Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

devcgroup: fix odd behaviour when writing 'a' to devices.allow

# cat /devcg/devices.list
a *:* rwm
# echo a > devices.allow
# cat /devcg/devices.list
a *:* rwm
a 0:0 rwm

This is odd and maybe confusing. With this patch, writing 'a' to
devices.allow will add 'a *:* rwm' to the whitelist.

Also a few fixes and updates to the document.

Signed-off-by: Li Zefan <lizf@cn.fujitsu.com>
Cc: Pavel Emelyanov <xemul@openvz.org>
Cc: Serge E. Hallyn <serue@us.ibm.com>
Cc: Paul Menage <menage@google.com>
Cc: Balbir Singh <balbir@in.ibm.com>
Cc: James Morris <jmorris@namei.org>
Cc: Chris Wright <chrisw@sous-sol.org>
Cc: Stephen Smalley <sds@tycho.nsa.gov>
Cc: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

authored by

Li Zefan and committed by
Linus Torvalds
d823f6bf 26ff8c69

+8 -2
+6 -2
Documentation/controllers/devices.txt
··· 13 13 The root device cgroup starts with rwm to 'all'. A child device 14 14 cgroup gets a copy of the parent. Administrators can then remove 15 15 devices from the whitelist or add new entries. A child cgroup can 16 - never receive a device access which is denied its parent. However 16 + never receive a device access which is denied by its parent. However 17 17 when a device access is removed from a parent it will not also be 18 18 removed from the child(ren). 19 19 ··· 29 29 30 30 echo a > /cgroups/1/devices.deny 31 31 32 - will remove the default 'a *:* mrw' entry. 32 + will remove the default 'a *:* rwm' entry. Doing 33 + 34 + echo a > /cgroups/1/devices.allow 35 + 36 + will add the 'a *:* rwm' entry to the whitelist. 33 37 34 38 3. Security 35 39
+2
security/device_cgroup.c
··· 382 382 case 'a': 383 383 wh.type = DEV_ALL; 384 384 wh.access = ACC_MASK; 385 + wh.major = ~0; 386 + wh.minor = ~0; 385 387 goto handle; 386 388 case 'b': 387 389 wh.type = DEV_BLOCK;
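Review bot: In Documentation/controllers/devices.txt, the sentence added after `echo a > /cgroups/1/devices.allow` says the 'a *:* rwm' entry is added to the whitelist, but it does not say how that interacts with the rule in the paragraph above that a child cgroup can never receive a device access which is denied by its parent. This write requests the widest possible access, so the text should state what happens when the parent's whitelist is narrower (refused, or something else). The '3. Security' section that follows would be a natural place for it.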
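Review bot: In security/device_cgroup.c, the two lines added to case 'a' assign a bare `~0` to wh.major and wh.minor, with nothing to say that this value stands for the '*' wildcard printed in devices.list. A named constant or a one-line comment would make that explicit. Separately, the changelog shows output only for a write to devices.allow. If case 'a' is also reached for writes to devices.deny, please confirm that `echo a > devices.deny` still removes the 'a *:* rwm' entry as the documentation hunk describes, since major and minor for that path change here too.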