1 files changed, 67 insertions, 3 deletions
diff --git a/Documentation/cgroups/devices.txt b/Documentation/cgroups/devices.txt
index 16624a7f8222..3c1095ca02ea 100644
--- a/Documentation/cgroups/devices.txt
+++ b/Documentation/cgroups/devices.txt
@@ -13,9 +13,7 @@ either an integer or * for all.  Access is a composition of r
 The root device cgroup starts with rwm to 'all'.  A child device
 cgroup gets a copy of the parent.  Administrators can then remove
 devices from the whitelist or add new entries.  A child cgroup can
-never receive a device access which is denied by its parent.  However
+never receive a device access which is denied by its parent.
-when a device access is removed from a parent it will not also be
-removed from the child(ren).
 2. User Interface
@@ -50,3 +48,69 @@ task to a new cgroup.  (Again we'll probably want to change that).
 A cgroup may not be granted more permissions than the cgroup's
 parent has.
+4. Hierarchy
+device cgroups maintain hierarchy by making sure a cgroup never has more
+access permissions than its parent.  Every time an entry is written to
+a cgroup's devices.deny file, all its children will have that entry removed
+from their whitelist and all the locally set whitelist entries will be
+re-evaluated.  In case one of the locally set whitelist entries would provide
+more access than the cgroup's parent, it'll be removed from the whitelist.
+Example:
+      A
+     / \
+        B
+    group        behavior       exceptions
+    A            allow          "b 8:* rwm", "c 116:1 rw"
+    B            deny           "c 1:3 rwm", "c 116:2 rwm", "b 3:* rwm"
+If a device is denied in group A:
+        # echo "c 116:* r" > A/devices.deny
+it'll propagate down and after revalidating B's entries, the whitelist entry
+"c 116:2 rwm" will be removed:
+    group        whitelist entries                        denied devices
+    A            all                                      "b 8:* rwm", "c 116:* rw"
+    B            "c 1:3 rwm", "b 3:* rwm"                 all the rest
+In case parent's exceptions change and local exceptions are not allowed
+anymore, they'll be deleted.
+Notice that new whitelist entries will not be propagated:
+      A
+     / \
+        B
+    group        whitelist entries                        denied devices
+    A            "c 1:3 rwm", "c 1:5 r"                   all the rest
+    B            "c 1:3 rwm", "c 1:5 r"                   all the rest
+when adding "c *:3 rwm":
+        # echo "c *:3 rwm" >A/devices.allow
+the result:
+    group        whitelist entries                        denied devices
+    A            "c *:3 rwm", "c 1:5 r"                   all the rest
+    B            "c 1:3 rwm", "c 1:5 r"                   all the rest
+but now it'll be possible to add new entries to B:
+        # echo "c 2:3 rwm" >B/devices.allow
+        # echo "c 50:3 r" >B/devices.allow
+or even
+        # echo "c *:3 rwm" >B/devices.allow
+Allowing or denying all by writing 'a' to devices.allow or devices.deny will
+not be possible once the device cgroups has children.
+4.1 Hierarchy (internal implementation)
+device cgroups is implemented internally using a behavior (ALLOW, DENY) and a
+list of exceptions.  The internal state is controlled using the same user
+interface to preserve compatibility with the previous whitelist-only
+implementation.  Removal or addition of exceptions that will reduce the access
+to devices will be propagated down the hierarchy.
+For every propagated exception, the effective rules will be re-evaluated based
+on current parent's access rules.

diff --git a/Documentation/cgroups/devices.txt b/Documentation/cgroups/devices.txt index 16624a7f8222..3c1095ca02ea 100644 --- a/Documentation/cgroups/devices.txt +++ b/Documentation/cgroups/devices.txt
@@ -13,9 +13,7 @@ either an integer or * for all. Access is a composition of r
13	The root device cgroup starts with rwm to 'all'. A child device	13	The root device cgroup starts with rwm to 'all'. A child device
14	cgroup gets a copy of the parent. Administrators can then remove	14	cgroup gets a copy of the parent. Administrators can then remove
15	devices from the whitelist or add new entries. A child cgroup can	15	devices from the whitelist or add new entries. A child cgroup can
16	never receive a device access which is denied by its parent. However	16	never receive a device access which is denied by its parent.
17	when a device access is removed from a parent it will not also be
18	removed from the child(ren).
19		17
20	2. User Interface	18	2. User Interface
21		19
@@ -50,3 +48,69 @@ task to a new cgroup. (Again we'll probably want to change that).
50		48
51	A cgroup may not be granted more permissions than the cgroup's	49	A cgroup may not be granted more permissions than the cgroup's
52	parent has.	50	parent has.
		51
		52	4. Hierarchy
		53
		54	device cgroups maintain hierarchy by making sure a cgroup never has more
		55	access permissions than its parent. Every time an entry is written to
		56	a cgroup's devices.deny file, all its children will have that entry removed
		57	from their whitelist and all the locally set whitelist entries will be
		58	re-evaluated. In case one of the locally set whitelist entries would provide
		59	more access than the cgroup's parent, it'll be removed from the whitelist.
		60
		61	Example:
		62	A
		63	/ \
		64	B
		65
		66	group behavior exceptions
		67	A allow "b 8:* rwm", "c 116:1 rw"
		68	B deny "c 1:3 rwm", "c 116:2 rwm", "b 3:* rwm"
		69
		70	If a device is denied in group A:
		71	# echo "c 116:* r" > A/devices.deny
		72	it'll propagate down and after revalidating B's entries, the whitelist entry
		73	"c 116:2 rwm" will be removed:
		74
		75	group whitelist entries denied devices
		76	A all "b 8:* rwm", "c 116:* rw"
		77	B "c 1:3 rwm", "b 3:* rwm" all the rest
		78
		79	In case parent's exceptions change and local exceptions are not allowed
		80	anymore, they'll be deleted.
		81
		82	Notice that new whitelist entries will not be propagated:
		83	A
		84	/ \
		85	B
		86
		87	group whitelist entries denied devices
		88	A "c 1:3 rwm", "c 1:5 r" all the rest
		89	B "c 1:3 rwm", "c 1:5 r" all the rest
		90
		91	when adding "c *:3 rwm":
		92	# echo "c *:3 rwm" >A/devices.allow
		93
		94	the result:
		95	group whitelist entries denied devices
		96	A "c *:3 rwm", "c 1:5 r" all the rest
		97	B "c 1:3 rwm", "c 1:5 r" all the rest
		98
		99	but now it'll be possible to add new entries to B:
		100	# echo "c 2:3 rwm" >B/devices.allow
		101	# echo "c 50:3 r" >B/devices.allow
		102	or even
		103	# echo "c *:3 rwm" >B/devices.allow
		104
		105	Allowing or denying all by writing 'a' to devices.allow or devices.deny will
		106	not be possible once the device cgroups has children.
		107
		108	4.1 Hierarchy (internal implementation)
		109
		110	device cgroups is implemented internally using a behavior (ALLOW, DENY) and a
		111	list of exceptions. The internal state is controlled using the same user
		112	interface to preserve compatibility with the previous whitelist-only
		113	implementation. Removal or addition of exceptions that will reduce the access
		114	to devices will be propagated down the hierarchy.
		115	For every propagated exception, the effective rules will be re-evaluated based
		116	on current parent's access rules.