===========================
Device Whitelist Controller
===========================

1. Description
==============

Implement a cgroup to track and enforce open and mknod restrictions
on device files. A device cgroup associates a device access
whitelist with each cgroup. A whitelist entry has 4 fields.
'type' is a (all), c (char), or b (block). 'all' means it applies
to all types and all major and minor numbers. Major and minor are
either an integer or * for all. Access is a composition of r
(read), w (write), and m (mknod).

The root device cgroup starts with rwm to 'all'. A child device
cgroup gets a copy of the parent. Administrators can then remove
devices from the whitelist or add new entries. A child cgroup can
never receive a device access which is denied by its parent.

2. User Interface
=================

An entry is added using devices.allow, and removed using
devices.deny. For instance::

    echo 'c 1:3 mr' > /sys/fs/cgroup/1/devices.allow

allows cgroup 1 to read and mknod the device usually known as
/dev/null. Doing::

    echo a > /sys/fs/cgroup/1/devices.deny

will remove the default 'a *:* rwm' entry. Doing::

    echo a > /sys/fs/cgroup/1/devices.allow

will add the 'a *:* rwm' entry to the whitelist.

3. Security
===========

Any task can move itself between cgroups. This clearly won't
suffice, but we can decide the best way to adequately restrict
movement as people get some experience with this. We may just want
to require CAP_SYS_ADMIN, which at least is a separate bit from
CAP_MKNOD. We may want to just refuse moving to a cgroup which
isn't a descendant of the current one. Or we may want to use
CAP_MAC_ADMIN, since we really are trying to lock down root.

CAP_SYS_ADMIN is needed to modify the whitelist or move another
task to a new cgroup. (Again we'll probably want to change that.)

A cgroup may not be granted more permissions than the cgroup's
parent has.
4. Hierarchy
============

Device cgroups maintain the hierarchy by making sure a cgroup never has more
access permissions than its parent. Every time an entry is written to
a cgroup's devices.deny file, all its children will have that entry removed
from their whitelist and all the locally set whitelist entries will be
re-evaluated. In case one of the locally set whitelist entries would provide
more access than the cgroup's parent, it'll be removed from the whitelist.

Example::

      A
     / \
        B

    group        behavior       exceptions
    A            allow          "b 8:* rwm", "c 116:1 rw"
    B            deny           "c 1:3 rwm", "c 116:2 rwm", "b 3:* rwm"

If a device is denied in group A::

    # echo "c 116:* r" > A/devices.deny

it'll propagate down and after revalidating B's entries, the whitelist entry
"c 116:2 rwm" will be removed::

    group        whitelist entries                        denied devices
    A            all                                      "b 8:* rwm", "c 116:* rw"
    B            "c 1:3 rwm", "b 3:* rwm"                 all the rest

In case the parent's exceptions change and local exceptions are not allowed
anymore, they'll be deleted.

Notice that new whitelist entries will not be propagated::

      A
     / \
        B

    group        whitelist entries                        denied devices
    A            "c 1:3 rwm", "c 1:5 r"                   all the rest
    B            "c 1:3 rwm", "c 1:5 r"                   all the rest

when adding ``c *:3 rwm``::

    # echo "c *:3 rwm" >A/devices.allow

the result::

    group        whitelist entries                        denied devices
    A            "c *:3 rwm", "c 1:5 r"                   all the rest
    B            "c 1:3 rwm", "c 1:5 r"                   all the rest

but now it'll be possible to add new entries to B::

    # echo "c 2:3 rwm" >B/devices.allow
    # echo "c 50:3 r" >B/devices.allow

or even::

    # echo "c *:3 rwm" >B/devices.allow

Allowing or denying all by writing 'a' to devices.allow or devices.deny will
not be possible once the device cgroup has children.
4.1 Hierarchy (internal implementation)
---------------------------------------

Device cgroups are implemented internally using a behavior (ALLOW, DENY) and a
list of exceptions. The internal state is controlled using the same user
interface to preserve compatibility with the previous whitelist-only
implementation. Removal or addition of exceptions that will reduce the access
to devices will be propagated down the hierarchy.
For every propagated exception, the effective rules will be re-evaluated based
on the current parent's access rules.
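As an added example, not part of this documentation or of the kernel's own code, the following Python models the behavior-plus-exceptions state of section 4.1 together with the rules of sections 2 and 4: the open/mknod access decision, the check that a grant in a child never exceeds its parent, and the downward propagation of a deny with re-validation of locally set entries. The DevCgroup class and its method names are assumed; the whole-state 'a' reset is not modelled, and a write returns False where the kernel would refuse it.

```python
ALLOW, DENY = "allow", "deny"                   # the two behaviors of section 4.1
def parse_entry(text):
    """'c 116:* rw' -> ('c', '116', '*', frozenset('rw')); 'a' and '*' are wildcards."""
    dev_type, numbers, access = text.split()
    major, minor = numbers.split(":")
    return (dev_type, major, minor, frozenset(access))

class DevCgroup:
    def __init__(self, behavior, parent=None):
        self.behavior, self.exceptions, self.parent, self.children = behavior, [], parent, []
        if parent:
            parent.children.append(self)

    def may_access(self, dev_type, major, minor, access):
        """ALLOW: refuse if any exception overlaps; DENY: need one exception holding every bit."""
        wanted = frozenset(access)
        hits = [ex for ex in self.exceptions if ex[0] in ("a", dev_type)
                and ex[1] in ("*", major) and ex[2] in ("*", minor)]
        if self.behavior == ALLOW:
            return not any(ex[3] & wanted for ex in hits)
        return any(wanted <= ex[3] for ex in hits)

    def parent_permits(self, ex):
        """A grant (exception under DENY) must be allowed bit by bit by the parent."""
        if self.parent is None or self.behavior == ALLOW:
            return True
        return all(self.parent.may_access(*ex[:3], bit) for bit in ex[3])

    def write(self, file, text):
        """Model 'echo text > <cgroup>/devices.<file>'; returns True if accepted."""
        ex = parse_entry(text)
        if (file == "deny") != (self.behavior == ALLOW):   # removal: deny under DENY, allow under ALLOW
            self.exceptions = [e for e in self.exceptions if e[:3] != ex[:3]]
        elif file == "allow" and not self.parent_permits(ex):
            return False                        # grant would exceed the parent's access
        else:
            self.exceptions.append(ex)
        if file == "deny":                      # only restrictions propagate downward
            for child in self.children:
                child.propagate_deny(ex)
        return True

    def propagate_deny(self, ex):
        """Drop the grant and any entry the parent no longer permits; ALLOW children inherit it."""
        self.exceptions = [e for e in self.exceptions
                           if e[:3] != ex[:3] and self.parent_permits(e)]
        if self.behavior == ALLOW:
            self.exceptions.append(ex)
        for child in self.children:
            child.propagate_deny(ex)
```

Building the A/B tree from section 4 and writing ``c 116:* r`` to A's deny file leaves B with only ``c 1:3 rwm`` and ``b 3:* rwm``, and adding ``c *:3 rwm`` to a DENY parent is what first makes ``c 2:3 rwm`` acceptable in its child.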