2 * device_cgroup.c - device cgroup subsystem
4 * Copyright 2007 IBM Corp
7 #include <linux/device_cgroup.h>
8 #include <linux/cgroup.h>
9 #include <linux/ctype.h>
10 #include <linux/list.h>
11 #include <linux/uaccess.h>
12 #include <linux/seq_file.h>
13 #include <linux/slab.h>
14 #include <linux/rcupdate.h>
15 #include <linux/mutex.h>
20 #define ACC_MASK (ACC_MKNOD | ACC_READ | ACC_WRITE)
24 #define DEV_ALL 4 /* this represents all devices */
26 static DEFINE_MUTEX(devcgroup_mutex
);
29 * exception list locking rules:
30 * hold devcgroup_mutex for update/read.
31 * hold rcu_read_lock() for read.
34 struct dev_exception_item
{
38 struct list_head list
;
43 struct cgroup_subsys_state css
;
44 struct list_head exceptions
;
48 static inline struct dev_cgroup
*css_to_devcgroup(struct cgroup_subsys_state
*s
)
50 return container_of(s
, struct dev_cgroup
, css
);
53 static inline struct dev_cgroup
*cgroup_to_devcgroup(struct cgroup
*cgroup
)
55 return css_to_devcgroup(cgroup_subsys_state(cgroup
, devices_subsys_id
));
58 static inline struct dev_cgroup
*task_devcgroup(struct task_struct
*task
)
60 return css_to_devcgroup(task_subsys_state(task
, devices_subsys_id
));
63 struct cgroup_subsys devices_subsys
;
65 static int devcgroup_can_attach(struct cgroup
*new_cgrp
,
66 struct cgroup_taskset
*set
)
68 struct task_struct
*task
= cgroup_taskset_first(set
);
70 if (current
!= task
&& !capable(CAP_SYS_ADMIN
))
76 * called under devcgroup_mutex
78 static int dev_exceptions_copy(struct list_head
*dest
, struct list_head
*orig
)
80 struct dev_exception_item
*ex
, *tmp
, *new;
82 list_for_each_entry(ex
, orig
, list
) {
83 new = kmemdup(ex
, sizeof(*ex
), GFP_KERNEL
);
86 list_add_tail(&new->list
, dest
);
92 list_for_each_entry_safe(ex
, tmp
, dest
, list
) {
100 * called under devcgroup_mutex
102 static int dev_exception_add(struct dev_cgroup
*dev_cgroup
,
103 struct dev_exception_item
*ex
)
105 struct dev_exception_item
*excopy
, *walk
;
107 excopy
= kmemdup(ex
, sizeof(*ex
), GFP_KERNEL
);
111 list_for_each_entry(walk
, &dev_cgroup
->exceptions
, list
) {
112 if (walk
->type
!= ex
->type
)
114 if (walk
->major
!= ex
->major
)
116 if (walk
->minor
!= ex
->minor
)
119 walk
->access
|= ex
->access
;
125 list_add_tail_rcu(&excopy
->list
, &dev_cgroup
->exceptions
);
130 * called under devcgroup_mutex
132 static void dev_exception_rm(struct dev_cgroup
*dev_cgroup
,
133 struct dev_exception_item
*ex
)
135 struct dev_exception_item
*walk
, *tmp
;
137 list_for_each_entry_safe(walk
, tmp
, &dev_cgroup
->exceptions
, list
) {
138 if (walk
->type
!= ex
->type
)
140 if (walk
->major
!= ex
->major
)
142 if (walk
->minor
!= ex
->minor
)
145 walk
->access
&= ~ex
->access
;
147 list_del_rcu(&walk
->list
);
148 kfree_rcu(walk
, rcu
);
154 * dev_exception_clean - frees all entries of the exception list
155 * @dev_cgroup: dev_cgroup with the exception list to be cleaned
157 * called under devcgroup_mutex
159 static void dev_exception_clean(struct dev_cgroup
*dev_cgroup
)
161 struct dev_exception_item
*ex
, *tmp
;
163 list_for_each_entry_safe(ex
, tmp
, &dev_cgroup
->exceptions
, list
) {
170 * called from kernel/cgroup.c with cgroup_lock() held.
172 static struct cgroup_subsys_state
*devcgroup_create(struct cgroup
*cgroup
)
174 struct dev_cgroup
*dev_cgroup
, *parent_dev_cgroup
;
175 struct cgroup
*parent_cgroup
;
178 dev_cgroup
= kzalloc(sizeof(*dev_cgroup
), GFP_KERNEL
);
180 return ERR_PTR(-ENOMEM
);
181 INIT_LIST_HEAD(&dev_cgroup
->exceptions
);
182 parent_cgroup
= cgroup
->parent
;
184 if (parent_cgroup
== NULL
)
185 dev_cgroup
->deny_all
= false;
187 parent_dev_cgroup
= cgroup_to_devcgroup(parent_cgroup
);
188 mutex_lock(&devcgroup_mutex
);
189 ret
= dev_exceptions_copy(&dev_cgroup
->exceptions
,
190 &parent_dev_cgroup
->exceptions
);
191 dev_cgroup
->deny_all
= parent_dev_cgroup
->deny_all
;
192 mutex_unlock(&devcgroup_mutex
);
199 return &dev_cgroup
->css
;
202 static void devcgroup_destroy(struct cgroup
*cgroup
)
204 struct dev_cgroup
*dev_cgroup
;
206 dev_cgroup
= cgroup_to_devcgroup(cgroup
);
207 dev_exception_clean(dev_cgroup
);
211 #define DEVCG_ALLOW 1
218 static void set_access(char *acc
, short access
)
221 memset(acc
, 0, ACCLEN
);
222 if (access
& ACC_READ
)
224 if (access
& ACC_WRITE
)
226 if (access
& ACC_MKNOD
)
230 static char type_to_char(short type
)
234 if (type
== DEV_CHAR
)
236 if (type
== DEV_BLOCK
)
241 static void set_majmin(char *str
, unsigned m
)
246 sprintf(str
, "%u", m
);
249 static int devcgroup_seq_read(struct cgroup
*cgroup
, struct cftype
*cft
,
252 struct dev_cgroup
*devcgroup
= cgroup_to_devcgroup(cgroup
);
253 struct dev_exception_item
*ex
;
254 char maj
[MAJMINLEN
], min
[MAJMINLEN
], acc
[ACCLEN
];
258 * To preserve the compatibility:
259 * - Only show the "all devices" when the default policy is to allow
260 * - List the exceptions in case the default policy is to deny
261 * This way, the file remains as a "whitelist of devices"
263 if (devcgroup
->deny_all
== false) {
264 set_access(acc
, ACC_MASK
);
267 seq_printf(m
, "%c %s:%s %s\n", type_to_char(DEV_ALL
),
270 list_for_each_entry_rcu(ex
, &devcgroup
->exceptions
, list
) {
271 set_access(acc
, ex
->access
);
272 set_majmin(maj
, ex
->major
);
273 set_majmin(min
, ex
->minor
);
274 seq_printf(m
, "%c %s:%s %s\n", type_to_char(ex
->type
),
284 * may_access - verifies if a new exception is part of what is allowed
285 * by a dev cgroup based on the default policy +
286 * exceptions. This is used to make sure a child cgroup
287 * won't have more privileges than its parent or to
288 * verify if a certain access is allowed.
289 * @dev_cgroup: dev cgroup to be tested against
290 * @refex: new exception
292 static int may_access(struct dev_cgroup
*dev_cgroup
,
293 struct dev_exception_item
*refex
)
295 struct dev_exception_item
*ex
;
298 list_for_each_entry(ex
, &dev_cgroup
->exceptions
, list
) {
299 if ((refex
->type
& DEV_BLOCK
) && !(ex
->type
& DEV_BLOCK
))
301 if ((refex
->type
& DEV_CHAR
) && !(ex
->type
& DEV_CHAR
))
303 if (ex
->major
!= ~0 && ex
->major
!= refex
->major
)
305 if (ex
->minor
!= ~0 && ex
->minor
!= refex
->minor
)
307 if (refex
->access
& (~ex
->access
))
314 * In two cases we'll consider this new exception valid:
315 * - the dev cgroup has its default policy to allow + exception list:
316 * the new exception should *not* match any of the exceptions
317 * (!deny_all, !match)
318 * - the dev cgroup has its default policy to deny + exception list:
319 * the new exception *should* match the exceptions
322 if (dev_cgroup
->deny_all
== match
)
329 * when adding a new allow rule to a device exception list, the rule
330 * must be allowed in the parent device
332 static int parent_has_perm(struct dev_cgroup
*childcg
,
333 struct dev_exception_item
*ex
)
335 struct cgroup
*pcg
= childcg
->css
.cgroup
->parent
;
336 struct dev_cgroup
*parent
;
340 parent
= cgroup_to_devcgroup(pcg
);
341 return may_access(parent
, ex
);
345 * Modify the exception list using allow/deny rules.
346 * CAP_SYS_ADMIN is needed for this. It's at least separate from CAP_MKNOD
347 * so we can give a container CAP_MKNOD to let it create devices but not
348 * modify the exception list.
349 * It seems likely we'll want to add a CAP_CONTAINER capability to allow
350 * us to also grant CAP_SYS_ADMIN to containers without giving away the
351 * device exception list controls, but for now we'll stick with CAP_SYS_ADMIN
353 * Taking rules away is always allowed (given CAP_SYS_ADMIN). Granting
354 * new access is only allowed if you're in the top-level cgroup, or your
355 * parent cgroup has the access you're asking for.
357 static int devcgroup_update_access(struct dev_cgroup
*devcgroup
,
358 int filetype
, const char *buffer
)
363 struct dev_exception_item ex
;
365 if (!capable(CAP_SYS_ADMIN
))
368 memset(&ex
, 0, sizeof(ex
));
375 if (!parent_has_perm(devcgroup
, &ex
))
377 dev_exception_clean(devcgroup
);
378 devcgroup
->deny_all
= false;
381 dev_exception_clean(devcgroup
);
382 devcgroup
->deny_all
= true;
404 } else if (isdigit(*b
)) {
405 ex
.major
= simple_strtoul(b
, &endp
, 10);
418 } else if (isdigit(*b
)) {
419 ex
.minor
= simple_strtoul(b
, &endp
, 10);
426 for (b
++, count
= 0; count
< 3; count
++, b
++) {
429 ex
.access
|= ACC_READ
;
432 ex
.access
|= ACC_WRITE
;
435 ex
.access
|= ACC_MKNOD
;
448 if (!parent_has_perm(devcgroup
, &ex
))
451 * If the default policy is to allow by default, try to remove
452 * an matching exception instead. And be silent about it: we
453 * don't want to break compatibility
455 if (devcgroup
->deny_all
== false) {
456 dev_exception_rm(devcgroup
, &ex
);
459 return dev_exception_add(devcgroup
, &ex
);
462 * If the default policy is to deny by default, try to remove
463 * an matching exception instead. And be silent about it: we
464 * don't want to break compatibility
466 if (devcgroup
->deny_all
== true) {
467 dev_exception_rm(devcgroup
, &ex
);
470 return dev_exception_add(devcgroup
, &ex
);
477 static int devcgroup_access_write(struct cgroup
*cgrp
, struct cftype
*cft
,
482 mutex_lock(&devcgroup_mutex
);
483 retval
= devcgroup_update_access(cgroup_to_devcgroup(cgrp
),
484 cft
->private, buffer
);
485 mutex_unlock(&devcgroup_mutex
);
489 static struct cftype dev_cgroup_files
[] = {
492 .write_string
= devcgroup_access_write
,
493 .private = DEVCG_ALLOW
,
497 .write_string
= devcgroup_access_write
,
498 .private = DEVCG_DENY
,
502 .read_seq_string
= devcgroup_seq_read
,
503 .private = DEVCG_LIST
,
508 struct cgroup_subsys devices_subsys
= {
510 .can_attach
= devcgroup_can_attach
,
511 .create
= devcgroup_create
,
512 .destroy
= devcgroup_destroy
,
513 .subsys_id
= devices_subsys_id
,
514 .base_cftypes
= dev_cgroup_files
,
517 * While devices cgroup has the rudimentary hierarchy support which
518 * checks the parent's restriction, it doesn't properly propagates
519 * config changes in ancestors to their descendents. A child
520 * should only be allowed to add more restrictions to the parent's
521 * configuration. Fix it and remove the following.
523 .broken_hierarchy
= true,
527 * __devcgroup_check_permission - checks if an inode operation is permitted
528 * @dev_cgroup: the dev cgroup to be tested against
530 * @major: device major number
531 * @minor: device minor number
532 * @access: combination of ACC_WRITE, ACC_READ and ACC_MKNOD
534 * returns 0 on success, -EPERM case the operation is not permitted
536 static int __devcgroup_check_permission(struct dev_cgroup
*dev_cgroup
,
537 short type
, u32 major
, u32 minor
,
540 struct dev_exception_item ex
;
543 memset(&ex
, 0, sizeof(ex
));
550 rc
= may_access(dev_cgroup
, &ex
);
559 int __devcgroup_inode_permission(struct inode
*inode
, int mask
)
561 struct dev_cgroup
*dev_cgroup
= task_devcgroup(current
);
562 short type
, access
= 0;
564 if (S_ISBLK(inode
->i_mode
))
566 if (S_ISCHR(inode
->i_mode
))
568 if (mask
& MAY_WRITE
)
573 return __devcgroup_check_permission(dev_cgroup
, type
, imajor(inode
),
574 iminor(inode
), access
);
577 int devcgroup_inode_mknod(int mode
, dev_t dev
)
579 struct dev_cgroup
*dev_cgroup
= task_devcgroup(current
);
582 if (!S_ISBLK(mode
) && !S_ISCHR(mode
))
590 return __devcgroup_check_permission(dev_cgroup
, type
, MAJOR(dev
),
591 MINOR(dev
), ACC_MKNOD
);