Serge E. Hallyn | 08ce5f1 | 2008-04-29 01:00:10 -0700 | [diff] [blame] | 1 | Device Whitelist Controller |
| 2 | |
| 3 | 1. Description: |
| 4 | |
| 5 | Implement a cgroup to track and enforce open and mknod restrictions |
| 6 | on device files. A device cgroup associates a device access |
| 7 | whitelist with each cgroup. A whitelist entry has 4 fields. |
| 8 | 'type' is a (all), c (char), or b (block). 'all' means it applies |
| 9 | to all types and all major and minor numbers. Major and minor are |
| 10 | either an integer or * for all. Access is a composition of r |
| 11 | (read), w (write), and m (mknod). |
| 12 | |
| 13 | The root device cgroup starts with rwm to 'all'. A child device |
| 14 | cgroup gets a copy of the parent. Administrators can then remove |
| 15 | devices from the whitelist or add new entries. A child cgroup can |
Li Zefan | d823f6b | 2008-07-04 10:00:07 -0700 | [diff] [blame] | 16 | never receive a device access which is denied by its parent. However |
Serge E. Hallyn | 08ce5f1 | 2008-04-29 01:00:10 -0700 | [diff] [blame] | 17 | when a device access is removed from a parent it will not also be |
| 18 | removed from the child(ren). |
| 19 | |
| 20 | 2. User Interface |
| 21 | |
| 22 | An entry is added using devices.allow, and removed using |
| 23 | devices.deny. For instance |
| 24 | |
| 25 | echo 'c 1:3 mr' > /cgroups/1/devices.allow |
| 26 | |
| 27 | allows cgroup 1 to read and mknod the device usually known as |
| 28 | /dev/null. Doing |
| 29 | |
| 30 | echo a > /cgroups/1/devices.deny |
| 31 | |
Li Zefan | d823f6b | 2008-07-04 10:00:07 -0700 | [diff] [blame] | 32 | will remove the default 'a *:* rwm' entry. Doing |
| 33 | |
| 34 | echo a > /cgroups/1/devices.allow |
| 35 | |
| 36 | will add the 'a *:* rwm' entry to the whitelist. |
Serge E. Hallyn | 08ce5f1 | 2008-04-29 01:00:10 -0700 | [diff] [blame] | 37 | |
| 38 | 3. Security |
| 39 | |
| 40 | Any task can move itself between cgroups. This clearly won't |
| 41 | suffice, but we can decide the best way to adequately restrict |
| 42 | movement as people get some experience with this. We may just want |
| 43 | to require CAP_SYS_ADMIN, which at least is a separate bit from |
| 44 | CAP_MKNOD. We may want to just refuse moving to a cgroup which |
Chris Samuel | caa790b | 2009-01-17 00:01:18 +1100 | [diff] [blame] | 45 | isn't a descendant of the current one. Or we may want to use |
Serge E. Hallyn | 08ce5f1 | 2008-04-29 01:00:10 -0700 | [diff] [blame] | 46 | CAP_MAC_ADMIN, since we really are trying to lock down root. |
| 47 | |
| 48 | CAP_SYS_ADMIN is needed to modify the whitelist or move another |
| 49 | task to a new cgroup. (Again we'll probably want to change that). |
| 50 | |
| 51 | A cgroup may not be granted more permissions than the cgroup's |
| 52 | parent has. |