Device Whitelist Controller

1. Description:

Implement a cgroup to track and enforce open and mknod restrictions
on device files. A device cgroup associates a device access
whitelist with each cgroup. A whitelist entry has 4 fields.
'type' is a (all), c (char), or b (block). 'all' means it applies
to all types and all major and minor numbers. Major and minor are
either an integer or * for all. Access is a composition of r
(read), w (write), and m (mknod).

The root device cgroup starts with rwm to 'all'. A child device
cgroup gets a copy of the parent. Administrators can then remove
devices from the whitelist or add new entries. A child cgroup can
never receive a device access which is denied by its parent. However,
when a device access is removed from a parent it will not also be
removed from the child(ren).

2. User Interface

An entry is added using devices.allow, and removed using
devices.deny. For instance,

	echo 'c 1:3 mr' > /cgroups/1/devices.allow

allows cgroup 1 to read and mknod the device usually known as
/dev/null. Doing

	echo a > /cgroups/1/devices.deny

will remove the default 'a *:* rwm' entry. Doing

	echo a > /cgroups/1/devices.allow

will add the 'a *:* rwm' entry to the whitelist.

3. Security

Any task can move itself between cgroups. This clearly won't
suffice, but we can decide the best way to adequately restrict
movement as people get some experience with this. We may just want
to require CAP_SYS_ADMIN, which at least is a separate bit from
CAP_MKNOD. We may want to just refuse moving to a cgroup which
isn't a descendant of the current one. Or we may want to use
CAP_MAC_ADMIN, since we really are trying to lock down root.

CAP_SYS_ADMIN is needed to modify the whitelist or move another
task to a new cgroup. (Again, we'll probably want to change that.)

A cgroup may not be granted more permissions than the cgroup's
parent has.
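To make the rules above concrete, here is a small model of the whitelist semantics as this document states them (an added example, not the kernel's devcgroup code): entries are parsed in the devices.allow format, a child starts as a copy of its parent, devices.allow is refused when the parent does not itself grant the access, and devices.deny strips access bits without touching children that already copied the entry. Matching details beyond what the text spells out (a single entry must cover the whole requested access; a deny rule matches entries its type and major:minor pattern cover) are assumptions of this model.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Entry:
    type: str          # 'a' (all), 'c' (char) or 'b' (block)
    major: object      # int, or None standing for '*'
    minor: object
    access: frozenset  # subset of {'r', 'w', 'm'}

def parse_entry(text):
    """Parse 'c 1:3 mr'; the shorthand 'a' means 'a *:* rwm'."""
    parts = text.split() if text.strip() != "a" else ["a", "*:*", "rwm"]
    kind, dev, acc = parts
    if kind not in ("a", "c", "b") or not set(acc) <= set("rwm"):
        raise ValueError("bad whitelist entry: %r" % text)
    major, minor = (None if s == "*" else int(s) for s in dev.split(":"))
    return Entry(kind, major, minor, frozenset(acc))

def covers(rule, dev):
    """True if rule's type and major:minor pattern match dev (access ignored)."""
    return (rule.type in ("a", dev.type) and rule.major in (None, dev.major)
            and rule.minor in (None, dev.minor))

class DeviceCgroup:
    def __init__(self, parent=None):
        self.parent = parent  # root starts with 'a *:* rwm'; a child copies its parent
        self.whitelist = list(parent.whitelist) if parent else [parse_entry("a")]

    def grants(self, want):
        """Does a single entry match the device and hold every requested bit?"""
        return any(covers(e, want) and want.access <= e.access for e in self.whitelist)

    def permitted(self, kind, major, minor, access):
        """Would an open/mknod needing `access` on this device be allowed?"""
        return self.grants(Entry(kind, major, minor, frozenset(access)))

    def allow(self, text):
        """devices.allow: refused unless the parent itself grants the access."""
        new = parse_entry(text)
        ok = self.parent is None or self.parent.grants(new)
        if ok:
            self.whitelist.append(new)
        return ok

    def deny(self, text):
        """devices.deny: strip access bits from matching entries; children keep theirs."""
        d = parse_entry(text)
        kept = [replace(e, access=e.access - d.access) if covers(d, e) else e
                for e in self.whitelist]
        self.whitelist = [e for e in kept if e.access]
```

Walking the document's own sequence (deny 'a', then allow 'c 1:3 mr') on a child of the root shows /dev/null becoming readable and mknod-able but not writable, and a grandchild being refused 'c 1:3 w' because its parent never held write.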