:3182 rmM" > devices.allow
     $ cat devices.list
     ...
     b 253:3182 rm
     $ cat devices.extra_list
     ...
     b 253:3182 rmM
    
    https://jira.sw.ru/browse/PSBM-123743
    
    Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>
    
    Reviewed-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
    
    Changes:
    v2: fix DEVCG_DEFAULT_ALLOW branch in devcgroup_seq_show() to show 'M'
        as well in devices::devices.extra_list.
    
    (cherry-picked from vz8 commit 3d5a8118a9b6 ("ve/device_cgroup: Introduce
    "devices.extra_list" cgroup file"))
    
    Signed-off-by: Nikita Yushchenko <nikita.yushchenko at virtuozzo.com>
---
 include/linux/device_cgroup.h |  4 ++--
 security/device_cgroup.c      | 15 +++++++++++++--
 2 files changed, 15 insertions(+), 4 deletions(-)

diff --git a/include/linux/device_cgroup.h b/include/linux/device_cgroup.h
index 365ffc2c516e..eb6a060176da 100644
--- a/include/linux/device_cgroup.h
+++ b/include/linux/device_cgroup.h
@@ -5,8 +5,8 @@
 #define DEVCG_ACC_READ  2
 #define DEVCG_ACC_WRITE 4
 #define DEVCG_ACC_MOUNT 64
-#define DEVCG_ACC_MASK (DEVCG_ACC_MKNOD | DEVCG_ACC_READ | DEVCG_ACC_WRITE | \
-			DEVCG_ACC_MOUNT)
+#define DEVCG_ACC_MASK (DEVCG_ACC_MKNOD | DEVCG_ACC_READ | DEVCG_ACC_WRITE)
+#define DEVCG_ACC_EXTRA_MASK (DEVCG_ACC_MASK | DEVCG_ACC_MOUNT)
 
 #define DEVCG_DEV_BLOCK 1
 #define DEVCG_DEV_CHAR  2
diff --git a/security/device_cgroup.c b/security/device_cgroup.c
index ee76745795b8..448c5bef0996 100644
--- a/security/device_cgroup.c
+++ b/security/device_cgroup.c
@@ -232,6 +232,7 @@ static void devcgroup_css_free(struct cgroup_subsys_state *css)
 #define DEVCG_ALLOW 1
 #define DEVCG_DENY 2
 #define DEVCG_LIST 3
+#define DEVCG_EXTRA_LIST 32
 
 #define MAJMINLEN 13
 #define ACCLEN 5
@@ -274,6 +275,11 @@ static int devcgroup_seq_show(struct seq_file *m, void *v)
 	struct dev_cgroup *devcgroup = css_to_devcgroup(seq_css(m));
 	struct dev_exception_item *ex;
 	char maj[MAJMINLEN], min[MAJMINLEN], acc[ACCLEN];
+	short type, mask;
+
+	type = (short)seq_cft(m)->private;
+	mask = (type == DEVCG_EXTRA_LIST) ?
+	        DEVCG_ACC_EXTRA_MASK : DEVCG_ACC_MASK;
 
 	rcu_read_lock();
 	/*
@@ -283,14 +289,14 @@ static int devcgroup_seq_show(struct seq_file *m, void *v)
 	 * This way, the file remains as a "whitelist of devices"
 	 */
 	if (devcgroup->behavior == DEVCG_DEFAULT_ALLOW) {
-		set_access(acc, DEVCG_ACC_MASK);
+		set_access(acc, mask);
 		set_majmin(maj, ~0);
 		set_majmin(min, ~0);
 		seq_printf(m, "%c %s:%s %s\n", type_to_char(DEVCG_DEV_ALL),
 			   maj, min, acc);
 	} else {
 		list_for_each_entry_rcu(ex, &devcgroup->exceptions, list) {
-			set_access(acc, ex->access);
+			set_access(acc, ex->access & mask);
 			set_majmin(maj, ex->major);
 			set_majmin(min, ex->minor);
 			seq_printf(m, "%c %s:%s %s\n", type_to_char(ex->type),
@@ -802,6 +808,11 @@ static struct cftype dev_cgroup_files[] = {
 		.seq_show = devcgroup_seq_show,
 		.private = DEVCG_LIST,
 	},
+	{
+		.name = "extra_list",
+		.seq_show = devcgroup_seq_show,
+		.private = DEVCG_EXTRA_LIST,
+	},
 	{ }	/* terminate */
 };

More information about the Devel mailing list