1 /* 2 * device_cgroup.c - device cgroup subsystem 3 * 4 * Copyright 2007 IBM Corp 5 */ 6 7 #include <linux/device_cgroup.h> 8 #include <linux/cgroup.h> 9 #include <linux/ctype.h> 10 #include <linux/list.h> 11 #include <linux/uaccess.h> 12 #include <linux/seq_file.h> 13 #include <linux/slab.h> 14 #include <linux/rcupdate.h> 15 #include <linux/mutex.h> 16 17 #define ACC_MKNOD 1 18 #define ACC_READ 2 19 #define ACC_WRITE 4 20 #define ACC_MASK (ACC_MKNOD | ACC_READ | ACC_WRITE) 21 22 #define DEV_BLOCK 1 23 #define DEV_CHAR 2 24 #define DEV_ALL 4 /* this represents all devices */ 25 26 static DEFINE_MUTEX(devcgroup_mutex); 27 28 enum devcg_behavior { 29 DEVCG_DEFAULT_NONE, 30 DEVCG_DEFAULT_ALLOW, 31 DEVCG_DEFAULT_DENY, 32 }; 33 34 /* 35 * exception list locking rules: 36 * hold devcgroup_mutex for update/read. 37 * hold rcu_read_lock() for read. 38 */ 39 40 struct dev_exception_item { 41 u32 major, minor; 42 short type; 43 short access; 44 struct list_head list; 45 struct rcu_head rcu; 46 }; 47 48 struct dev_cgroup { 49 struct cgroup_subsys_state css; 50 struct list_head exceptions; 51 enum devcg_behavior behavior; 52 }; 53 54 static inline struct dev_cgroup *css_to_devcgroup(struct cgroup_subsys_state *s) 55 { 56 return s ? container_of(s, struct dev_cgroup, css) : NULL; 57 } 58 59 static inline struct dev_cgroup *cgroup_to_devcgroup(struct cgroup *cgroup) 60 { 61 return css_to_devcgroup(cgroup_css(cgroup, devices_subsys_id)); 62 } 63 64 static inline struct dev_cgroup *task_devcgroup(struct task_struct *task) 65 { 66 return css_to_devcgroup(task_css(task, devices_subsys_id)); 67 } 68 69 struct cgroup_subsys devices_subsys; 70 71 static int devcgroup_can_attach(struct cgroup_subsys_state *new_css, 72 struct cgroup_taskset *set) 73 { 74 struct task_struct *task = cgroup_taskset_first(set); 75 76 if (current != task && !capable(CAP_SYS_ADMIN)) 77 return -EPERM; 78 return 0; 79 } 80 81 /* 82 * called under devcgroup_mutex 83 */ 84 static int dev_exceptions_copy(struct list_head *dest, struct list_head *orig) 85 { 86 struct dev_exception_item *ex, *tmp, *new; 87 88 lockdep_assert_held(&devcgroup_mutex); 89 90 list_for_each_entry(ex, orig, list) { 91 new = kmemdup(ex, sizeof(*ex), GFP_KERNEL); 92 if (!new) 93 goto free_and_exit; 94 list_add_tail(&new->list, dest); 95 } 96 97 return 0; 98 99 free_and_exit: 100 list_for_each_entry_safe(ex, tmp, dest, list) { 101 list_del(&ex->list); 102 kfree(ex); 103 } 104 return -ENOMEM; 105 } 106 107 /* 108 * called under devcgroup_mutex 109 */ 110 static int dev_exception_add(struct dev_cgroup *dev_cgroup, 111 struct dev_exception_item *ex) 112 { 113 struct dev_exception_item *excopy, *walk; 114 115 lockdep_assert_held(&devcgroup_mutex); 116 117 excopy = kmemdup(ex, sizeof(*ex), GFP_KERNEL); 118 if (!excopy) 119 return -ENOMEM; 120 121 list_for_each_entry(walk, &dev_cgroup->exceptions, list) { 122 if (walk->type != ex->type) 123 continue; 124 if (walk->major != ex->major) 125 continue; 126 if (walk->minor != ex->minor) 127 continue; 128 129 walk->access |= ex->access; 130 kfree(excopy); 131 excopy = NULL; 132 } 133 134 if (excopy != NULL) 135 list_add_tail_rcu(&excopy->list, &dev_cgroup->exceptions); 136 return 0; 137 } 138 139 /* 140 * called under devcgroup_mutex 141 */ 142 static void dev_exception_rm(struct dev_cgroup *dev_cgroup, 143 struct dev_exception_item *ex) 144 { 145 struct dev_exception_item *walk, *tmp; 146 147 lockdep_assert_held(&devcgroup_mutex); 148 149 list_for_each_entry_safe(walk, tmp, &dev_cgroup->exceptions, list) { 150 if (walk->type != ex->type) 151 continue; 152 if (walk->major != ex->major) 153 continue; 154 if (walk->minor != ex->minor) 155 continue; 156 157 walk->access &= ~ex->access; 158 if (!walk->access) { 159 list_del_rcu(&walk->list); 160 kfree_rcu(walk, rcu); 161 } 162 } 163 } 164 165 static void __dev_exception_clean(struct dev_cgroup *dev_cgroup) 166 { 167 struct dev_exception_item *ex, *tmp; 168 169 list_for_each_entry_safe(ex, tmp, &dev_cgroup->exceptions, list) { 170 list_del_rcu(&ex->list); 171 kfree_rcu(ex, rcu); 172 } 173 } 174 175 /** 176 * dev_exception_clean - frees all entries of the exception list 177 * @dev_cgroup: dev_cgroup with the exception list to be cleaned 178 * 179 * called under devcgroup_mutex 180 */ 181 static void dev_exception_clean(struct dev_cgroup *dev_cgroup) 182 { 183 lockdep_assert_held(&devcgroup_mutex); 184 185 __dev_exception_clean(dev_cgroup); 186 } 187 188 static inline bool is_devcg_online(const struct dev_cgroup *devcg) 189 { 190 return (devcg->behavior != DEVCG_DEFAULT_NONE); 191 } 192 193 /** 194 * devcgroup_online - initializes devcgroup's behavior and exceptions based on 195 * parent's 196 * @css: css getting online 197 * returns 0 in case of success, error code otherwise 198 */ 199 static int devcgroup_online(struct cgroup_subsys_state *css) 200 { 201 struct dev_cgroup *dev_cgroup = css_to_devcgroup(css); 202 struct dev_cgroup *parent_dev_cgroup = css_to_devcgroup(css_parent(css)); 203 int ret = 0; 204 205 mutex_lock(&devcgroup_mutex); 206 207 if (parent_dev_cgroup == NULL) 208 dev_cgroup->behavior = DEVCG_DEFAULT_ALLOW; 209 else { 210 ret = dev_exceptions_copy(&dev_cgroup->exceptions, 211 &parent_dev_cgroup->exceptions); 212 if (!ret) 213 dev_cgroup->behavior = parent_dev_cgroup->behavior; 214 } 215 mutex_unlock(&devcgroup_mutex); 216 217 return ret; 218 } 219 220 static void devcgroup_offline(struct cgroup_subsys_state *css) 221 { 222 struct dev_cgroup *dev_cgroup = css_to_devcgroup(css); 223 224 mutex_lock(&devcgroup_mutex); 225 dev_cgroup->behavior = DEVCG_DEFAULT_NONE; 226 mutex_unlock(&devcgroup_mutex); 227 } 228 229 /* 230 * called from kernel/cgroup.c with cgroup_lock() held. 231 */ 232 static struct cgroup_subsys_state * 233 devcgroup_css_alloc(struct cgroup_subsys_state *parent_css) 234 { 235 struct dev_cgroup *dev_cgroup; 236 237 dev_cgroup = kzalloc(sizeof(*dev_cgroup), GFP_KERNEL); 238 if (!dev_cgroup) 239 return ERR_PTR(-ENOMEM); 240 INIT_LIST_HEAD(&dev_cgroup->exceptions); 241 dev_cgroup->behavior = DEVCG_DEFAULT_NONE; 242 243 return &dev_cgroup->css; 244 } 245 246 static void devcgroup_css_free(struct cgroup_subsys_state *css) 247 { 248 struct dev_cgroup *dev_cgroup = css_to_devcgroup(css); 249 250 __dev_exception_clean(dev_cgroup); 251 kfree(dev_cgroup); 252 } 253 254 #define DEVCG_ALLOW 1 255 #define DEVCG_DENY 2 256 #define DEVCG_LIST 3 257 258 #define MAJMINLEN 13 259 #define ACCLEN 4 260 261 static void set_access(char *acc, short access) 262 { 263 int idx = 0; 264 memset(acc, 0, ACCLEN); 265 if (access & ACC_READ) 266 acc[idx++] = 'r'; 267 if (access & ACC_WRITE) 268 acc[idx++] = 'w'; 269 if (access & ACC_MKNOD) 270 acc[idx++] = 'm'; 271 } 272 273 static char type_to_char(short type) 274 { 275 if (type == DEV_ALL) 276 return 'a'; 277 if (type == DEV_CHAR) 278 return 'c'; 279 if (type == DEV_BLOCK) 280 return 'b'; 281 return 'X'; 282 } 283 284 static void set_majmin(char *str, unsigned m) 285 { 286 if (m == ~0) 287 strcpy(str, "*"); 288 else 289 sprintf(str, "%u", m); 290 } 291 292 static int devcgroup_seq_read(struct cgroup *cgroup, struct cftype *cft, 293 struct seq_file *m) 294 { 295 struct dev_cgroup *devcgroup = cgroup_to_devcgroup(cgroup); 296 struct dev_exception_item *ex; 297 char maj[MAJMINLEN], min[MAJMINLEN], acc[ACCLEN]; 298 299 rcu_read_lock(); 300 /* 301 * To preserve the compatibility: 302 * - Only show the "all devices" when the default policy is to allow 303 * - List the exceptions in case the default policy is to deny 304 * This way, the file remains as a "whitelist of devices" 305 */ 306 if (devcgroup->behavior == DEVCG_DEFAULT_ALLOW) { 307 set_access(acc, ACC_MASK); 308 set_majmin(maj, ~0); 309 set_majmin(min, ~0); 310 seq_printf(m, "%c %s:%s %s\n", type_to_char(DEV_ALL), 311 maj, min, acc); 312 } else { 313 list_for_each_entry_rcu(ex, &devcgroup->exceptions, list) { 314 set_access(acc, ex->access); 315 set_majmin(maj, ex->major); 316 set_majmin(min, ex->minor); 317 seq_printf(m, "%c %s:%s %s\n", type_to_char(ex->type), 318 maj, min, acc); 319 } 320 } 321 rcu_read_unlock(); 322 323 return 0; 324 } 325 326 /** 327 * may_access - verifies if a new exception is part of what is allowed 328 * by a dev cgroup based on the default policy + 329 * exceptions. This is used to make sure a child cgroup 330 * won't have more privileges than its parent or to 331 * verify if a certain access is allowed. 332 * @dev_cgroup: dev cgroup to be tested against 333 * @refex: new exception 334 * @behavior: behavior of the exception 335 */ 336 static bool may_access(struct dev_cgroup *dev_cgroup, 337 struct dev_exception_item *refex, 338 enum devcg_behavior behavior) 339 { 340 struct dev_exception_item *ex; 341 bool match = false; 342 343 rcu_lockdep_assert(rcu_read_lock_held() || 344 lockdep_is_held(&devcgroup_mutex), 345 "device_cgroup::may_access() called without proper synchronization"); 346 347 list_for_each_entry_rcu(ex, &dev_cgroup->exceptions, list) { 348 if ((refex->type & DEV_BLOCK) && !(ex->type & DEV_BLOCK)) 349 continue; 350 if ((refex->type & DEV_CHAR) && !(ex->type & DEV_CHAR)) 351 continue; 352 if (ex->major != ~0 && ex->major != refex->major) 353 continue; 354 if (ex->minor != ~0 && ex->minor != refex->minor) 355 continue; 356 if (refex->access & (~ex->access)) 357 continue; 358 match = true; 359 break; 360 } 361 362 if (dev_cgroup->behavior == DEVCG_DEFAULT_ALLOW) { 363 if (behavior == DEVCG_DEFAULT_ALLOW) { 364 /* the exception will deny access to certain devices */ 365 return true; 366 } else { 367 /* the exception will allow access to certain devices */ 368 if (match) 369 /* 370 * a new exception allowing access shouldn't 371 * match an parent's exception 372 */ 373 return false; 374 return true; 375 } 376 } else { 377 /* only behavior == DEVCG_DEFAULT_DENY allowed here */ 378 if (match) 379 /* parent has an exception that matches the proposed */ 380 return true; 381 else 382 return false; 383 } 384 return false; 385 } 386 387 /* 388 * parent_has_perm: 389 * when adding a new allow rule to a device exception list, the rule 390 * must be allowed in the parent device 391 */ 392 static int parent_has_perm(struct dev_cgroup *childcg, 393 struct dev_exception_item *ex) 394 { 395 struct dev_cgroup *parent = css_to_devcgroup(css_parent(&childcg->css)); 396 397 if (!parent) 398 return 1; 399 return may_access(parent, ex, childcg->behavior); 400 } 401 402 /** 403 * may_allow_all - checks if it's possible to change the behavior to 404 * allow based on parent's rules. 405 * @parent: device cgroup's parent 406 * returns: != 0 in case it's allowed, 0 otherwise 407 */ 408 static inline int may_allow_all(struct dev_cgroup *parent) 409 { 410 if (!parent) 411 return 1; 412 return parent->behavior == DEVCG_DEFAULT_ALLOW; 413 } 414 415 /** 416 * revalidate_active_exceptions - walks through the active exception list and 417 * revalidates the exceptions based on parent's 418 * behavior and exceptions. The exceptions that 419 * are no longer valid will be removed. 420 * Called with devcgroup_mutex held. 421 * @devcg: cgroup which exceptions will be checked 422 * 423 * This is one of the three key functions for hierarchy implementation. 424 * This function is responsible for re-evaluating all the cgroup's active 425 * exceptions due to a parent's exception change. 426 * Refer to Documentation/cgroups/devices.txt for more details. 427 */ 428 static void revalidate_active_exceptions(struct dev_cgroup *devcg) 429 { 430 struct dev_exception_item *ex; 431 struct list_head *this, *tmp; 432 433 list_for_each_safe(this, tmp, &devcg->exceptions) { 434 ex = container_of(this, struct dev_exception_item, list); 435 if (!parent_has_perm(devcg, ex)) 436 dev_exception_rm(devcg, ex); 437 } 438 } 439 440 /** 441 * propagate_exception - propagates a new exception to the children 442 * @devcg_root: device cgroup that added a new exception 443 * @ex: new exception to be propagated 444 * 445 * returns: 0 in case of success, != 0 in case of error 446 */ 447 static int propagate_exception(struct dev_cgroup *devcg_root, 448 struct dev_exception_item *ex) 449 { 450 struct cgroup *root = devcg_root->css.cgroup, *pos; 451 int rc = 0; 452 453 rcu_read_lock(); 454 455 cgroup_for_each_descendant_pre(pos, root) { 456 struct dev_cgroup *devcg = cgroup_to_devcgroup(pos); 457 458 /* 459 * Because devcgroup_mutex is held, no devcg will become 460 * online or offline during the tree walk (see on/offline 461 * methods), and online ones are safe to access outside RCU 462 * read lock without bumping refcnt. 463 */ 464 if (!is_devcg_online(devcg)) 465 continue; 466 467 rcu_read_unlock(); 468 469 /* 470 * in case both root's behavior and devcg is allow, a new 471 * restriction means adding to the exception list 472 */ 473 if (devcg_root->behavior == DEVCG_DEFAULT_ALLOW && 474 devcg->behavior == DEVCG_DEFAULT_ALLOW) { 475 rc = dev_exception_add(devcg, ex); 476 if (rc) 477 break; 478 } else { 479 /* 480 * in the other possible cases: 481 * root's behavior: allow, devcg's: deny 482 * root's behavior: deny, devcg's: deny 483 * the exception will be removed 484 */ 485 dev_exception_rm(devcg, ex); 486 } 487 revalidate_active_exceptions(devcg); 488 489 rcu_read_lock(); 490 } 491 492 rcu_read_unlock(); 493 return rc; 494 } 495 496 static inline bool has_children(struct dev_cgroup *devcgroup) 497 { 498 struct cgroup *cgrp = devcgroup->css.cgroup; 499 500 return !list_empty(&cgrp->children); 501 } 502 503 /* 504 * Modify the exception list using allow/deny rules. 505 * CAP_SYS_ADMIN is needed for this. It's at least separate from CAP_MKNOD 506 * so we can give a container CAP_MKNOD to let it create devices but not 507 * modify the exception list. 508 * It seems likely we'll want to add a CAP_CONTAINER capability to allow 509 * us to also grant CAP_SYS_ADMIN to containers without giving away the 510 * device exception list controls, but for now we'll stick with CAP_SYS_ADMIN 511 * 512 * Taking rules away is always allowed (given CAP_SYS_ADMIN). Granting 513 * new access is only allowed if you're in the top-level cgroup, or your 514 * parent cgroup has the access you're asking for. 515 */ 516 static int devcgroup_update_access(struct dev_cgroup *devcgroup, 517 int filetype, const char *buffer) 518 { 519 const char *b; 520 char temp[12]; /* 11 + 1 characters needed for a u32 */ 521 int count, rc = 0; 522 struct dev_exception_item ex; 523 struct dev_cgroup *parent = css_to_devcgroup(css_parent(&devcgroup->css)); 524 525 if (!capable(CAP_SYS_ADMIN)) 526 return -EPERM; 527 528 memset(&ex, 0, sizeof(ex)); 529 b = buffer; 530 531 switch (*b) { 532 case 'a': 533 switch (filetype) { 534 case DEVCG_ALLOW: 535 if (has_children(devcgroup)) 536 return -EINVAL; 537 538 if (!may_allow_all(parent)) 539 return -EPERM; 540 dev_exception_clean(devcgroup); 541 devcgroup->behavior = DEVCG_DEFAULT_ALLOW; 542 if (!parent) 543 break; 544 545 rc = dev_exceptions_copy(&devcgroup->exceptions, 546 &parent->exceptions); 547 if (rc) 548 return rc; 549 break; 550 case DEVCG_DENY: 551 if (has_children(devcgroup)) 552 return -EINVAL; 553 554 dev_exception_clean(devcgroup); 555 devcgroup->behavior = DEVCG_DEFAULT_DENY; 556 break; 557 default: 558 return -EINVAL; 559 } 560 return 0; 561 case 'b': 562 ex.type = DEV_BLOCK; 563 break; 564 case 'c': 565 ex.type = DEV_CHAR; 566 break; 567 default: 568 return -EINVAL; 569 } 570 b++; 571 if (!isspace(*b)) 572 return -EINVAL; 573 b++; 574 if (*b == '*') { 575 ex.major = ~0; 576 b++; 577 } else if (isdigit(*b)) { 578 memset(temp, 0, sizeof(temp)); 579 for (count = 0; count < sizeof(temp) - 1; count++) { 580 temp[count] = *b; 581 b++; 582 if (!isdigit(*b)) 583 break; 584 } 585 rc = kstrtou32(temp, 10, &ex.major); 586 if (rc) 587 return -EINVAL; 588 } else { 589 return -EINVAL; 590 } 591 if (*b != ':') 592 return -EINVAL; 593 b++; 594 595 /* read minor */ 596 if (*b == '*') { 597 ex.minor = ~0; 598 b++; 599 } else if (isdigit(*b)) { 600 memset(temp, 0, sizeof(temp)); 601 for (count = 0; count < sizeof(temp) - 1; count++) { 602 temp[count] = *b; 603 b++; 604 if (!isdigit(*b)) 605 break; 606 } 607 rc = kstrtou32(temp, 10, &ex.minor); 608 if (rc) 609 return -EINVAL; 610 } else { 611 return -EINVAL; 612 } 613 if (!isspace(*b)) 614 return -EINVAL; 615 for (b++, count = 0; count < 3; count++, b++) { 616 switch (*b) { 617 case 'r': 618 ex.access |= ACC_READ; 619 break; 620 case 'w': 621 ex.access |= ACC_WRITE; 622 break; 623 case 'm': 624 ex.access |= ACC_MKNOD; 625 break; 626 case '\n': 627 case '\0': 628 count = 3; 629 break; 630 default: 631 return -EINVAL; 632 } 633 } 634 635 switch (filetype) { 636 case DEVCG_ALLOW: 637 if (!parent_has_perm(devcgroup, &ex)) 638 return -EPERM; 639 /* 640 * If the default policy is to allow by default, try to remove 641 * an matching exception instead. And be silent about it: we 642 * don't want to break compatibility 643 */ 644 if (devcgroup->behavior == DEVCG_DEFAULT_ALLOW) { 645 dev_exception_rm(devcgroup, &ex); 646 return 0; 647 } 648 rc = dev_exception_add(devcgroup, &ex); 649 break; 650 case DEVCG_DENY: 651 /* 652 * If the default policy is to deny by default, try to remove 653 * an matching exception instead. And be silent about it: we 654 * don't want to break compatibility 655 */ 656 if (devcgroup->behavior == DEVCG_DEFAULT_DENY) 657 dev_exception_rm(devcgroup, &ex); 658 else 659 rc = dev_exception_add(devcgroup, &ex); 660 661 if (rc) 662 break; 663 /* we only propagate new restrictions */ 664 rc = propagate_exception(devcgroup, &ex); 665 break; 666 default: 667 rc = -EINVAL; 668 } 669 return rc; 670 } 671 672 static int devcgroup_access_write(struct cgroup *cgrp, struct cftype *cft, 673 const char *buffer) 674 { 675 int retval; 676 677 mutex_lock(&devcgroup_mutex); 678 retval = devcgroup_update_access(cgroup_to_devcgroup(cgrp), 679 cft->private, buffer); 680 mutex_unlock(&devcgroup_mutex); 681 return retval; 682 } 683 684 static struct cftype dev_cgroup_files[] = { 685 { 686 .name = "allow", 687 .write_string = devcgroup_access_write, 688 .private = DEVCG_ALLOW, 689 }, 690 { 691 .name = "deny", 692 .write_string = devcgroup_access_write, 693 .private = DEVCG_DENY, 694 }, 695 { 696 .name = "list", 697 .read_seq_string = devcgroup_seq_read, 698 .private = DEVCG_LIST, 699 }, 700 { } /* terminate */ 701 }; 702 703 struct cgroup_subsys devices_subsys = { 704 .name = "devices", 705 .can_attach = devcgroup_can_attach, 706 .css_alloc = devcgroup_css_alloc, 707 .css_free = devcgroup_css_free, 708 .css_online = devcgroup_online, 709 .css_offline = devcgroup_offline, 710 .subsys_id = devices_subsys_id, 711 .base_cftypes = dev_cgroup_files, 712 }; 713 714 /** 715 * __devcgroup_check_permission - checks if an inode operation is permitted 716 * @dev_cgroup: the dev cgroup to be tested against 717 * @type: device type 718 * @major: device major number 719 * @minor: device minor number 720 * @access: combination of ACC_WRITE, ACC_READ and ACC_MKNOD 721 * 722 * returns 0 on success, -EPERM case the operation is not permitted 723 */ 724 static int __devcgroup_check_permission(short type, u32 major, u32 minor, 725 short access) 726 { 727 struct dev_cgroup *dev_cgroup; 728 struct dev_exception_item ex; 729 int rc; 730 731 memset(&ex, 0, sizeof(ex)); 732 ex.type = type; 733 ex.major = major; 734 ex.minor = minor; 735 ex.access = access; 736 737 rcu_read_lock(); 738 dev_cgroup = task_devcgroup(current); 739 rc = may_access(dev_cgroup, &ex, dev_cgroup->behavior); 740 rcu_read_unlock(); 741 742 if (!rc) 743 return -EPERM; 744 745 return 0; 746 } 747 748 int __devcgroup_inode_permission(struct inode *inode, int mask) 749 { 750 short type, access = 0; 751 752 if (S_ISBLK(inode->i_mode)) 753 type = DEV_BLOCK; 754 if (S_ISCHR(inode->i_mode)) 755 type = DEV_CHAR; 756 if (mask & MAY_WRITE) 757 access |= ACC_WRITE; 758 if (mask & MAY_READ) 759 access |= ACC_READ; 760 761 return __devcgroup_check_permission(type, imajor(inode), iminor(inode), 762 access); 763 } 764 765 int devcgroup_inode_mknod(int mode, dev_t dev) 766 { 767 short type; 768 769 if (!S_ISBLK(mode) && !S_ISCHR(mode)) 770 return 0; 771 772 if (S_ISBLK(mode)) 773 type = DEV_BLOCK; 774 else 775 type = DEV_CHAR; 776 777 return __devcgroup_check_permission(type, MAJOR(dev), MINOR(dev), 778 ACC_MKNOD); 779 780 } 781