2 * device_cgroup.c - device cgroup subsystem
4 * Copyright 2007 IBM Corp
7 #include <linux/device_cgroup.h>
8 #include <linux/cgroup.h>
9 #include <linux/ctype.h>
10 #include <linux/list.h>
11 #include <linux/uaccess.h>
12 #include <linux/seq_file.h>
13 #include <linux/slab.h>
14 #include <linux/rcupdate.h>
15 #include <linux/mutex.h>
20 #define ACC_MASK (ACC_MKNOD | ACC_READ | ACC_WRITE)
24 #define DEV_ALL 4 /* this represents all devices */
26 static DEFINE_MUTEX(devcgroup_mutex
);
29 * exception list locking rules:
30 * hold devcgroup_mutex for update/read.
31 * hold rcu_read_lock() for read.
34 struct dev_exception_item
{
38 struct list_head list
;
43 struct cgroup_subsys_state css
;
44 struct list_head exceptions
;
51 static inline struct dev_cgroup
*css_to_devcgroup(struct cgroup_subsys_state
*s
)
53 return container_of(s
, struct dev_cgroup
, css
);
56 static inline struct dev_cgroup
*cgroup_to_devcgroup(struct cgroup
*cgroup
)
58 return css_to_devcgroup(cgroup_subsys_state(cgroup
, devices_subsys_id
));
61 static inline struct dev_cgroup
*task_devcgroup(struct task_struct
*task
)
63 return css_to_devcgroup(task_subsys_state(task
, devices_subsys_id
));
66 struct cgroup_subsys devices_subsys
;
68 static int devcgroup_can_attach(struct cgroup
*new_cgrp
,
69 struct cgroup_taskset
*set
)
71 struct task_struct
*task
= cgroup_taskset_first(set
);
73 if (current
!= task
&& !capable(CAP_SYS_ADMIN
))
79 * called under devcgroup_mutex
81 static int dev_exceptions_copy(struct list_head
*dest
, struct list_head
*orig
)
83 struct dev_exception_item
*ex
, *tmp
, *new;
85 lockdep_assert_held(&devcgroup_mutex
);
87 list_for_each_entry(ex
, orig
, list
) {
88 new = kmemdup(ex
, sizeof(*ex
), GFP_KERNEL
);
91 list_add_tail(&new->list
, dest
);
97 list_for_each_entry_safe(ex
, tmp
, dest
, list
) {
105 * called under devcgroup_mutex
107 static int dev_exception_add(struct dev_cgroup
*dev_cgroup
,
108 struct dev_exception_item
*ex
)
110 struct dev_exception_item
*excopy
, *walk
;
112 lockdep_assert_held(&devcgroup_mutex
);
114 excopy
= kmemdup(ex
, sizeof(*ex
), GFP_KERNEL
);
118 list_for_each_entry(walk
, &dev_cgroup
->exceptions
, list
) {
119 if (walk
->type
!= ex
->type
)
121 if (walk
->major
!= ex
->major
)
123 if (walk
->minor
!= ex
->minor
)
126 walk
->access
|= ex
->access
;
132 list_add_tail_rcu(&excopy
->list
, &dev_cgroup
->exceptions
);
137 * called under devcgroup_mutex
139 static void dev_exception_rm(struct dev_cgroup
*dev_cgroup
,
140 struct dev_exception_item
*ex
)
142 struct dev_exception_item
*walk
, *tmp
;
144 lockdep_assert_held(&devcgroup_mutex
);
146 list_for_each_entry_safe(walk
, tmp
, &dev_cgroup
->exceptions
, list
) {
147 if (walk
->type
!= ex
->type
)
149 if (walk
->major
!= ex
->major
)
151 if (walk
->minor
!= ex
->minor
)
154 walk
->access
&= ~ex
->access
;
156 list_del_rcu(&walk
->list
);
157 kfree_rcu(walk
, rcu
);
162 static void __dev_exception_clean(struct dev_cgroup
*dev_cgroup
)
164 struct dev_exception_item
*ex
, *tmp
;
166 list_for_each_entry_safe(ex
, tmp
, &dev_cgroup
->exceptions
, list
) {
167 list_del_rcu(&ex
->list
);
173 * dev_exception_clean - frees all entries of the exception list
174 * @dev_cgroup: dev_cgroup with the exception list to be cleaned
176 * called under devcgroup_mutex
178 static void dev_exception_clean(struct dev_cgroup
*dev_cgroup
)
180 lockdep_assert_held(&devcgroup_mutex
);
182 __dev_exception_clean(dev_cgroup
);
186 * called from kernel/cgroup.c with cgroup_lock() held.
188 static struct cgroup_subsys_state
*devcgroup_css_alloc(struct cgroup
*cgroup
)
190 struct dev_cgroup
*dev_cgroup
, *parent_dev_cgroup
;
191 struct cgroup
*parent_cgroup
;
194 dev_cgroup
= kzalloc(sizeof(*dev_cgroup
), GFP_KERNEL
);
196 return ERR_PTR(-ENOMEM
);
197 INIT_LIST_HEAD(&dev_cgroup
->exceptions
);
198 parent_cgroup
= cgroup
->parent
;
200 if (parent_cgroup
== NULL
)
201 dev_cgroup
->behavior
= DEVCG_DEFAULT_ALLOW
;
203 parent_dev_cgroup
= cgroup_to_devcgroup(parent_cgroup
);
204 mutex_lock(&devcgroup_mutex
);
205 ret
= dev_exceptions_copy(&dev_cgroup
->exceptions
,
206 &parent_dev_cgroup
->exceptions
);
207 dev_cgroup
->behavior
= parent_dev_cgroup
->behavior
;
208 mutex_unlock(&devcgroup_mutex
);
215 return &dev_cgroup
->css
;
218 static void devcgroup_css_free(struct cgroup
*cgroup
)
220 struct dev_cgroup
*dev_cgroup
;
222 dev_cgroup
= cgroup_to_devcgroup(cgroup
);
223 __dev_exception_clean(dev_cgroup
);
227 #define DEVCG_ALLOW 1
234 static void set_access(char *acc
, short access
)
237 memset(acc
, 0, ACCLEN
);
238 if (access
& ACC_READ
)
240 if (access
& ACC_WRITE
)
242 if (access
& ACC_MKNOD
)
246 static char type_to_char(short type
)
250 if (type
== DEV_CHAR
)
252 if (type
== DEV_BLOCK
)
257 static void set_majmin(char *str
, unsigned m
)
262 sprintf(str
, "%u", m
);
265 static int devcgroup_seq_read(struct cgroup
*cgroup
, struct cftype
*cft
,
268 struct dev_cgroup
*devcgroup
= cgroup_to_devcgroup(cgroup
);
269 struct dev_exception_item
*ex
;
270 char maj
[MAJMINLEN
], min
[MAJMINLEN
], acc
[ACCLEN
];
274 * To preserve the compatibility:
275 * - Only show the "all devices" when the default policy is to allow
276 * - List the exceptions in case the default policy is to deny
277 * This way, the file remains as a "whitelist of devices"
279 if (devcgroup
->behavior
== DEVCG_DEFAULT_ALLOW
) {
280 set_access(acc
, ACC_MASK
);
283 seq_printf(m
, "%c %s:%s %s\n", type_to_char(DEV_ALL
),
286 list_for_each_entry_rcu(ex
, &devcgroup
->exceptions
, list
) {
287 set_access(acc
, ex
->access
);
288 set_majmin(maj
, ex
->major
);
289 set_majmin(min
, ex
->minor
);
290 seq_printf(m
, "%c %s:%s %s\n", type_to_char(ex
->type
),
300 * may_access - verifies if a new exception is part of what is allowed
301 * by a dev cgroup based on the default policy +
302 * exceptions. This is used to make sure a child cgroup
303 * won't have more privileges than its parent or to
304 * verify if a certain access is allowed.
305 * @dev_cgroup: dev cgroup to be tested against
306 * @refex: new exception
308 static int may_access(struct dev_cgroup
*dev_cgroup
,
309 struct dev_exception_item
*refex
)
311 struct dev_exception_item
*ex
;
314 rcu_lockdep_assert(rcu_read_lock_held() ||
315 lockdep_is_held(&devcgroup_mutex
),
316 "device_cgroup::may_access() called without proper synchronization");
318 list_for_each_entry_rcu(ex
, &dev_cgroup
->exceptions
, list
) {
319 if ((refex
->type
& DEV_BLOCK
) && !(ex
->type
& DEV_BLOCK
))
321 if ((refex
->type
& DEV_CHAR
) && !(ex
->type
& DEV_CHAR
))
323 if (ex
->major
!= ~0 && ex
->major
!= refex
->major
)
325 if (ex
->minor
!= ~0 && ex
->minor
!= refex
->minor
)
327 if (refex
->access
& (~ex
->access
))
334 * In two cases we'll consider this new exception valid:
335 * - the dev cgroup has its default policy to allow + exception list:
336 * the new exception should *not* match any of the exceptions
337 * (behavior == DEVCG_DEFAULT_ALLOW, !match)
338 * - the dev cgroup has its default policy to deny + exception list:
339 * the new exception *should* match the exceptions
340 * (behavior == DEVCG_DEFAULT_DENY, match)
342 if ((dev_cgroup
->behavior
== DEVCG_DEFAULT_DENY
) == match
)
349 * when adding a new allow rule to a device exception list, the rule
350 * must be allowed in the parent device
352 static int parent_has_perm(struct dev_cgroup
*childcg
,
353 struct dev_exception_item
*ex
)
355 struct cgroup
*pcg
= childcg
->css
.cgroup
->parent
;
356 struct dev_cgroup
*parent
;
360 parent
= cgroup_to_devcgroup(pcg
);
361 return may_access(parent
, ex
);
365 * may_allow_all - checks if it's possible to change the behavior to
366 * allow based on parent's rules.
367 * @parent: device cgroup's parent
368 * returns: != 0 in case it's allowed, 0 otherwise
370 static inline int may_allow_all(struct dev_cgroup
*parent
)
374 return parent
->behavior
== DEVCG_DEFAULT_ALLOW
;
378 * Modify the exception list using allow/deny rules.
379 * CAP_SYS_ADMIN is needed for this. It's at least separate from CAP_MKNOD
380 * so we can give a container CAP_MKNOD to let it create devices but not
381 * modify the exception list.
382 * It seems likely we'll want to add a CAP_CONTAINER capability to allow
383 * us to also grant CAP_SYS_ADMIN to containers without giving away the
384 * device exception list controls, but for now we'll stick with CAP_SYS_ADMIN
386 * Taking rules away is always allowed (given CAP_SYS_ADMIN). Granting
387 * new access is only allowed if you're in the top-level cgroup, or your
388 * parent cgroup has the access you're asking for.
390 static int devcgroup_update_access(struct dev_cgroup
*devcgroup
,
391 int filetype
, const char *buffer
)
394 char temp
[12]; /* 11 + 1 characters needed for a u32 */
396 struct dev_exception_item ex
;
397 struct cgroup
*p
= devcgroup
->css
.cgroup
;
398 struct dev_cgroup
*parent
= NULL
;
400 if (!capable(CAP_SYS_ADMIN
))
404 parent
= cgroup_to_devcgroup(p
->parent
);
406 memset(&ex
, 0, sizeof(ex
));
413 if (!may_allow_all(parent
))
415 dev_exception_clean(devcgroup
);
416 devcgroup
->behavior
= DEVCG_DEFAULT_ALLOW
;
420 rc
= dev_exceptions_copy(&devcgroup
->exceptions
,
421 &parent
->exceptions
);
426 dev_exception_clean(devcgroup
);
427 devcgroup
->behavior
= DEVCG_DEFAULT_DENY
;
449 } else if (isdigit(*b
)) {
450 memset(temp
, 0, sizeof(temp
));
451 for (count
= 0; count
< sizeof(temp
) - 1; count
++) {
457 rc
= kstrtou32(temp
, 10, &ex
.major
);
471 } else if (isdigit(*b
)) {
472 memset(temp
, 0, sizeof(temp
));
473 for (count
= 0; count
< sizeof(temp
) - 1; count
++) {
479 rc
= kstrtou32(temp
, 10, &ex
.minor
);
487 for (b
++, count
= 0; count
< 3; count
++, b
++) {
490 ex
.access
|= ACC_READ
;
493 ex
.access
|= ACC_WRITE
;
496 ex
.access
|= ACC_MKNOD
;
509 if (!parent_has_perm(devcgroup
, &ex
))
512 * If the default policy is to allow by default, try to remove
513 * an matching exception instead. And be silent about it: we
514 * don't want to break compatibility
516 if (devcgroup
->behavior
== DEVCG_DEFAULT_ALLOW
) {
517 dev_exception_rm(devcgroup
, &ex
);
520 return dev_exception_add(devcgroup
, &ex
);
523 * If the default policy is to deny by default, try to remove
524 * an matching exception instead. And be silent about it: we
525 * don't want to break compatibility
527 if (devcgroup
->behavior
== DEVCG_DEFAULT_DENY
) {
528 dev_exception_rm(devcgroup
, &ex
);
531 return dev_exception_add(devcgroup
, &ex
);
538 static int devcgroup_access_write(struct cgroup
*cgrp
, struct cftype
*cft
,
543 mutex_lock(&devcgroup_mutex
);
544 retval
= devcgroup_update_access(cgroup_to_devcgroup(cgrp
),
545 cft
->private, buffer
);
546 mutex_unlock(&devcgroup_mutex
);
550 static struct cftype dev_cgroup_files
[] = {
553 .write_string
= devcgroup_access_write
,
554 .private = DEVCG_ALLOW
,
558 .write_string
= devcgroup_access_write
,
559 .private = DEVCG_DENY
,
563 .read_seq_string
= devcgroup_seq_read
,
564 .private = DEVCG_LIST
,
569 struct cgroup_subsys devices_subsys
= {
571 .can_attach
= devcgroup_can_attach
,
572 .css_alloc
= devcgroup_css_alloc
,
573 .css_free
= devcgroup_css_free
,
574 .subsys_id
= devices_subsys_id
,
575 .base_cftypes
= dev_cgroup_files
,
578 * While devices cgroup has the rudimentary hierarchy support which
579 * checks the parent's restriction, it doesn't properly propagates
580 * config changes in ancestors to their descendents. A child
581 * should only be allowed to add more restrictions to the parent's
582 * configuration. Fix it and remove the following.
584 .broken_hierarchy
= true,
588 * __devcgroup_check_permission - checks if an inode operation is permitted
589 * @dev_cgroup: the dev cgroup to be tested against
591 * @major: device major number
592 * @minor: device minor number
593 * @access: combination of ACC_WRITE, ACC_READ and ACC_MKNOD
595 * returns 0 on success, -EPERM case the operation is not permitted
597 static int __devcgroup_check_permission(short type
, u32 major
, u32 minor
,
600 struct dev_cgroup
*dev_cgroup
;
601 struct dev_exception_item ex
;
604 memset(&ex
, 0, sizeof(ex
));
611 dev_cgroup
= task_devcgroup(current
);
612 rc
= may_access(dev_cgroup
, &ex
);
621 int __devcgroup_inode_permission(struct inode
*inode
, int mask
)
623 short type
, access
= 0;
625 if (S_ISBLK(inode
->i_mode
))
627 if (S_ISCHR(inode
->i_mode
))
629 if (mask
& MAY_WRITE
)
634 return __devcgroup_check_permission(type
, imajor(inode
), iminor(inode
),
638 int devcgroup_inode_mknod(int mode
, dev_t dev
)
642 if (!S_ISBLK(mode
) && !S_ISCHR(mode
))
650 return __devcgroup_check_permission(type
, MAJOR(dev
), MINOR(dev
),