diff options
Diffstat (limited to 'Documentation/controllers')
-rw-r--r-- | Documentation/controllers/devices.txt | 48 |
1 files changed, 48 insertions, 0 deletions
diff --git a/Documentation/controllers/devices.txt b/Documentation/controllers/devices.txt new file mode 100644 index 000000000000..4dcea42432c2 --- /dev/null +++ b/Documentation/controllers/devices.txt | |||
@@ -0,0 +1,48 @@ | |||
1 | Device Whitelist Controller | ||
2 | |||
3 | 1. Description: | ||
4 | |||
5 | Implement a cgroup to track and enforce open and mknod restrictions | ||
6 | on device files. A device cgroup associates a device access | ||
7 | whitelist with each cgroup. A whitelist entry has 4 fields. | ||
8 | 'type' is a (all), c (char), or b (block). 'all' means it applies | ||
9 | to all types and all major and minor numbers. Major and minor are | ||
10 | either an integer or * for all. Access is a composition of r | ||
11 | (read), w (write), and m (mknod). | ||
12 | |||
13 | The root device cgroup starts with rwm to 'all'. A child device | ||
14 | cgroup gets a copy of the parent. Administrators can then remove | ||
15 | devices from the whitelist or add new entries. A child cgroup can | ||
16 | never receive a device access which is denied its parent. However | ||
17 | when a device access is removed from a parent it will not also be | ||
18 | removed from the child(ren). | ||
19 | |||
20 | 2. User Interface | ||
21 | |||
22 | An entry is added using devices.allow, and removed using | ||
23 | devices.deny. For instance | ||
24 | |||
25 | echo 'c 1:3 mr' > /cgroups/1/devices.allow | ||
26 | |||
27 | allows cgroup 1 to read and mknod the device usually known as | ||
28 | /dev/null. Doing | ||
29 | |||
30 | echo a > /cgroups/1/devices.deny | ||
31 | |||
32 | will remove the default 'a *:* mrw' entry. | ||
33 | |||
34 | 3. Security | ||
35 | |||
36 | Any task can move itself between cgroups. This clearly won't | ||
37 | suffice, but we can decide the best way to adequately restrict | ||
38 | movement as people get some experience with this. We may just want | ||
39 | to require CAP_SYS_ADMIN, which at least is a separate bit from | ||
40 | CAP_MKNOD. We may want to just refuse moving to a cgroup which | ||
41 | isn't a descendent of the current one. Or we may want to use | ||
42 | CAP_MAC_ADMIN, since we really are trying to lock down root. | ||
43 | |||
44 | CAP_SYS_ADMIN is needed to modify the whitelist or move another | ||
45 | task to a new cgroup. (Again we'll probably want to change that). | ||
46 | |||
47 | A cgroup may not be granted more permissions than the cgroup's | ||
48 | parent has. | ||