Path: blob/master/Documentation/cgroups/devices.txt
Device Whitelist Controller

1. Description:

Implement a cgroup to track and enforce open and mknod restrictions
on device files. A device cgroup associates a device access
whitelist with each cgroup. A whitelist entry has 4 fields.
'type' is a (all), c (char), or b (block). 'all' means it applies
to all types and all major and minor numbers. Major and minor are
either an integer or * for all. Access is a composition of r
(read), w (write), and m (mknod).

The root device cgroup starts with rwm to 'all'. A child device
cgroup gets a copy of the parent. Administrators can then remove
devices from the whitelist or add new entries. A child cgroup can
never receive a device access which is denied by its parent. However,
when a device access is removed from a parent it will not also be
removed from the child(ren).

2. User Interface

An entry is added using devices.allow, and removed using
devices.deny. For instance

    echo 'c 1:3 mr' > /sys/fs/cgroup/1/devices.allow

allows cgroup 1 to read and mknod the device usually known as
/dev/null. Doing

    echo a > /sys/fs/cgroup/1/devices.deny

will remove the default 'a *:* rwm' entry. Doing

    echo a > /sys/fs/cgroup/1/devices.allow

will add the 'a *:* rwm' entry to the whitelist.

3. Security

Any task can move itself between cgroups. This clearly won't
suffice, but we can decide the best way to adequately restrict
movement as people get some experience with this. We may just want
to require CAP_SYS_ADMIN, which at least is a separate bit from
CAP_MKNOD. We may want to just refuse moving to a cgroup which
isn't a descendant of the current one. Or we may want to use
CAP_MAC_ADMIN, since we really are trying to lock down root.

CAP_SYS_ADMIN is needed to modify the whitelist or move another
task to a new cgroup. (Again we'll probably want to change that).

A cgroup may not be granted more permissions than the cgroup's
parent has.
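As an added example (not part of this kernel documentation or of the kernel's own code), the Python below models the whitelist semantics described above: it parses 'type major:minor access' entries, checks whether a given open or mknod on a device is covered by a cgroup's whitelist, and checks that an entry proposed for a child cgroup is no broader than what its parent permits. The class and function names are this example's own.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

@dataclass(frozen=True)
class Entry:
    """One whitelist entry: type, major, minor, access bits."""
    type: str               # 'a' (all), 'c' (char) or 'b' (block)
    major: Optional[int]    # None stands for '*'
    minor: Optional[int]    # None stands for '*'
    access: frozenset       # subset of {'r', 'w', 'm'}

def parse_entry(text: str) -> Entry:
    """Parse a line such as 'c 1:3 mr' or 'a *:* rwm'; reject malformed input."""
    dtype, dev, acc = text.split()
    if dtype not in ("a", "c", "b"):
        raise ValueError(f"bad device type {dtype!r}")
    if not acc or set(acc) - set("rwm"):
        raise ValueError(f"bad access string {acc!r}")
    maj_s, min_s = dev.split(":")
    num = lambda s: None if s == "*" else int(s)
    return Entry(dtype, num(maj_s), num(min_s), frozenset(acc))

def entry_covers(rule: Entry, dtype: str, major: int, minor: int, access: str) -> bool:
    """True if this single entry grants every requested access bit on the device."""
    if rule.type != "a" and rule.type != dtype:
        return False
    if rule.major is not None and rule.major != major:
        return False
    if rule.minor is not None and rule.minor != minor:
        return False
    return set(access) <= rule.access

def permitted(whitelist: Iterable[Entry], dtype: str, major: int, minor: int, access: str) -> bool:
    """An access is allowed only if some entry in the cgroup's whitelist covers it."""
    return any(entry_covers(e, dtype, major, minor, access) for e in whitelist)

def child_may_add(parent_whitelist: Iterable[Entry], new: Entry) -> bool:
    """A child may only be granted an entry that some parent entry is at least as broad as:
    a parent wildcard covers a specific value, but a specific parent value never covers
    a child wildcard, and the child's access bits must be a subset of the parent's."""
    for p in parent_whitelist:
        if p.type != "a" and p.type != new.type:
            continue
        if p.major is not None and p.major != new.major:
            continue
        if p.minor is not None and p.minor != new.minor:
            continue
        if new.access <= p.access:
            return True
    return False
```

Running the document's own sequence through the model (constructed input): the root holds 'a *:* rwm', and a child that has denied 'a' and allowed 'c 1:3 mr' may then read /dev/null but not write it, and may not be handed 'c 1:* r' since that is broader than what it already holds.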