devcg: propagate local changes down the hierarchy

This patch makes exception changes to propagate down in hierarchy respecting when possible local exceptions. New exceptions allowing additional access to devices won't be propagated, but it'll be possible to add an exception to access all of part of the newly allowed device(s). New exceptions disallowing access to devices will be propagated down and the local group's exceptions will be revalidated for the new situation. Example: A / \ B group behavior exceptions A allow "b 8:* rwm", "c 116:1 rw" B deny "c 1:3 rwm", "c 116:2 rwm", "b 3:* rwm" If a new exception is added to group A: # echo "c 116:* r" > A/devices.deny it'll propagate down and after revalidating B's local exceptions, the exception "c 116:2 rwm" will be removed. In case parent's exceptions change and local exceptions are not allowed anymore, they'll be deleted. v7: - do not allow behavior change when the cgroup has children - update documentation v6: fixed issues pointed by Serge Hallyn - only copy parent's exceptions while propagating behavior if the local behavior is different - while propagating exceptions, do not clear and copy parent's: it'd be against the premise we don't propagate access to more devices v5: fixed issues pointed by Serge Hallyn - updated documentation - not propagating when an exception is written to devices.allow - when propagating a new behavior, clean the local exceptions list if they're for a different behavior v4: fixed issues pointed by Tejun Heo - separated function to walk the tree and collect valid propagation targets v3: fixed issues pointed by Tejun Heo - update documentation - move css_online/css_offline changes to a new patch - use cgroup_for_each_descendant_pre() instead of own descendant walk - move exception_copy rework to a separared patch - move exception_clean rework to a separated patch v2: fixed issues pointed by Tejun Heo - instead of keeping the local settings that won't apply anymore, remove them Cc: Tejun Heo <tj@kernel.org> Cc: Serge Hallyn <serge.hallyn@canonical.com> Signed-off-by: Aristeu Rozanski <aris@redhat.com> Signed-off-by: Tejun Heo <tj@kernel.org>
author: Aristeu Rozanski <aris@redhat.com> 2013-02-15 11:55:47 -0500
committer: Tejun Heo <tj@kernel.org> 2013-03-20 10:50:21 -0400
commit: bd2953ebbb533aeda9b86c82a53d5197a9a38f1b (patch)
tree: b59a35d956a8223d7f68b8d7190a3d14ebf29580 /Documentation/cgroups
parent: 1909554c9715e4d032497993bb56f2726bfa89ae (diff)
1 files changed, 67 insertions, 3 deletions
diff --git a/Documentation/cgroups/devices.txt b/Documentation/cgroups/devices.txt
index 16624a7f8222..3c1095ca02ea 100644
--- a/Documentation/cgroups/devices.txt
+++ b/Documentation/cgroups/devices.txt
@@ -13,9 +13,7 @@ either an integer or * for all.  Access is a composition of r
 The root device cgroup starts with rwm to 'all'.  A child device
 cgroup gets a copy of the parent.  Administrators can then remove
 devices from the whitelist or add new entries.  A child cgroup can
-never receive a device access which is denied by its parent.  However
+never receive a device access which is denied by its parent.
-when a device access is removed from a parent it will not also be
-removed from the child(ren).
 2. User Interface
@@ -50,3 +48,69 @@ task to a new cgroup.  (Again we'll probably want to change that).
 A cgroup may not be granted more permissions than the cgroup's
 parent has.
+4. Hierarchy
+device cgroups maintain hierarchy by making sure a cgroup never has more
+access permissions than its parent.  Every time an entry is written to
+a cgroup's devices.deny file, all its children will have that entry removed
+from their whitelist and all the locally set whitelist entries will be
+re-evaluated.  In case one of the locally set whitelist entries would provide
+more access than the cgroup's parent, it'll be removed from the whitelist.
+Example:
+      A
+     / \
+        B
+    group        behavior       exceptions
+    A            allow          "b 8:* rwm", "c 116:1 rw"
+    B            deny           "c 1:3 rwm", "c 116:2 rwm", "b 3:* rwm"
+If a device is denied in group A:
+        # echo "c 116:* r" > A/devices.deny
+it'll propagate down and after revalidating B's entries, the whitelist entry
+"c 116:2 rwm" will be removed:
+    group        whitelist entries                        denied devices
+    A            all                                      "b 8:* rwm", "c 116:* rw"
+    B            "c 1:3 rwm", "b 3:* rwm"                 all the rest
+In case parent's exceptions change and local exceptions are not allowed
+anymore, they'll be deleted.
+Notice that new whitelist entries will not be propagated:
+      A
+     / \
+        B
+    group        whitelist entries                        denied devices
+    A            "c 1:3 rwm", "c 1:5 r"                   all the rest
+    B            "c 1:3 rwm", "c 1:5 r"                   all the rest
+when adding "c *:3 rwm":
+        # echo "c *:3 rwm" >A/devices.allow
+the result:
+    group        whitelist entries                        denied devices
+    A            "c *:3 rwm", "c 1:5 r"                   all the rest
+    B            "c 1:3 rwm", "c 1:5 r"                   all the rest
+but now it'll be possible to add new entries to B:
+        # echo "c 2:3 rwm" >B/devices.allow
+        # echo "c 50:3 r" >B/devices.allow
+or even
+        # echo "c *:3 rwm" >B/devices.allow
+Allowing or denying all by writing 'a' to devices.allow or devices.deny will
+not be possible once the device cgroups has children.
+4.1 Hierarchy (internal implementation)
+device cgroups is implemented internally using a behavior (ALLOW, DENY) and a
+list of exceptions.  The internal state is controlled using the same user
+interface to preserve compatibility with the previous whitelist-only
+implementation.  Removal or addition of exceptions that will reduce the access
+to devices will be propagated down the hierarchy.
+For every propagated exception, the effective rules will be re-evaluated based
+on current parent's access rules.
author	Aristeu Rozanski <aris@redhat.com>	2013-02-15 11:55:47 -0500
committer	Tejun Heo <tj@kernel.org>	2013-03-20 10:50:21 -0400
commit	bd2953ebbb533aeda9b86c82a53d5197a9a38f1b (patch)
tree	b59a35d956a8223d7f68b8d7190a3d14ebf29580 /Documentation/cgroups
parent	1909554c9715e4d032497993bb56f2726bfa89ae (diff)

diff --git a/Documentation/cgroups/devices.txt b/Documentation/cgroups/devices.txt index 16624a7f8222..3c1095ca02ea 100644 --- a/Documentation/cgroups/devices.txt +++ b/Documentation/cgroups/devices.txt
@@ -13,9 +13,7 @@ either an integer or * for all. Access is a composition of r
13	The root device cgroup starts with rwm to 'all'. A child device	13	The root device cgroup starts with rwm to 'all'. A child device
14	cgroup gets a copy of the parent. Administrators can then remove	14	cgroup gets a copy of the parent. Administrators can then remove
15	devices from the whitelist or add new entries. A child cgroup can	15	devices from the whitelist or add new entries. A child cgroup can
16	never receive a device access which is denied by its parent. However	16	never receive a device access which is denied by its parent.
17	when a device access is removed from a parent it will not also be
18	removed from the child(ren).
19		17
20	2. User Interface	18	2. User Interface
21		19
@@ -50,3 +48,69 @@ task to a new cgroup. (Again we'll probably want to change that).
50		48
51	A cgroup may not be granted more permissions than the cgroup's	49	A cgroup may not be granted more permissions than the cgroup's
52	parent has.	50	parent has.
		51
		52	4. Hierarchy
		53
		54	device cgroups maintain hierarchy by making sure a cgroup never has more
		55	access permissions than its parent. Every time an entry is written to
		56	a cgroup's devices.deny file, all its children will have that entry removed
		57	from their whitelist and all the locally set whitelist entries will be
		58	re-evaluated. In case one of the locally set whitelist entries would provide
		59	more access than the cgroup's parent, it'll be removed from the whitelist.
		60
		61	Example:
		62	A
		63	/ \
		64	B
		65
		66	group behavior exceptions
		67	A allow "b 8:* rwm", "c 116:1 rw"
		68	B deny "c 1:3 rwm", "c 116:2 rwm", "b 3:* rwm"
		69
		70	If a device is denied in group A:
		71	# echo "c 116:* r" > A/devices.deny
		72	it'll propagate down and after revalidating B's entries, the whitelist entry
		73	"c 116:2 rwm" will be removed:
		74
		75	group whitelist entries denied devices
		76	A all "b 8:* rwm", "c 116:* rw"
		77	B "c 1:3 rwm", "b 3:* rwm" all the rest
		78
		79	In case parent's exceptions change and local exceptions are not allowed
		80	anymore, they'll be deleted.
		81
		82	Notice that new whitelist entries will not be propagated:
		83	A
		84	/ \
		85	B
		86
		87	group whitelist entries denied devices
		88	A "c 1:3 rwm", "c 1:5 r" all the rest
		89	B "c 1:3 rwm", "c 1:5 r" all the rest
		90
		91	when adding "c *:3 rwm":
		92	# echo "c *:3 rwm" >A/devices.allow
		93
		94	the result:
		95	group whitelist entries denied devices
		96	A "c *:3 rwm", "c 1:5 r" all the rest
		97	B "c 1:3 rwm", "c 1:5 r" all the rest
		98
		99	but now it'll be possible to add new entries to B:
		100	# echo "c 2:3 rwm" >B/devices.allow
		101	# echo "c 50:3 r" >B/devices.allow
		102	or even
		103	# echo "c *:3 rwm" >B/devices.allow
		104
		105	Allowing or denying all by writing 'a' to devices.allow or devices.deny will
		106	not be possible once the device cgroups has children.
		107
		108	4.1 Hierarchy (internal implementation)
		109
		110	device cgroups is implemented internally using a behavior (ALLOW, DENY) and a
		111	list of exceptions. The internal state is controlled using the same user
		112	interface to preserve compatibility with the previous whitelist-only
		113	implementation. Removal or addition of exceptions that will reduce the access
		114	to devices will be propagated down the hierarchy.
		115	For every propagated exception, the effective rules will be re-evaluated based
		116	on current parent's access rules.