device_cgroup.c 21 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270
3704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869
  1. /*
  2. * device_cgroup.c - device cgroup subsystem
  3. *
  4. * Copyright 2007 IBM Corp
  5. */
  6. #include <linux/device_cgroup.h>
  7. #include <linux/cgroup.h>
  8. #include <linux/ctype.h>
  9. #include <linux/list.h>
  10. #include <linux/uaccess.h>
  11. #include <linux/seq_file.h>
  12. #include <linux/slab.h>
  13. #include <linux/rcupdate.h>
  14. #include <linux/mutex.h>
  /* Access bits; OR-ed together in dev_exception_item.access. */
  #define ACC_MKNOD 0x1
  #define ACC_READ 0x2
  #define ACC_WRITE 0x4
  #define ACC_MASK (ACC_MKNOD | ACC_READ | ACC_WRITE)

  /* Device-type bits stored in dev_exception_item.type. */
  #define DEV_BLOCK 0x1
  #define DEV_CHAR 0x2
  #define DEV_ALL 0x4 /* this represents all devices */
  /*
   * Held while a device cgroup's behavior or exception list is updated;
   * the helpers below assert it with lockdep_assert_held().
   */
  static DEFINE_MUTEX(devcgroup_mutex);
  /* Default policy of a device cgroup; the exception list inverts it. */
  enum devcg_behavior {
      DEVCG_DEFAULT_NONE = 0,   /* not online (see is_devcg_online()) */
      DEVCG_DEFAULT_ALLOW = 1,  /* allow all, exceptions are denials */
      DEVCG_DEFAULT_DENY = 2,   /* deny all, exceptions are grants */
  };
  28. /*
  29. * exception list locking rules:
  30. * hold devcgroup_mutex for update/read.
  31. * hold rcu_read_lock() for read.
  32. */
  33. struct dev_exception_item {
  34. u32 major, minor;
  35. short type;
  36. short access;
  37. struct list_head list;
  38. struct rcu_head rcu;
  39. };
  40. struct dev_cgroup {
  41. struct cgroup_subsys_state css;
  42. struct list_head exceptions;
  43. enum devcg_behavior behavior;
  44. };
  45. static inline struct dev_cgroup *css_to_devcgroup(struct cgroup_subsys_state *s)
  46. {
  47. return s ? container_of(s, struct dev_cgroup, css) : NULL;
  48. }
  49. static inline struct dev_cgroup *task_devcgroup(struct task_struct *task)
  50. {
  51. return css_to_devcgroup(task_css(task, devices_cgrp_id));
  52. }
  53. /*
  54. * called under devcgroup_mutex
  55. */
  56. static int dev_exceptions_copy(struct list_head *dest, struct list_head *orig)
  57. {
  58. struct dev_exception_item *ex, *tmp, *new;
  59. lockdep_assert_held(&devcgroup_mutex);
  60. list_for_each_entry(ex, orig, list) {
  61. new = kmemdup(ex, sizeof(*ex), GFP_KERNEL);
  62. if (!new)
  63. goto free_and_exit;
  64. list_add_tail(&new->list, dest);
  65. }
  66. return 0;
  67. free_and_exit:
  68. list_for_each_entry_safe(ex, tmp, dest, list) {
  69. list_del(&ex->list);
  70. kfree(ex);
  71. }
  72. return -ENOMEM;
  73. }
  74. /*
  75. * called under devcgroup_mutex
  76. */
  77. static int dev_exception_add(struct dev_cgroup *dev_cgroup,
  78. struct dev_exception_item *ex)
  79. {
  80. struct dev_exception_item *excopy, *walk;
  81. lockdep_assert_held(&devcgroup_mutex);
  82. excopy = kmemdup(ex, sizeof(*ex), GFP_KERNEL);
  83. if (!excopy)
  84. return -ENOMEM;
  85. list_for_each_entry(walk, &dev_cgroup->exceptions, list) {
  86. if (walk->type != ex->type)
  87. continue;
  88. if (walk->major != ex->major)
  89. continue;
  90. if (walk->minor != ex->minor)
  91. continue;
  92. walk->access |= ex->access;
  93. kfree(excopy);
  94. excopy = NULL;
  95. }
  96. if (excopy != NULL)
  97. list_add_tail_rcu(&excopy->list, &dev_cgroup->exceptions);
  98. return 0;
  99. }
  100. /*
  101. * called under devcgroup_mutex
  102. */
  103. static void dev_exception_rm(struct dev_cgroup *dev_cgroup,
  104. struct dev_exception_item *ex)
  105. {
  106. struct dev_exception_item *walk, *tmp;
  107. lockdep_assert_held(&devcgroup_mutex);
  108. list_for_each_entry_safe(walk, tmp, &dev_cgroup->exceptions, list) {
  109. if (walk->type != ex->type)
  110. continue;
  111. if (walk->major != ex->major)
  112. continue;
  113. if (walk->minor != ex->minor)
  114. continue;
  115. walk->access &= ~ex->access;
  116. if (!walk->access) {
  117. list_del_rcu(&walk->list);
  118. kfree_rcu(walk, rcu);
  119. }
  120. }
  121. }
  122. static void __dev_exception_clean(struct dev_cgroup *dev_cgroup)
  123. {
  124. struct dev_exception_item *ex, *tmp;
  125. list_for_each_entry_safe(ex, tmp, &dev_cgroup->exceptions, list) {
  126. list_del_rcu(&ex->list);
  127. kfree_rcu(ex, rcu);
  128. }
  129. }
  130. /**
  131. * dev_exception_clean - frees all entries of the exception list
  132. * @dev_cgroup: dev_cgroup with the exception list to be cleaned
  133. *
  134. * called under devcgroup_mutex
  135. */
  136. static void dev_exception_clean(struct dev_cgroup *dev_cgroup)
  137. {
  138. lockdep_assert_held(&devcgroup_mutex);
  139. __dev_exception_clean(dev_cgroup);
  140. }
  141. static inline bool is_devcg_online(const struct dev_cgroup *devcg)
  142. {
  143. return (devcg->behavior != DEVCG_DEFAULT_NONE);
  144. }
  145. /**
  146. * devcgroup_online - initializes devcgroup's behavior and exceptions based on
  147. * parent's
  148. * @css: css getting online
  149. * returns 0 in case of success, error code otherwise
  150. */
  151. static int devcgroup_online(struct cgroup_subsys_state *css)
  152. {
  153. struct dev_cgroup *dev_cgroup = css_to_devcgroup(css);
  154. struct dev_cgroup *parent_dev_cgroup = css_to_devcgroup(css->parent);
  155. int ret = 0;
  156. mutex_lock(&devcgroup_mutex);
  157. if (parent_dev_cgroup == NULL)
  158. dev_cgroup->behavior = DEVCG_DEFAULT_ALLOW;
  159. else {
  160. ret = dev_exceptions_copy(&dev_cgroup->exceptions,
  161. &parent_dev_cgroup->exceptions);
  162. if (!ret)
  163. dev_cgroup->behavior = parent_dev_cgroup->behavior;
  164. }
  165. mutex_unlock(&devcgroup_mutex);
  166. return ret;
  167. }
  168. static void devcgroup_offline(struct cgroup_subsys_state *css)
  169. {
  170. struct dev_cgroup *dev_cgroup = css_to_devcgroup(css);
  171. mutex_lock(&devcgroup_mutex);
  172. dev_cgroup->behavior = DEVCG_DEFAULT_NONE;
  173. mutex_unlock(&devcgroup_mutex);
  174. }
  175. /*
  176. * called from kernel/cgroup.c with cgroup_lock() held.
  177. */
  178. static struct cgroup_subsys_state *
  179. devcgroup_css_alloc(struct cgroup_subsys_state *parent_css)
  180. {
  181. struct dev_cgroup *dev_cgroup;
  182. dev_cgroup = kzalloc(sizeof(*dev_cgroup), GFP_KERNEL);
  183. if (!dev_cgroup)
  184. return ERR_PTR(-ENOMEM);
  185. INIT_LIST_HEAD(&dev_cgroup->exceptions);
  186. dev_cgroup->behavior = DEVCG_DEFAULT_NONE;
  187. return &dev_cgroup->css;
  188. }
  /* Release all exceptions of the css, then the dev_cgroup itself. */
  static void devcgroup_css_free(struct cgroup_subsys_state *css)
  {
      struct dev_cgroup *devcg = css_to_devcgroup(css);

      __dev_exception_clean(devcg);
      kfree(devcg);
  }
  /* Values stored in cftype.private to tell the control files apart. */
  #define DEVCG_ALLOW 1
  #define DEVCG_DENY 2
  #define DEVCG_LIST 3

  /* Sizes of the scratch buffers filled by set_majmin() and set_access(). */
  #define MAJMINLEN 13
  #define ACCLEN 4
  200. static void set_access(char *acc, short access)
  201. {
  202. int idx = 0;
  203. memset(acc, 0, ACCLEN);
  204. if (access & ACC_READ)
  205. acc[idx++] = 'r';
  206. if (access & ACC_WRITE)
  207. acc[idx++] = 'w';
  208. if (access & ACC_MKNOD)
  209. acc[idx++] = 'm';
  210. }
  211. static char type_to_char(short type)
  212. {
  213. if (type == DEV_ALL)
  214. return 'a';
  215. if (type == DEV_CHAR)
  216. return 'c';
  217. if (type == DEV_BLOCK)
  218. return 'b';
  219. return 'X';
  220. }
  /*
   * Format a major/minor number into @str: the all-ones value is written
   * as "*", anything else as an unsigned decimal number.
   */
  static void set_majmin(char *str, unsigned m)
  {
      if (m != ~0) {
          sprintf(str, "%u", m);
          return;
      }

      strcpy(str, "*");
  }
  228. static int devcgroup_seq_show(struct seq_file *m, void *v)
  229. {
  230. struct dev_cgroup *devcgroup = css_to_devcgroup(seq_css(m));
  231. struct dev_exception_item *ex;
  232. char maj[MAJMINLEN], min[MAJMINLEN], acc[ACCLEN];
  233. rcu_read_lock();
  234. /*
  235. * To preserve the compatibility:
  236. * - Only show the "all devices" when the default policy is to allow
  237. * - List the exceptions in case the default policy is to deny
  238. * This way, the file remains as a "whitelist of devices"
  239. */
  240. if (devcgroup->behavior == DEVCG_DEFAULT_ALLOW) {
  241. set_access(acc, ACC_MASK);
  242. set_majmin(maj, ~0);
  243. set_majmin(min, ~0);
  244. seq_printf(m, "%c %s:%s %s\n", type_to_char(DEV_ALL),
  245. maj, min, acc);
  246. } else {
  247. list_for_each_entry_rcu(ex, &devcgroup->exceptions, list) {
  248. set_access(acc, ex->access);
  249. set_majmin(maj, ex->major);
  250. set_majmin(min, ex->minor);
  251. seq_printf(m, "%c %s:%s %s\n", type_to_char(ex->type),
  252. maj, min, acc);
  253. }
  254. }
  255. rcu_read_unlock();
  256. return 0;
  257. }
  258. /**
  259. * match_exception - iterates the exception list trying to find a complete match
  260. * @exceptions: list of exceptions
  261. * @type: device type (DEV_BLOCK or DEV_CHAR)
  262. * @major: device file major number, ~0 to match all
  263. * @minor: device file minor number, ~0 to match all
  264. * @access: permission mask (ACC_READ, ACC_WRITE, ACC_MKNOD)
  265. *
  266. * It is considered a complete match if an exception is found that will
  267. * contain the entire range of provided parameters.
  268. *
  269. * Return: true in case it matches an exception completely
  270. */
  271. static bool match_exception(struct list_head *exceptions, short type,
  272. u32 major, u32 minor, short access)
  273. {
  274. struct dev_exception_item *ex;
  275. list_for_each_entry_rcu(ex, exceptions, list) {
  276. if ((type & DEV_BLOCK) && !(ex->type & DEV_BLOCK))
  277. continue;
  278. if ((type & DEV_CHAR) && !(ex->type & DEV_CHAR))
  279. continue;
  280. if (ex->major != ~0 && ex->major != major)
  281. continue;
  282. if (ex->minor != ~0 && ex->minor != minor)
  283. continue;
  284. /* provided access cannot have more than the exception rule */
  285. if (access & (~ex->access))
  286. continue;
  287. return true;
  288. }
  289. return false;
  290. }
  291. /**
  292. * match_exception_partial - iterates the exception list trying to find a partial match
  293. * @exceptions: list of exceptions
  294. * @type: device type (DEV_BLOCK or DEV_CHAR)
  295. * @major: device file major number, ~0 to match all
  296. * @minor: device file minor number, ~0 to match all
  297. * @access: permission mask (ACC_READ, ACC_WRITE, ACC_MKNOD)
  298. *
  299. * It is considered a partial match if an exception's range is found to
  300. * contain *any* of the devices specified by provided parameters. This is
  301. * used to make sure no extra access is being granted that is forbidden by
  302. * any of the exception list.
  303. *
  304. * Return: true in case the provided range mat matches an exception completely
  305. */
  306. static bool match_exception_partial(struct list_head *exceptions, short type,
  307. u32 major, u32 minor, short access)
  308. {
  309. struct dev_exception_item *ex;
  310. list_for_each_entry_rcu(ex, exceptions, list) {
  311. if ((type & DEV_BLOCK) && !(ex->type & DEV_BLOCK))
  312. continue;
  313. if ((type & DEV_CHAR) && !(ex->type & DEV_CHAR))
  314. continue;
  315. /*
  316. * We must be sure that both the exception and the provided
  317. * range aren't masking all devices
  318. */
  319. if (ex->major != ~0 && major != ~0 && ex->major != major)
  320. continue;
  321. if (ex->minor != ~0 && minor != ~0 && ex->minor != minor)
  322. continue;
  323. /*
  324. * In order to make sure the provided range isn't matching
  325. * an exception, all its access bits shouldn't match the
  326. * exception's access bits
  327. */
  328. if (!(access & ex->access))
  329. continue;
  330. return true;
  331. }
  332. return false;
  333. }
  334. /**
  335. * verify_new_ex - verifies if a new exception is allowed by parent cgroup's permissions
  336. * @dev_cgroup: dev cgroup to be tested against
  337. * @refex: new exception
  338. * @behavior: behavior of the exception's dev_cgroup
  339. *
  340. * This is used to make sure a child cgroup won't have more privileges
  341. * than its parent
  342. */
  343. static bool verify_new_ex(struct dev_cgroup *dev_cgroup,
  344. struct dev_exception_item *refex,
  345. enum devcg_behavior behavior)
  346. {
  347. bool match = false;
  348. RCU_LOCKDEP_WARN(!rcu_read_lock_held() &&
  349. !lockdep_is_held(&devcgroup_mutex),
  350. "device_cgroup:verify_new_ex called without proper synchronization");
  351. if (dev_cgroup->behavior == DEVCG_DEFAULT_ALLOW) {
  352. if (behavior == DEVCG_DEFAULT_ALLOW) {
  353. /*
  354. * new exception in the child doesn't matter, only
  355. * adding extra restrictions
  356. */
  357. return true;
  358. } else {
  359. /*
  360. * new exception in the child will add more devices
  361. * that can be acessed, so it can't match any of
  362. * parent's exceptions, even slightly
  363. */
  364. match = match_exception_partial(&dev_cgroup->exceptions,
  365. refex->type,
  366. refex->major,
  367. refex->minor,
  368. refex->access);
  369. if (match)
  370. return false;
  371. return true;
  372. }
  373. } else {
  374. /*
  375. * Only behavior == DEVCG_DEFAULT_DENY allowed here, therefore
  376. * the new exception will add access to more devices and must
  377. * be contained completely in an parent's exception to be
  378. * allowed
  379. */
  380. match = match_exception(&dev_cgroup->exceptions, refex->type,
  381. refex->major, refex->minor,
  382. refex->access);
  383. if (match)
  384. /* parent has an exception that matches the proposed */
  385. return true;
  386. else
  387. return false;
  388. }
  389. return false;
  390. }
  391. /*
  392. * parent_has_perm:
  393. * when adding a new allow rule to a device exception list, the rule
  394. * must be allowed in the parent device
  395. */
  396. static int parent_has_perm(struct dev_cgroup *childcg,
  397. struct dev_exception_item *ex)
  398. {
  399. struct dev_cgroup *parent = css_to_devcgroup(childcg->css.parent);
  400. if (!parent)
  401. return 1;
  402. return verify_new_ex(parent, ex, childcg->behavior);
  403. }
  404. /**
  405. * parent_allows_removal - verify if it's ok to remove an exception
  406. * @childcg: child cgroup from where the exception will be removed
  407. * @ex: exception being removed
  408. *
  409. * When removing an exception in cgroups with default ALLOW policy, it must
  410. * be checked if removing it will give the child cgroup more access than the
  411. * parent.
  412. *
  413. * Return: true if it's ok to remove exception, false otherwise
  414. */
  415. static bool parent_allows_removal(struct dev_cgroup *childcg,
  416. struct dev_exception_item *ex)
  417. {
  418. struct dev_cgroup *parent = css_to_devcgroup(childcg->css.parent);
  419. if (!parent)
  420. return true;
  421. /* It's always allowed to remove access to devices */
  422. if (childcg->behavior == DEVCG_DEFAULT_DENY)
  423. return true;
  424. /*
  425. * Make sure you're not removing part or a whole exception existing in
  426. * the parent cgroup
  427. */
  428. return !match_exception_partial(&parent->exceptions, ex->type,
  429. ex->major, ex->minor, ex->access);
  430. }
  431. /**
  432. * may_allow_all - checks if it's possible to change the behavior to
  433. * allow based on parent's rules.
  434. * @parent: device cgroup's parent
  435. * returns: != 0 in case it's allowed, 0 otherwise
  436. */
  437. static inline int may_allow_all(struct dev_cgroup *parent)
  438. {
  439. if (!parent)
  440. return 1;
  441. return parent->behavior == DEVCG_DEFAULT_ALLOW;
  442. }
  443. /**
  444. * revalidate_active_exceptions - walks through the active exception list and
  445. * revalidates the exceptions based on parent's
  446. * behavior and exceptions. The exceptions that
  447. * are no longer valid will be removed.
  448. * Called with devcgroup_mutex held.
  449. * @devcg: cgroup which exceptions will be checked
  450. *
  451. * This is one of the three key functions for hierarchy implementation.
  452. * This function is responsible for re-evaluating all the cgroup's active
  453. * exceptions due to a parent's exception change.
  454. * Refer to Documentation/cgroups/devices.txt for more details.
  455. */
  456. static void revalidate_active_exceptions(struct dev_cgroup *devcg)
  457. {
  458. struct dev_exception_item *ex;
  459. struct list_head *this, *tmp;
  460. list_for_each_safe(this, tmp, &devcg->exceptions) {
  461. ex = container_of(this, struct dev_exception_item, list);
  462. if (!parent_has_perm(devcg, ex))
  463. dev_exception_rm(devcg, ex);
  464. }
  465. }
  466. /**
  467. * propagate_exception - propagates a new exception to the children
  468. * @devcg_root: device cgroup that added a new exception
  469. * @ex: new exception to be propagated
  470. *
  471. * returns: 0 in case of success, != 0 in case of error
  472. */
  473. static int propagate_exception(struct dev_cgroup *devcg_root,
  474. struct dev_exception_item *ex)
  475. {
  476. struct cgroup_subsys_state *pos;
  477. int rc = 0;
  478. rcu_read_lock();
  479. css_for_each_descendant_pre(pos, &devcg_root->css) {
  480. struct dev_cgroup *devcg = css_to_devcgroup(pos);
  481. /*
  482. * Because devcgroup_mutex is held, no devcg will become
  483. * online or offline during the tree walk (see on/offline
  484. * methods), and online ones are safe to access outside RCU
  485. * read lock without bumping refcnt.
  486. */
  487. if (pos == &devcg_root->css || !is_devcg_online(devcg))
  488. continue;
  489. rcu_read_unlock();
  490. /*
  491. * in case both root's behavior and devcg is allow, a new
  492. * restriction means adding to the exception list
  493. */
  494. if (devcg_root->behavior == DEVCG_DEFAULT_ALLOW &&
  495. devcg->behavior == DEVCG_DEFAULT_ALLOW) {
  496. rc = dev_exception_add(devcg, ex);
  497. if (rc)
  498. break;
  499. } else {
  500. /*
  501. * in the other possible cases:
  502. * root's behavior: allow, devcg's: deny
  503. * root's behavior: deny, devcg's: deny
  504. * the exception will be removed
  505. */
  506. dev_exception_rm(devcg, ex);
  507. }
  508. revalidate_active_exceptions(devcg);
  509. rcu_read_lock();
  510. }
  511. rcu_read_unlock();
  512. return rc;
  513. }
  514. /*
  515. * Modify the exception list using allow/deny rules.
  516. * CAP_SYS_ADMIN is needed for this. It's at least separate from CAP_MKNOD
  517. * so we can give a container CAP_MKNOD to let it create devices but not
  518. * modify the exception list.
  519. * It seems likely we'll want to add a CAP_CONTAINER capability to allow
  520. * us to also grant CAP_SYS_ADMIN to containers without giving away the
  521. * device exception list controls, but for now we'll stick with CAP_SYS_ADMIN
  522. *
  523. * Taking rules away is always allowed (given CAP_SYS_ADMIN). Granting
  524. * new access is only allowed if you're in the top-level cgroup, or your
  525. * parent cgroup has the access you're asking for.
  526. */
  527. static int devcgroup_update_access(struct dev_cgroup *devcgroup,
  528. int filetype, char *buffer)
  529. {
  530. const char *b;
  531. char temp[12]; /* 11 + 1 characters needed for a u32 */
  532. int count, rc = 0;
  533. struct dev_exception_item ex;
  534. struct dev_cgroup *parent = css_to_devcgroup(devcgroup->css.parent);
  535. if (!capable(CAP_SYS_ADMIN))
  536. return -EPERM;
  537. memset(&ex, 0, sizeof(ex));
  538. b = buffer;
  539. switch (*b) {
  540. case 'a':
  541. switch (filetype) {
  542. case DEVCG_ALLOW:
  543. if (css_has_online_children(&devcgroup->css))
  544. return -EINVAL;
  545. if (!may_allow_all(parent))
  546. return -EPERM;
  547. dev_exception_clean(devcgroup);
  548. devcgroup->behavior = DEVCG_DEFAULT_ALLOW;
  549. if (!parent)
  550. break;
  551. rc = dev_exceptions_copy(&devcgroup->exceptions,
  552. &parent->exceptions);
  553. if (rc)
  554. return rc;
  555. break;
  556. case DEVCG_DENY:
  557. if (css_has_online_children(&devcgroup->css))
  558. return -EINVAL;
  559. dev_exception_clean(devcgroup);
  560. devcgroup->behavior = DEVCG_DEFAULT_DENY;
  561. break;
  562. default:
  563. return -EINVAL;
  564. }
  565. return 0;
  566. case 'b':
  567. ex.type = DEV_BLOCK;
  568. break;
  569. case 'c':
  570. ex.type = DEV_CHAR;
  571. break;
  572. default:
  573. return -EINVAL;
  574. }
  575. b++;
  576. if (!isspace(*b))
  577. return -EINVAL;
  578. b++;
  579. if (*b == '*') {
  580. ex.major = ~0;
  581. b++;
  582. } else if (isdigit(*b)) {
  583. memset(temp, 0, sizeof(temp));
  584. for (count = 0; count < sizeof(temp) - 1; count++) {
  585. temp[count] = *b;
  586. b++;
  587. if (!isdigit(*b))
  588. break;
  589. }
  590. rc = kstrtou32(temp, 10, &ex.major);
  591. if (rc)
  592. return -EINVAL;
  593. } else {
  594. return -EINVAL;
  595. }
  596. if (*b != ':')
  597. return -EINVAL;
  598. b++;
  599. /* read minor */
  600. if (*b == '*') {
  601. ex.minor = ~0;
  602. b++;
  603. } else if (isdigit(*b)) {
  604. memset(temp, 0, sizeof(temp));
  605. for (count = 0; count < sizeof(temp) - 1; count++) {
  606. temp[count] = *b;
  607. b++;
  608. if (!isdigit(*b))
  609. break;
  610. }
  611. rc = kstrtou32(temp, 10, &ex.minor);
  612. if (rc)
  613. return -EINVAL;
  614. } else {
  615. return -EINVAL;
  616. }
  617. if (!isspace(*b))
  618. return -EINVAL;
  619. for (b++, count = 0; count < 3; count++, b++) {
  620. switch (*b) {
  621. case 'r':
  622. ex.access |= ACC_READ;
  623. break;
  624. case 'w':
  625. ex.access |= ACC_WRITE;
  626. break;
  627. case 'm':
  628. ex.access |= ACC_MKNOD;
  629. break;
  630. case '\n':
  631. case '\0':
  632. count = 3;
  633. break;
  634. default:
  635. return -EINVAL;
  636. }
  637. }
  638. switch (filetype) {
  639. case DEVCG_ALLOW:
  640. /*
  641. * If the default policy is to allow by default, try to remove
  642. * an matching exception instead. And be silent about it: we
  643. * don't want to break compatibility
  644. */
  645. if (devcgroup->behavior == DEVCG_DEFAULT_ALLOW) {
  646. /* Check if the parent allows removing it first */
  647. if (!parent_allows_removal(devcgroup, &ex))
  648. return -EPERM;
  649. dev_exception_rm(devcgroup, &ex);
  650. break;
  651. }
  652. if (!parent_has_perm(devcgroup, &ex))
  653. return -EPERM;
  654. rc = dev_exception_add(devcgroup, &ex);
  655. break;
  656. case DEVCG_DENY:
  657. /*
  658. * If the default policy is to deny by default, try to remove
  659. * an matching exception instead. And be silent about it: we
  660. * don't want to break compatibility
  661. */
  662. if (devcgroup->behavior == DEVCG_DEFAULT_DENY)
  663. dev_exception_rm(devcgroup, &ex);
  664. else
  665. rc = dev_exception_add(devcgroup, &ex);
  666. if (rc)
  667. break;
  668. /* we only propagate new restrictions */
  669. rc = propagate_exception(devcgroup, &ex);
  670. break;
  671. default:
  672. rc = -EINVAL;
  673. }
  674. return rc;
  675. }
  676. static ssize_t devcgroup_access_write(struct kernfs_open_file *of,
  677. char *buf, size_t nbytes, loff_t off)
  678. {
  679. int retval;
  680. mutex_lock(&devcgroup_mutex);
  681. retval = devcgroup_update_access(css_to_devcgroup(of_css(of)),
  682. of_cft(of)->private, strstrip(buf));
  683. mutex_unlock(&devcgroup_mutex);
  684. return retval ?: nbytes;
  685. }
  686. static struct cftype dev_cgroup_files[] = {
  687. {
  688. .name = "allow",
  689. .write = devcgroup_access_write,
  690. .private = DEVCG_ALLOW,
  691. },
  692. {
  693. .name = "deny",
  694. .write = devcgroup_access_write,
  695. .private = DEVCG_DENY,
  696. },
  697. {
  698. .name = "list",
  699. .seq_show = devcgroup_seq_show,
  700. .private = DEVCG_LIST,
  701. },
  702. { } /* terminate */
  703. };
  704. struct cgroup_subsys devices_cgrp_subsys = {
  705. .css_alloc = devcgroup_css_alloc,
  706. .css_free = devcgroup_css_free,
  707. .css_online = devcgroup_online,
  708. .css_offline = devcgroup_offline,
  709. .legacy_cftypes = dev_cgroup_files,
  710. };
  711. /**
  712. * __devcgroup_check_permission - checks if an inode operation is permitted
  713. * @dev_cgroup: the dev cgroup to be tested against
  714. * @type: device type
  715. * @major: device major number
  716. * @minor: device minor number
  717. * @access: combination of ACC_WRITE, ACC_READ and ACC_MKNOD
  718. *
  719. * returns 0 on success, -EPERM case the operation is not permitted
  720. */
  721. static int __devcgroup_check_permission(short type, u32 major, u32 minor,
  722. short access)
  723. {
  724. struct dev_cgroup *dev_cgroup;
  725. bool rc;
  726. rcu_read_lock();
  727. dev_cgroup = task_devcgroup(current);
  728. if (dev_cgroup->behavior == DEVCG_DEFAULT_ALLOW)
  729. /* Can't match any of the exceptions, even partially */
  730. rc = !match_exception_partial(&dev_cgroup->exceptions,
  731. type, major, minor, access);
  732. else
  733. /* Need to match completely one exception to be allowed */
  734. rc = match_exception(&dev_cgroup->exceptions, type, major,
  735. minor, access);
  736. rcu_read_unlock();
  737. if (!rc)
  738. return -EPERM;
  739. return 0;
  740. }
  741. int __devcgroup_inode_permission(struct inode *inode, int mask)
  742. {
  743. short type, access = 0;
  744. if (S_ISBLK(inode->i_mode))
  745. type = DEV_BLOCK;
  746. if (S_ISCHR(inode->i_mode))
  747. type = DEV_CHAR;
  748. if (mask & MAY_WRITE)
  749. access |= ACC_WRITE;
  750. if (mask & MAY_READ)
  751. access |= ACC_READ;
  752. return __devcgroup_check_permission(type, imajor(inode), iminor(inode),
  753. access);
  754. }
  755. int devcgroup_inode_mknod(int mode, dev_t dev)
  756. {
  757. short type;
  758. if (!S_ISBLK(mode) && !S_ISCHR(mode))
  759. return 0;
  760. if (S_ISBLK(mode))
  761. type = DEV_BLOCK;
  762. else
  763. type = DEV_CHAR;
  764. return __devcgroup_check_permission(type, MAJOR(dev), MINOR(dev),
  765. ACC_MKNOD);
  766. }