device_cgroup.c 22 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270
3704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877
  1. // SPDX-License-Identifier: GPL-2.0
  2. /*
  3. * device_cgroup.c - device cgroup subsystem
  4. *
  5. * Copyright 2007 IBM Corp
  6. */
  7. #include <linux/bpf-cgroup.h>
  8. #include <linux/device_cgroup.h>
  9. #include <linux/cgroup.h>
  10. #include <linux/ctype.h>
  11. #include <linux/list.h>
  12. #include <linux/uaccess.h>
  13. #include <linux/seq_file.h>
  14. #include <linux/slab.h>
  15. #include <linux/rcupdate.h>
  16. #include <linux/mutex.h>
  17. #ifdef CONFIG_CGROUP_DEVICE
  /*
   * Serializes updates to every device cgroup's behavior and exception list;
   * see the exception list locking rules for how readers interact with it.
   */
  static DEFINE_MUTEX(devcgroup_mutex);
  /*
   * Default policy of a device cgroup. The exception list is interpreted
   * relative to it: with DEVCG_DEFAULT_ALLOW the exceptions are denials, with
   * DEVCG_DEFAULT_DENY they are grants. DEVCG_DEFAULT_NONE marks a cgroup
   * that is not online.
   */
  enum devcg_behavior {
      DEVCG_DEFAULT_NONE,
      DEVCG_DEFAULT_ALLOW,
      DEVCG_DEFAULT_DENY,
  };
  24. /*
  25. * exception list locking rules:
  26. * hold devcgroup_mutex for update/read.
  27. * hold rcu_read_lock() for read.
  28. */
  29. struct dev_exception_item {
  30. u32 major, minor;
  31. short type;
  32. short access;
  33. struct list_head list;
  34. struct rcu_head rcu;
  35. };
  36. struct dev_cgroup {
  37. struct cgroup_subsys_state css;
  38. struct list_head exceptions;
  39. enum devcg_behavior behavior;
  40. };
  41. static inline struct dev_cgroup *css_to_devcgroup(struct cgroup_subsys_state *s)
  42. {
  43. return s ? container_of(s, struct dev_cgroup, css) : NULL;
  44. }
  45. static inline struct dev_cgroup *task_devcgroup(struct task_struct *task)
  46. {
  47. return css_to_devcgroup(task_css(task, devices_cgrp_id));
  48. }
  49. /*
  50. * called under devcgroup_mutex
  51. */
  52. static int dev_exceptions_copy(struct list_head *dest, struct list_head *orig)
  53. {
  54. struct dev_exception_item *ex, *tmp, *new;
  55. lockdep_assert_held(&devcgroup_mutex);
  56. list_for_each_entry(ex, orig, list) {
  57. new = kmemdup(ex, sizeof(*ex), GFP_KERNEL);
  58. if (!new)
  59. goto free_and_exit;
  60. list_add_tail(&new->list, dest);
  61. }
  62. return 0;
  63. free_and_exit:
  64. list_for_each_entry_safe(ex, tmp, dest, list) {
  65. list_del(&ex->list);
  66. kfree(ex);
  67. }
  68. return -ENOMEM;
  69. }
  70. static void dev_exceptions_move(struct list_head *dest, struct list_head *orig)
  71. {
  72. struct dev_exception_item *ex, *tmp;
  73. lockdep_assert_held(&devcgroup_mutex);
  74. list_for_each_entry_safe(ex, tmp, orig, list) {
  75. list_move_tail(&ex->list, dest);
  76. }
  77. }
  78. /*
  79. * called under devcgroup_mutex
  80. */
  81. static int dev_exception_add(struct dev_cgroup *dev_cgroup,
  82. struct dev_exception_item *ex)
  83. {
  84. struct dev_exception_item *excopy, *walk;
  85. lockdep_assert_held(&devcgroup_mutex);
  86. excopy = kmemdup(ex, sizeof(*ex), GFP_KERNEL);
  87. if (!excopy)
  88. return -ENOMEM;
  89. list_for_each_entry(walk, &dev_cgroup->exceptions, list) {
  90. if (walk->type != ex->type)
  91. continue;
  92. if (walk->major != ex->major)
  93. continue;
  94. if (walk->minor != ex->minor)
  95. continue;
  96. walk->access |= ex->access;
  97. kfree(excopy);
  98. excopy = NULL;
  99. }
  100. if (excopy != NULL)
  101. list_add_tail_rcu(&excopy->list, &dev_cgroup->exceptions);
  102. return 0;
  103. }
  104. /*
  105. * called under devcgroup_mutex
  106. */
  107. static void dev_exception_rm(struct dev_cgroup *dev_cgroup,
  108. struct dev_exception_item *ex)
  109. {
  110. struct dev_exception_item *walk, *tmp;
  111. lockdep_assert_held(&devcgroup_mutex);
  112. list_for_each_entry_safe(walk, tmp, &dev_cgroup->exceptions, list) {
  113. if (walk->type != ex->type)
  114. continue;
  115. if (walk->major != ex->major)
  116. continue;
  117. if (walk->minor != ex->minor)
  118. continue;
  119. walk->access &= ~ex->access;
  120. if (!walk->access) {
  121. list_del_rcu(&walk->list);
  122. kfree_rcu(walk, rcu);
  123. }
  124. }
  125. }
  126. static void __dev_exception_clean(struct dev_cgroup *dev_cgroup)
  127. {
  128. struct dev_exception_item *ex, *tmp;
  129. list_for_each_entry_safe(ex, tmp, &dev_cgroup->exceptions, list) {
  130. list_del_rcu(&ex->list);
  131. kfree_rcu(ex, rcu);
  132. }
  133. }
  134. /**
  135. * dev_exception_clean - frees all entries of the exception list
  136. * @dev_cgroup: dev_cgroup with the exception list to be cleaned
  137. *
  138. * called under devcgroup_mutex
  139. */
  140. static void dev_exception_clean(struct dev_cgroup *dev_cgroup)
  141. {
  142. lockdep_assert_held(&devcgroup_mutex);
  143. __dev_exception_clean(dev_cgroup);
  144. }
  145. static inline bool is_devcg_online(const struct dev_cgroup *devcg)
  146. {
  147. return (devcg->behavior != DEVCG_DEFAULT_NONE);
  148. }
  149. /**
  150. * devcgroup_online - initializes devcgroup's behavior and exceptions based on
  151. * parent's
  152. * @css: css getting online
  153. * returns 0 in case of success, error code otherwise
  154. */
  155. static int devcgroup_online(struct cgroup_subsys_state *css)
  156. {
  157. struct dev_cgroup *dev_cgroup = css_to_devcgroup(css);
  158. struct dev_cgroup *parent_dev_cgroup = css_to_devcgroup(css->parent);
  159. int ret = 0;
  160. mutex_lock(&devcgroup_mutex);
  161. if (parent_dev_cgroup == NULL)
  162. dev_cgroup->behavior = DEVCG_DEFAULT_ALLOW;
  163. else {
  164. ret = dev_exceptions_copy(&dev_cgroup->exceptions,
  165. &parent_dev_cgroup->exceptions);
  166. if (!ret)
  167. dev_cgroup->behavior = parent_dev_cgroup->behavior;
  168. }
  169. mutex_unlock(&devcgroup_mutex);
  170. return ret;
  171. }
  172. static void devcgroup_offline(struct cgroup_subsys_state *css)
  173. {
  174. struct dev_cgroup *dev_cgroup = css_to_devcgroup(css);
  175. mutex_lock(&devcgroup_mutex);
  176. dev_cgroup->behavior = DEVCG_DEFAULT_NONE;
  177. mutex_unlock(&devcgroup_mutex);
  178. }
  179. /*
  180. * called from kernel/cgroup.c with cgroup_lock() held.
  181. */
  182. static struct cgroup_subsys_state *
  183. devcgroup_css_alloc(struct cgroup_subsys_state *parent_css)
  184. {
  185. struct dev_cgroup *dev_cgroup;
  186. dev_cgroup = kzalloc(sizeof(*dev_cgroup), GFP_KERNEL);
  187. if (!dev_cgroup)
  188. return ERR_PTR(-ENOMEM);
  189. INIT_LIST_HEAD(&dev_cgroup->exceptions);
  190. dev_cgroup->behavior = DEVCG_DEFAULT_NONE;
  191. return &dev_cgroup->css;
  192. }
  /* Release a device cgroup: drop its remaining exceptions, then free it. */
  static void devcgroup_css_free(struct cgroup_subsys_state *css)
  {
      struct dev_cgroup *devcg = css_to_devcgroup(css);

      __dev_exception_clean(devcg);
      kfree(devcg);
  }
  /* Identifies which control file ("allow", "deny" or "list") is accessed. */
  #define DEVCG_ALLOW 1
  #define DEVCG_DENY 2
  #define DEVCG_LIST 3

  /* Buffer sizes used when formatting a rule for the "list" file. */
  #define MAJMINLEN 13    /* one major or minor field */
  #define ACCLEN 4        /* up to three access letters plus the terminator */
  204. static void set_access(char *acc, short access)
  205. {
  206. int idx = 0;
  207. memset(acc, 0, ACCLEN);
  208. if (access & DEVCG_ACC_READ)
  209. acc[idx++] = 'r';
  210. if (access & DEVCG_ACC_WRITE)
  211. acc[idx++] = 'w';
  212. if (access & DEVCG_ACC_MKNOD)
  213. acc[idx++] = 'm';
  214. }
  215. static char type_to_char(short type)
  216. {
  217. if (type == DEVCG_DEV_ALL)
  218. return 'a';
  219. if (type == DEVCG_DEV_CHAR)
  220. return 'c';
  221. if (type == DEVCG_DEV_BLOCK)
  222. return 'b';
  223. return 'X';
  224. }
  /*
   * Format a major or minor number into @str: the wildcard value ~0 becomes
   * "*", anything else is printed as an unsigned decimal. @str must be large
   * enough for the result (callers in this file pass MAJMINLEN bytes).
   */
  static void set_majmin(char *str, unsigned m)
  {
      if (m != ~0) {
          sprintf(str, "%u", m);
          return;
      }

      strcpy(str, "*");
  }
  232. static int devcgroup_seq_show(struct seq_file *m, void *v)
  233. {
  234. struct dev_cgroup *devcgroup = css_to_devcgroup(seq_css(m));
  235. struct dev_exception_item *ex;
  236. char maj[MAJMINLEN], min[MAJMINLEN], acc[ACCLEN];
  237. rcu_read_lock();
  238. /*
  239. * To preserve the compatibility:
  240. * - Only show the "all devices" when the default policy is to allow
  241. * - List the exceptions in case the default policy is to deny
  242. * This way, the file remains as a "whitelist of devices"
  243. */
  244. if (devcgroup->behavior == DEVCG_DEFAULT_ALLOW) {
  245. set_access(acc, DEVCG_ACC_MASK);
  246. set_majmin(maj, ~0);
  247. set_majmin(min, ~0);
  248. seq_printf(m, "%c %s:%s %s\n", type_to_char(DEVCG_DEV_ALL),
  249. maj, min, acc);
  250. } else {
  251. list_for_each_entry_rcu(ex, &devcgroup->exceptions, list) {
  252. set_access(acc, ex->access);
  253. set_majmin(maj, ex->major);
  254. set_majmin(min, ex->minor);
  255. seq_printf(m, "%c %s:%s %s\n", type_to_char(ex->type),
  256. maj, min, acc);
  257. }
  258. }
  259. rcu_read_unlock();
  260. return 0;
  261. }
  262. /**
  263. * match_exception - iterates the exception list trying to find a complete match
  264. * @exceptions: list of exceptions
  265. * @type: device type (DEVCG_DEV_BLOCK or DEVCG_DEV_CHAR)
  266. * @major: device file major number, ~0 to match all
  267. * @minor: device file minor number, ~0 to match all
  268. * @access: permission mask (DEVCG_ACC_READ, DEVCG_ACC_WRITE, DEVCG_ACC_MKNOD)
  269. *
  270. * It is considered a complete match if an exception is found that will
  271. * contain the entire range of provided parameters.
  272. *
  273. * Return: true in case it matches an exception completely
  274. */
  275. static bool match_exception(struct list_head *exceptions, short type,
  276. u32 major, u32 minor, short access)
  277. {
  278. struct dev_exception_item *ex;
  279. list_for_each_entry_rcu(ex, exceptions, list) {
  280. if ((type & DEVCG_DEV_BLOCK) && !(ex->type & DEVCG_DEV_BLOCK))
  281. continue;
  282. if ((type & DEVCG_DEV_CHAR) && !(ex->type & DEVCG_DEV_CHAR))
  283. continue;
  284. if (ex->major != ~0 && ex->major != major)
  285. continue;
  286. if (ex->minor != ~0 && ex->minor != minor)
  287. continue;
  288. /* provided access cannot have more than the exception rule */
  289. if (access & (~ex->access))
  290. continue;
  291. return true;
  292. }
  293. return false;
  294. }
  295. /**
  296. * match_exception_partial - iterates the exception list trying to find a partial match
  297. * @exceptions: list of exceptions
  298. * @type: device type (DEVCG_DEV_BLOCK or DEVCG_DEV_CHAR)
  299. * @major: device file major number, ~0 to match all
  300. * @minor: device file minor number, ~0 to match all
  301. * @access: permission mask (DEVCG_ACC_READ, DEVCG_ACC_WRITE, DEVCG_ACC_MKNOD)
  302. *
  303. * It is considered a partial match if an exception's range is found to
  304. * contain *any* of the devices specified by provided parameters. This is
  305. * used to make sure no extra access is being granted that is forbidden by
  306. * any of the exception list.
  307. *
  308. * Return: true in case the provided range mat matches an exception completely
  309. */
  310. static bool match_exception_partial(struct list_head *exceptions, short type,
  311. u32 major, u32 minor, short access)
  312. {
  313. struct dev_exception_item *ex;
  314. list_for_each_entry_rcu(ex, exceptions, list,
  315. lockdep_is_held(&devcgroup_mutex)) {
  316. if ((type & DEVCG_DEV_BLOCK) && !(ex->type & DEVCG_DEV_BLOCK))
  317. continue;
  318. if ((type & DEVCG_DEV_CHAR) && !(ex->type & DEVCG_DEV_CHAR))
  319. continue;
  320. /*
  321. * We must be sure that both the exception and the provided
  322. * range aren't masking all devices
  323. */
  324. if (ex->major != ~0 && major != ~0 && ex->major != major)
  325. continue;
  326. if (ex->minor != ~0 && minor != ~0 && ex->minor != minor)
  327. continue;
  328. /*
  329. * In order to make sure the provided range isn't matching
  330. * an exception, all its access bits shouldn't match the
  331. * exception's access bits
  332. */
  333. if (!(access & ex->access))
  334. continue;
  335. return true;
  336. }
  337. return false;
  338. }
  339. /**
  340. * verify_new_ex - verifies if a new exception is allowed by parent cgroup's permissions
  341. * @dev_cgroup: dev cgroup to be tested against
  342. * @refex: new exception
  343. * @behavior: behavior of the exception's dev_cgroup
  344. *
  345. * This is used to make sure a child cgroup won't have more privileges
  346. * than its parent
  347. */
  348. static bool verify_new_ex(struct dev_cgroup *dev_cgroup,
  349. struct dev_exception_item *refex,
  350. enum devcg_behavior behavior)
  351. {
  352. bool match = false;
  353. RCU_LOCKDEP_WARN(!rcu_read_lock_held() &&
  354. !lockdep_is_held(&devcgroup_mutex),
  355. "device_cgroup:verify_new_ex called without proper synchronization");
  356. if (dev_cgroup->behavior == DEVCG_DEFAULT_ALLOW) {
  357. if (behavior == DEVCG_DEFAULT_ALLOW) {
  358. /*
  359. * new exception in the child doesn't matter, only
  360. * adding extra restrictions
  361. */
  362. return true;
  363. } else {
  364. /*
  365. * new exception in the child will add more devices
  366. * that can be acessed, so it can't match any of
  367. * parent's exceptions, even slightly
  368. */
  369. match = match_exception_partial(&dev_cgroup->exceptions,
  370. refex->type,
  371. refex->major,
  372. refex->minor,
  373. refex->access);
  374. if (match)
  375. return false;
  376. return true;
  377. }
  378. } else {
  379. /*
  380. * Only behavior == DEVCG_DEFAULT_DENY allowed here, therefore
  381. * the new exception will add access to more devices and must
  382. * be contained completely in an parent's exception to be
  383. * allowed
  384. */
  385. match = match_exception(&dev_cgroup->exceptions, refex->type,
  386. refex->major, refex->minor,
  387. refex->access);
  388. if (match)
  389. /* parent has an exception that matches the proposed */
  390. return true;
  391. else
  392. return false;
  393. }
  394. return false;
  395. }
  396. /*
  397. * parent_has_perm:
  398. * when adding a new allow rule to a device exception list, the rule
  399. * must be allowed in the parent device
  400. */
  401. static int parent_has_perm(struct dev_cgroup *childcg,
  402. struct dev_exception_item *ex)
  403. {
  404. struct dev_cgroup *parent = css_to_devcgroup(childcg->css.parent);
  405. if (!parent)
  406. return 1;
  407. return verify_new_ex(parent, ex, childcg->behavior);
  408. }
  409. /**
  410. * parent_allows_removal - verify if it's ok to remove an exception
  411. * @childcg: child cgroup from where the exception will be removed
  412. * @ex: exception being removed
  413. *
  414. * When removing an exception in cgroups with default ALLOW policy, it must
  415. * be checked if removing it will give the child cgroup more access than the
  416. * parent.
  417. *
  418. * Return: true if it's ok to remove exception, false otherwise
  419. */
  420. static bool parent_allows_removal(struct dev_cgroup *childcg,
  421. struct dev_exception_item *ex)
  422. {
  423. struct dev_cgroup *parent = css_to_devcgroup(childcg->css.parent);
  424. if (!parent)
  425. return true;
  426. /* It's always allowed to remove access to devices */
  427. if (childcg->behavior == DEVCG_DEFAULT_DENY)
  428. return true;
  429. /*
  430. * Make sure you're not removing part or a whole exception existing in
  431. * the parent cgroup
  432. */
  433. return !match_exception_partial(&parent->exceptions, ex->type,
  434. ex->major, ex->minor, ex->access);
  435. }
  436. /**
  437. * may_allow_all - checks if it's possible to change the behavior to
  438. * allow based on parent's rules.
  439. * @parent: device cgroup's parent
  440. * returns: != 0 in case it's allowed, 0 otherwise
  441. */
  442. static inline int may_allow_all(struct dev_cgroup *parent)
  443. {
  444. if (!parent)
  445. return 1;
  446. return parent->behavior == DEVCG_DEFAULT_ALLOW;
  447. }
  448. /**
  449. * revalidate_active_exceptions - walks through the active exception list and
  450. * revalidates the exceptions based on parent's
  451. * behavior and exceptions. The exceptions that
  452. * are no longer valid will be removed.
  453. * Called with devcgroup_mutex held.
  454. * @devcg: cgroup which exceptions will be checked
  455. *
  456. * This is one of the three key functions for hierarchy implementation.
  457. * This function is responsible for re-evaluating all the cgroup's active
  458. * exceptions due to a parent's exception change.
  459. * Refer to Documentation/admin-guide/cgroup-v1/devices.rst for more details.
  460. */
  461. static void revalidate_active_exceptions(struct dev_cgroup *devcg)
  462. {
  463. struct dev_exception_item *ex;
  464. struct list_head *this, *tmp;
  465. list_for_each_safe(this, tmp, &devcg->exceptions) {
  466. ex = container_of(this, struct dev_exception_item, list);
  467. if (!parent_has_perm(devcg, ex))
  468. dev_exception_rm(devcg, ex);
  469. }
  470. }
  471. /**
  472. * propagate_exception - propagates a new exception to the children
  473. * @devcg_root: device cgroup that added a new exception
  474. * @ex: new exception to be propagated
  475. *
  476. * returns: 0 in case of success, != 0 in case of error
  477. */
  478. static int propagate_exception(struct dev_cgroup *devcg_root,
  479. struct dev_exception_item *ex)
  480. {
  481. struct cgroup_subsys_state *pos;
  482. int rc = 0;
  483. rcu_read_lock();
  484. css_for_each_descendant_pre(pos, &devcg_root->css) {
  485. struct dev_cgroup *devcg = css_to_devcgroup(pos);
  486. /*
  487. * Because devcgroup_mutex is held, no devcg will become
  488. * online or offline during the tree walk (see on/offline
  489. * methods), and online ones are safe to access outside RCU
  490. * read lock without bumping refcnt.
  491. */
  492. if (pos == &devcg_root->css || !is_devcg_online(devcg))
  493. continue;
  494. rcu_read_unlock();
  495. /*
  496. * in case both root's behavior and devcg is allow, a new
  497. * restriction means adding to the exception list
  498. */
  499. if (devcg_root->behavior == DEVCG_DEFAULT_ALLOW &&
  500. devcg->behavior == DEVCG_DEFAULT_ALLOW) {
  501. rc = dev_exception_add(devcg, ex);
  502. if (rc)
  503. return rc;
  504. } else {
  505. /*
  506. * in the other possible cases:
  507. * root's behavior: allow, devcg's: deny
  508. * root's behavior: deny, devcg's: deny
  509. * the exception will be removed
  510. */
  511. dev_exception_rm(devcg, ex);
  512. }
  513. revalidate_active_exceptions(devcg);
  514. rcu_read_lock();
  515. }
  516. rcu_read_unlock();
  517. return rc;
  518. }
  519. /*
  520. * Modify the exception list using allow/deny rules.
  521. * CAP_SYS_ADMIN is needed for this. It's at least separate from CAP_MKNOD
  522. * so we can give a container CAP_MKNOD to let it create devices but not
  523. * modify the exception list.
  524. * It seems likely we'll want to add a CAP_CONTAINER capability to allow
  525. * us to also grant CAP_SYS_ADMIN to containers without giving away the
  526. * device exception list controls, but for now we'll stick with CAP_SYS_ADMIN
  527. *
  528. * Taking rules away is always allowed (given CAP_SYS_ADMIN). Granting
  529. * new access is only allowed if you're in the top-level cgroup, or your
  530. * parent cgroup has the access you're asking for.
  531. */
  532. static int devcgroup_update_access(struct dev_cgroup *devcgroup,
  533. int filetype, char *buffer)
  534. {
  535. const char *b;
  536. char temp[12]; /* 11 + 1 characters needed for a u32 */
  537. int count, rc = 0;
  538. struct dev_exception_item ex;
  539. struct dev_cgroup *parent = css_to_devcgroup(devcgroup->css.parent);
  540. struct dev_cgroup tmp_devcgrp;
  541. if (!capable(CAP_SYS_ADMIN))
  542. return -EPERM;
  543. memset(&ex, 0, sizeof(ex));
  544. memset(&tmp_devcgrp, 0, sizeof(tmp_devcgrp));
  545. b = buffer;
  546. switch (*b) {
  547. case 'a':
  548. switch (filetype) {
  549. case DEVCG_ALLOW:
  550. if (css_has_online_children(&devcgroup->css))
  551. return -EINVAL;
  552. if (!may_allow_all(parent))
  553. return -EPERM;
  554. if (!parent) {
  555. devcgroup->behavior = DEVCG_DEFAULT_ALLOW;
  556. dev_exception_clean(devcgroup);
  557. break;
  558. }
  559. INIT_LIST_HEAD(&tmp_devcgrp.exceptions);
  560. rc = dev_exceptions_copy(&tmp_devcgrp.exceptions,
  561. &devcgroup->exceptions);
  562. if (rc)
  563. return rc;
  564. dev_exception_clean(devcgroup);
  565. rc = dev_exceptions_copy(&devcgroup->exceptions,
  566. &parent->exceptions);
  567. if (rc) {
  568. dev_exceptions_move(&devcgroup->exceptions,
  569. &tmp_devcgrp.exceptions);
  570. return rc;
  571. }
  572. devcgroup->behavior = DEVCG_DEFAULT_ALLOW;
  573. dev_exception_clean(&tmp_devcgrp);
  574. break;
  575. case DEVCG_DENY:
  576. if (css_has_online_children(&devcgroup->css))
  577. return -EINVAL;
  578. dev_exception_clean(devcgroup);
  579. devcgroup->behavior = DEVCG_DEFAULT_DENY;
  580. break;
  581. default:
  582. return -EINVAL;
  583. }
  584. return 0;
  585. case 'b':
  586. ex.type = DEVCG_DEV_BLOCK;
  587. break;
  588. case 'c':
  589. ex.type = DEVCG_DEV_CHAR;
  590. break;
  591. default:
  592. return -EINVAL;
  593. }
  594. b++;
  595. if (!isspace(*b))
  596. return -EINVAL;
  597. b++;
  598. if (*b == '*') {
  599. ex.major = ~0;
  600. b++;
  601. } else if (isdigit(*b)) {
  602. memset(temp, 0, sizeof(temp));
  603. for (count = 0; count < sizeof(temp) - 1; count++) {
  604. temp[count] = *b;
  605. b++;
  606. if (!isdigit(*b))
  607. break;
  608. }
  609. rc = kstrtou32(temp, 10, &ex.major);
  610. if (rc)
  611. return -EINVAL;
  612. } else {
  613. return -EINVAL;
  614. }
  615. if (*b != ':')
  616. return -EINVAL;
  617. b++;
  618. /* read minor */
  619. if (*b == '*') {
  620. ex.minor = ~0;
  621. b++;
  622. } else if (isdigit(*b)) {
  623. memset(temp, 0, sizeof(temp));
  624. for (count = 0; count < sizeof(temp) - 1; count++) {
  625. temp[count] = *b;
  626. b++;
  627. if (!isdigit(*b))
  628. break;
  629. }
  630. rc = kstrtou32(temp, 10, &ex.minor);
  631. if (rc)
  632. return -EINVAL;
  633. } else {
  634. return -EINVAL;
  635. }
  636. if (!isspace(*b))
  637. return -EINVAL;
  638. for (b++, count = 0; count < 3; count++, b++) {
  639. switch (*b) {
  640. case 'r':
  641. ex.access |= DEVCG_ACC_READ;
  642. break;
  643. case 'w':
  644. ex.access |= DEVCG_ACC_WRITE;
  645. break;
  646. case 'm':
  647. ex.access |= DEVCG_ACC_MKNOD;
  648. break;
  649. case '\n':
  650. case '\0':
  651. count = 3;
  652. break;
  653. default:
  654. return -EINVAL;
  655. }
  656. }
  657. switch (filetype) {
  658. case DEVCG_ALLOW:
  659. /*
  660. * If the default policy is to allow by default, try to remove
  661. * an matching exception instead. And be silent about it: we
  662. * don't want to break compatibility
  663. */
  664. if (devcgroup->behavior == DEVCG_DEFAULT_ALLOW) {
  665. /* Check if the parent allows removing it first */
  666. if (!parent_allows_removal(devcgroup, &ex))
  667. return -EPERM;
  668. dev_exception_rm(devcgroup, &ex);
  669. break;
  670. }
  671. if (!parent_has_perm(devcgroup, &ex))
  672. return -EPERM;
  673. rc = dev_exception_add(devcgroup, &ex);
  674. break;
  675. case DEVCG_DENY:
  676. /*
  677. * If the default policy is to deny by default, try to remove
  678. * an matching exception instead. And be silent about it: we
  679. * don't want to break compatibility
  680. */
  681. if (devcgroup->behavior == DEVCG_DEFAULT_DENY)
  682. dev_exception_rm(devcgroup, &ex);
  683. else
  684. rc = dev_exception_add(devcgroup, &ex);
  685. if (rc)
  686. break;
  687. /* we only propagate new restrictions */
  688. rc = propagate_exception(devcgroup, &ex);
  689. break;
  690. default:
  691. rc = -EINVAL;
  692. }
  693. return rc;
  694. }
  695. static ssize_t devcgroup_access_write(struct kernfs_open_file *of,
  696. char *buf, size_t nbytes, loff_t off)
  697. {
  698. int retval;
  699. mutex_lock(&devcgroup_mutex);
  700. retval = devcgroup_update_access(css_to_devcgroup(of_css(of)),
  701. of_cft(of)->private, strstrip(buf));
  702. mutex_unlock(&devcgroup_mutex);
  703. return retval ?: nbytes;
  704. }
  705. static struct cftype dev_cgroup_files[] = {
  706. {
  707. .name = "allow",
  708. .write = devcgroup_access_write,
  709. .private = DEVCG_ALLOW,
  710. },
  711. {
  712. .name = "deny",
  713. .write = devcgroup_access_write,
  714. .private = DEVCG_DENY,
  715. },
  716. {
  717. .name = "list",
  718. .seq_show = devcgroup_seq_show,
  719. .private = DEVCG_LIST,
  720. },
  721. { } /* terminate */
  722. };
  723. struct cgroup_subsys devices_cgrp_subsys = {
  724. .css_alloc = devcgroup_css_alloc,
  725. .css_free = devcgroup_css_free,
  726. .css_online = devcgroup_online,
  727. .css_offline = devcgroup_offline,
  728. .legacy_cftypes = dev_cgroup_files,
  729. };
  730. /**
  731. * devcgroup_legacy_check_permission - checks if an inode operation is permitted
  732. * @dev_cgroup: the dev cgroup to be tested against
  733. * @type: device type
  734. * @major: device major number
  735. * @minor: device minor number
  736. * @access: combination of DEVCG_ACC_WRITE, DEVCG_ACC_READ and DEVCG_ACC_MKNOD
  737. *
  738. * returns 0 on success, -EPERM case the operation is not permitted
  739. */
  740. static int devcgroup_legacy_check_permission(short type, u32 major, u32 minor,
  741. short access)
  742. {
  743. struct dev_cgroup *dev_cgroup;
  744. bool rc;
  745. rcu_read_lock();
  746. dev_cgroup = task_devcgroup(current);
  747. if (dev_cgroup->behavior == DEVCG_DEFAULT_ALLOW)
  748. /* Can't match any of the exceptions, even partially */
  749. rc = !match_exception_partial(&dev_cgroup->exceptions,
  750. type, major, minor, access);
  751. else
  752. /* Need to match completely one exception to be allowed */
  753. rc = match_exception(&dev_cgroup->exceptions, type, major,
  754. minor, access);
  755. rcu_read_unlock();
  756. if (!rc)
  757. return -EPERM;
  758. return 0;
  759. }
  760. #endif /* CONFIG_CGROUP_DEVICE */
  761. #if defined(CONFIG_CGROUP_DEVICE) || defined(CONFIG_CGROUP_BPF)
  762. int devcgroup_check_permission(short type, u32 major, u32 minor, short access)
  763. {
  764. int rc = BPF_CGROUP_RUN_PROG_DEVICE_CGROUP(type, major, minor, access);
  765. if (rc)
  766. return rc;
  767. #ifdef CONFIG_CGROUP_DEVICE
  768. return devcgroup_legacy_check_permission(type, major, minor, access);
  769. #else /* CONFIG_CGROUP_DEVICE */
  770. return 0;
  771. #endif /* CONFIG_CGROUP_DEVICE */
  772. }
  773. EXPORT_SYMBOL(devcgroup_check_permission);
  774. #endif /* defined(CONFIG_CGROUP_DEVICE) || defined(CONFIG_CGROUP_BPF) */