device_cgroup.c 22 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270
3704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870
  1. // SPDX-License-Identifier: GPL-2.0
  2. /*
  3. * device_cgroup.c - device cgroup subsystem
  4. *
  5. * Copyright 2007 IBM Corp
  6. */
  7. #include <linux/bpf-cgroup.h>
  8. #include <linux/device_cgroup.h>
  9. #include <linux/cgroup.h>
  10. #include <linux/ctype.h>
  11. #include <linux/list.h>
  12. #include <linux/uaccess.h>
  13. #include <linux/seq_file.h>
  14. #include <linux/slab.h>
  15. #include <linux/rcupdate.h>
  16. #include <linux/mutex.h>
  17. #ifdef CONFIG_CGROUP_DEVICE
  /* Protects the behavior and the exception list of every device cgroup. */
  static DEFINE_MUTEX(devcgroup_mutex);

  /* Default policy a device cgroup applies, before exceptions are considered. */
  enum devcg_behavior {
      /* Value set at allocation time and again when the css goes offline. */
      DEVCG_DEFAULT_NONE = 0,
      /* Everything is allowed; the exception list names what is denied. */
      DEVCG_DEFAULT_ALLOW,
      /* Everything is denied; the exception list names what is allowed. */
      DEVCG_DEFAULT_DENY,
  };
  24. /*
  25. * exception list locking rules:
  26. * hold devcgroup_mutex for update/read.
  27. * hold rcu_read_lock() for read.
  28. */
  29. struct dev_exception_item {
  30. u32 major, minor;
  31. short type;
  32. short access;
  33. struct list_head list;
  34. struct rcu_head rcu;
  35. };
  36. struct dev_cgroup {
  37. struct cgroup_subsys_state css;
  38. struct list_head exceptions;
  39. enum devcg_behavior behavior;
  40. };
  41. static inline struct dev_cgroup *css_to_devcgroup(struct cgroup_subsys_state *s)
  42. {
  43. return s ? container_of(s, struct dev_cgroup, css) : NULL;
  44. }
  45. static inline struct dev_cgroup *task_devcgroup(struct task_struct *task)
  46. {
  47. return css_to_devcgroup(task_css(task, devices_cgrp_id));
  48. }
  49. /*
  50. * called under devcgroup_mutex
  51. */
  52. static int dev_exceptions_copy(struct list_head *dest, struct list_head *orig)
  53. {
  54. struct dev_exception_item *ex, *tmp, *new;
  55. lockdep_assert_held(&devcgroup_mutex);
  56. list_for_each_entry(ex, orig, list) {
  57. new = kmemdup(ex, sizeof(*ex), GFP_KERNEL);
  58. if (!new)
  59. goto free_and_exit;
  60. list_add_tail(&new->list, dest);
  61. }
  62. return 0;
  63. free_and_exit:
  64. list_for_each_entry_safe(ex, tmp, dest, list) {
  65. list_del(&ex->list);
  66. kfree(ex);
  67. }
  68. return -ENOMEM;
  69. }
  70. static void dev_exceptions_move(struct list_head *dest, struct list_head *orig)
  71. {
  72. struct dev_exception_item *ex, *tmp;
  73. lockdep_assert_held(&devcgroup_mutex);
  74. list_for_each_entry_safe(ex, tmp, orig, list) {
  75. list_move_tail(&ex->list, dest);
  76. }
  77. }
  78. /*
  79. * called under devcgroup_mutex
  80. */
  81. static int dev_exception_add(struct dev_cgroup *dev_cgroup,
  82. struct dev_exception_item *ex)
  83. {
  84. struct dev_exception_item *excopy, *walk;
  85. lockdep_assert_held(&devcgroup_mutex);
  86. excopy = kmemdup(ex, sizeof(*ex), GFP_KERNEL);
  87. if (!excopy)
  88. return -ENOMEM;
  89. list_for_each_entry(walk, &dev_cgroup->exceptions, list) {
  90. if (walk->type != ex->type)
  91. continue;
  92. if (walk->major != ex->major)
  93. continue;
  94. if (walk->minor != ex->minor)
  95. continue;
  96. walk->access |= ex->access;
  97. kfree(excopy);
  98. excopy = NULL;
  99. }
  100. if (excopy != NULL)
  101. list_add_tail_rcu(&excopy->list, &dev_cgroup->exceptions);
  102. return 0;
  103. }
  104. /*
  105. * called under devcgroup_mutex
  106. */
  107. static void dev_exception_rm(struct dev_cgroup *dev_cgroup,
  108. struct dev_exception_item *ex)
  109. {
  110. struct dev_exception_item *walk, *tmp;
  111. lockdep_assert_held(&devcgroup_mutex);
  112. list_for_each_entry_safe(walk, tmp, &dev_cgroup->exceptions, list) {
  113. if (walk->type != ex->type)
  114. continue;
  115. if (walk->major != ex->major)
  116. continue;
  117. if (walk->minor != ex->minor)
  118. continue;
  119. walk->access &= ~ex->access;
  120. if (!walk->access) {
  121. list_del_rcu(&walk->list);
  122. kfree_rcu(walk, rcu);
  123. }
  124. }
  125. }
  126. static void __dev_exception_clean(struct dev_cgroup *dev_cgroup)
  127. {
  128. struct dev_exception_item *ex, *tmp;
  129. list_for_each_entry_safe(ex, tmp, &dev_cgroup->exceptions, list) {
  130. list_del_rcu(&ex->list);
  131. kfree_rcu(ex, rcu);
  132. }
  133. }
  134. /**
  135. * dev_exception_clean - frees all entries of the exception list
  136. * @dev_cgroup: dev_cgroup with the exception list to be cleaned
  137. *
  138. * called under devcgroup_mutex
  139. */
  140. static void dev_exception_clean(struct dev_cgroup *dev_cgroup)
  141. {
  142. lockdep_assert_held(&devcgroup_mutex);
  143. __dev_exception_clean(dev_cgroup);
  144. }
  145. static inline bool is_devcg_online(const struct dev_cgroup *devcg)
  146. {
  147. return (devcg->behavior != DEVCG_DEFAULT_NONE);
  148. }
  149. /**
  150. * devcgroup_online - initializes devcgroup's behavior and exceptions based on
  151. * parent's
  152. * @css: css getting online
  153. * returns 0 in case of success, error code otherwise
  154. */
  155. static int devcgroup_online(struct cgroup_subsys_state *css)
  156. {
  157. struct dev_cgroup *dev_cgroup = css_to_devcgroup(css);
  158. struct dev_cgroup *parent_dev_cgroup = css_to_devcgroup(css->parent);
  159. int ret = 0;
  160. mutex_lock(&devcgroup_mutex);
  161. if (parent_dev_cgroup == NULL)
  162. dev_cgroup->behavior = DEVCG_DEFAULT_ALLOW;
  163. else {
  164. ret = dev_exceptions_copy(&dev_cgroup->exceptions,
  165. &parent_dev_cgroup->exceptions);
  166. if (!ret)
  167. dev_cgroup->behavior = parent_dev_cgroup->behavior;
  168. }
  169. mutex_unlock(&devcgroup_mutex);
  170. return ret;
  171. }
  172. static void devcgroup_offline(struct cgroup_subsys_state *css)
  173. {
  174. struct dev_cgroup *dev_cgroup = css_to_devcgroup(css);
  175. mutex_lock(&devcgroup_mutex);
  176. dev_cgroup->behavior = DEVCG_DEFAULT_NONE;
  177. mutex_unlock(&devcgroup_mutex);
  178. }
  179. /*
  180. * called from kernel/cgroup/cgroup.c with cgroup_lock() held.
  181. */
  182. static struct cgroup_subsys_state *
  183. devcgroup_css_alloc(struct cgroup_subsys_state *parent_css)
  184. {
  185. struct dev_cgroup *dev_cgroup;
  186. dev_cgroup = kzalloc_obj(*dev_cgroup);
  187. if (!dev_cgroup)
  188. return ERR_PTR(-ENOMEM);
  189. INIT_LIST_HEAD(&dev_cgroup->exceptions);
  190. dev_cgroup->behavior = DEVCG_DEFAULT_NONE;
  191. return &dev_cgroup->css;
  192. }
  /*
   * Release a dev_cgroup: drop all of its exceptions, then free the structure
   * itself. The unlocked __dev_exception_clean() is used, so devcgroup_mutex
   * is not asserted on this path.
   */
  static void devcgroup_css_free(struct cgroup_subsys_state *css)
  {
      struct dev_cgroup *devcg = css_to_devcgroup(css);

      __dev_exception_clean(devcg);
      kfree(devcg);
  }
  /*
   * Identifiers stored in cftype::private of the control files below; the
   * write handler passes them on as the "filetype" of an update.
   */
  #define DEVCG_ALLOW    1    /* "allow" file */
  #define DEVCG_DENY     2    /* "deny" file */
  #define DEVCG_LIST     3    /* "list" file */
  202. static void seq_putaccess(struct seq_file *m, short access)
  203. {
  204. if (access & DEVCG_ACC_READ)
  205. seq_putc(m, 'r');
  206. if (access & DEVCG_ACC_WRITE)
  207. seq_putc(m, 'w');
  208. if (access & DEVCG_ACC_MKNOD)
  209. seq_putc(m, 'm');
  210. }
  211. static void seq_puttype(struct seq_file *m, short type)
  212. {
  213. if (type == DEVCG_DEV_ALL)
  214. seq_putc(m, 'a');
  215. else if (type == DEVCG_DEV_CHAR)
  216. seq_putc(m, 'c');
  217. else if (type == DEVCG_DEV_BLOCK)
  218. seq_putc(m, 'b');
  219. else
  220. seq_putc(m, 'X');
  221. }
  /*
   * Emit a major/minor number in decimal; the wildcard value ~0 is shown
   * as '*'.
   */
  static void seq_putversion(struct seq_file *m, unsigned int version)
  {
      if (version != ~0) {
          seq_printf(m, "%u", version);
          return;
      }

      seq_putc(m, '*');
  }
  229. static int devcgroup_seq_show(struct seq_file *m, void *v)
  230. {
  231. struct dev_cgroup *devcgroup = css_to_devcgroup(seq_css(m));
  232. struct dev_exception_item *ex;
  233. rcu_read_lock();
  234. /*
  235. * To preserve the compatibility:
  236. * - Only show the "all devices" when the default policy is to allow
  237. * - List the exceptions in case the default policy is to deny
  238. * This way, the file remains as a "whitelist of devices"
  239. */
  240. if (devcgroup->behavior == DEVCG_DEFAULT_ALLOW) {
  241. seq_puts(m, "a *:* rwm\n");
  242. } else {
  243. list_for_each_entry_rcu(ex, &devcgroup->exceptions, list) {
  244. seq_puttype(m, ex->type);
  245. seq_putc(m, ' ');
  246. seq_putversion(m, ex->major);
  247. seq_putc(m, ':');
  248. seq_putversion(m, ex->minor);
  249. seq_putc(m, ' ');
  250. seq_putaccess(m, ex->access);
  251. seq_putc(m, '\n');
  252. }
  253. }
  254. rcu_read_unlock();
  255. return 0;
  256. }
  257. /**
  258. * match_exception - iterates the exception list trying to find a complete match
  259. * @exceptions: list of exceptions
  260. * @type: device type (DEVCG_DEV_BLOCK or DEVCG_DEV_CHAR)
  261. * @major: device file major number, ~0 to match all
  262. * @minor: device file minor number, ~0 to match all
  263. * @access: permission mask (DEVCG_ACC_READ, DEVCG_ACC_WRITE, DEVCG_ACC_MKNOD)
  264. *
  265. * It is considered a complete match if an exception is found that will
  266. * contain the entire range of provided parameters.
  267. *
  268. * Return: true in case it matches an exception completely
  269. */
  270. static bool match_exception(struct list_head *exceptions, short type,
  271. u32 major, u32 minor, short access)
  272. {
  273. struct dev_exception_item *ex;
  274. list_for_each_entry_rcu(ex, exceptions, list) {
  275. if ((type & DEVCG_DEV_BLOCK) && !(ex->type & DEVCG_DEV_BLOCK))
  276. continue;
  277. if ((type & DEVCG_DEV_CHAR) && !(ex->type & DEVCG_DEV_CHAR))
  278. continue;
  279. if (ex->major != ~0 && ex->major != major)
  280. continue;
  281. if (ex->minor != ~0 && ex->minor != minor)
  282. continue;
  283. /* provided access cannot have more than the exception rule */
  284. if (access & (~ex->access))
  285. continue;
  286. return true;
  287. }
  288. return false;
  289. }
  290. /**
  291. * match_exception_partial - iterates the exception list trying to find a partial match
  292. * @exceptions: list of exceptions
  293. * @type: device type (DEVCG_DEV_BLOCK or DEVCG_DEV_CHAR)
  294. * @major: device file major number, ~0 to match all
  295. * @minor: device file minor number, ~0 to match all
  296. * @access: permission mask (DEVCG_ACC_READ, DEVCG_ACC_WRITE, DEVCG_ACC_MKNOD)
  297. *
  298. * It is considered a partial match if an exception's range is found to
  299. * contain *any* of the devices specified by provided parameters. This is
  300. * used to make sure no extra access is being granted that is forbidden by
  301. * any of the exception list.
  302. *
  303. * Return: true in case the provided range mat matches an exception completely
  304. */
  305. static bool match_exception_partial(struct list_head *exceptions, short type,
  306. u32 major, u32 minor, short access)
  307. {
  308. struct dev_exception_item *ex;
  309. list_for_each_entry_rcu(ex, exceptions, list,
  310. lockdep_is_held(&devcgroup_mutex)) {
  311. if ((type & DEVCG_DEV_BLOCK) && !(ex->type & DEVCG_DEV_BLOCK))
  312. continue;
  313. if ((type & DEVCG_DEV_CHAR) && !(ex->type & DEVCG_DEV_CHAR))
  314. continue;
  315. /*
  316. * We must be sure that both the exception and the provided
  317. * range aren't masking all devices
  318. */
  319. if (ex->major != ~0 && major != ~0 && ex->major != major)
  320. continue;
  321. if (ex->minor != ~0 && minor != ~0 && ex->minor != minor)
  322. continue;
  323. /*
  324. * In order to make sure the provided range isn't matching
  325. * an exception, all its access bits shouldn't match the
  326. * exception's access bits
  327. */
  328. if (!(access & ex->access))
  329. continue;
  330. return true;
  331. }
  332. return false;
  333. }
  334. /**
  335. * verify_new_ex - verifies if a new exception is allowed by parent cgroup's permissions
  336. * @dev_cgroup: dev cgroup to be tested against
  337. * @refex: new exception
  338. * @behavior: behavior of the exception's dev_cgroup
  339. *
  340. * This is used to make sure a child cgroup won't have more privileges
  341. * than its parent
  342. */
  343. static bool verify_new_ex(struct dev_cgroup *dev_cgroup,
  344. struct dev_exception_item *refex,
  345. enum devcg_behavior behavior)
  346. {
  347. bool match = false;
  348. RCU_LOCKDEP_WARN(!rcu_read_lock_held() &&
  349. !lockdep_is_held(&devcgroup_mutex),
  350. "device_cgroup:verify_new_ex called without proper synchronization");
  351. if (dev_cgroup->behavior == DEVCG_DEFAULT_ALLOW) {
  352. if (behavior == DEVCG_DEFAULT_ALLOW) {
  353. /*
  354. * new exception in the child doesn't matter, only
  355. * adding extra restrictions
  356. */
  357. return true;
  358. } else {
  359. /*
  360. * new exception in the child will add more devices
  361. * that can be accessed, so it can't match any of
  362. * parent's exceptions, even slightly
  363. */
  364. match = match_exception_partial(&dev_cgroup->exceptions,
  365. refex->type,
  366. refex->major,
  367. refex->minor,
  368. refex->access);
  369. if (match)
  370. return false;
  371. return true;
  372. }
  373. } else {
  374. /*
  375. * Only behavior == DEVCG_DEFAULT_DENY allowed here, therefore
  376. * the new exception will add access to more devices and must
  377. * be contained completely in an parent's exception to be
  378. * allowed
  379. */
  380. match = match_exception(&dev_cgroup->exceptions, refex->type,
  381. refex->major, refex->minor,
  382. refex->access);
  383. if (match)
  384. /* parent has an exception that matches the proposed */
  385. return true;
  386. else
  387. return false;
  388. }
  389. return false;
  390. }
  391. /*
  392. * parent_has_perm:
  393. * when adding a new allow rule to a device exception list, the rule
  394. * must be allowed in the parent device
  395. */
  396. static int parent_has_perm(struct dev_cgroup *childcg,
  397. struct dev_exception_item *ex)
  398. {
  399. struct dev_cgroup *parent = css_to_devcgroup(childcg->css.parent);
  400. if (!parent)
  401. return 1;
  402. return verify_new_ex(parent, ex, childcg->behavior);
  403. }
  404. /**
  405. * parent_allows_removal - verify if it's ok to remove an exception
  406. * @childcg: child cgroup from where the exception will be removed
  407. * @ex: exception being removed
  408. *
  409. * When removing an exception in cgroups with default ALLOW policy, it must
  410. * be checked if removing it will give the child cgroup more access than the
  411. * parent.
  412. *
  413. * Return: true if it's ok to remove exception, false otherwise
  414. */
  415. static bool parent_allows_removal(struct dev_cgroup *childcg,
  416. struct dev_exception_item *ex)
  417. {
  418. struct dev_cgroup *parent = css_to_devcgroup(childcg->css.parent);
  419. if (!parent)
  420. return true;
  421. /* It's always allowed to remove access to devices */
  422. if (childcg->behavior == DEVCG_DEFAULT_DENY)
  423. return true;
  424. /*
  425. * Make sure you're not removing part or a whole exception existing in
  426. * the parent cgroup
  427. */
  428. return !match_exception_partial(&parent->exceptions, ex->type,
  429. ex->major, ex->minor, ex->access);
  430. }
  431. /**
  432. * may_allow_all - checks if it's possible to change the behavior to
  433. * allow based on parent's rules.
  434. * @parent: device cgroup's parent
  435. * returns: != 0 in case it's allowed, 0 otherwise
  436. */
  437. static inline int may_allow_all(struct dev_cgroup *parent)
  438. {
  439. if (!parent)
  440. return 1;
  441. return parent->behavior == DEVCG_DEFAULT_ALLOW;
  442. }
  443. /**
  444. * revalidate_active_exceptions - walks through the active exception list and
  445. * revalidates the exceptions based on parent's
  446. * behavior and exceptions. The exceptions that
  447. * are no longer valid will be removed.
  448. * Called with devcgroup_mutex held.
  449. * @devcg: cgroup which exceptions will be checked
  450. *
  451. * This is one of the three key functions for hierarchy implementation.
  452. * This function is responsible for re-evaluating all the cgroup's active
  453. * exceptions due to a parent's exception change.
  454. * Refer to Documentation/admin-guide/cgroup-v1/devices.rst for more details.
  455. */
  456. static void revalidate_active_exceptions(struct dev_cgroup *devcg)
  457. {
  458. struct dev_exception_item *ex;
  459. struct list_head *this, *tmp;
  460. list_for_each_safe(this, tmp, &devcg->exceptions) {
  461. ex = container_of(this, struct dev_exception_item, list);
  462. if (!parent_has_perm(devcg, ex))
  463. dev_exception_rm(devcg, ex);
  464. }
  465. }
  466. /**
  467. * propagate_exception - propagates a new exception to the children
  468. * @devcg_root: device cgroup that added a new exception
  469. * @ex: new exception to be propagated
  470. *
  471. * returns: 0 in case of success, != 0 in case of error
  472. */
  473. static int propagate_exception(struct dev_cgroup *devcg_root,
  474. struct dev_exception_item *ex)
  475. {
  476. struct cgroup_subsys_state *pos;
  477. int rc = 0;
  478. rcu_read_lock();
  479. css_for_each_descendant_pre(pos, &devcg_root->css) {
  480. struct dev_cgroup *devcg = css_to_devcgroup(pos);
  481. /*
  482. * Because devcgroup_mutex is held, no devcg will become
  483. * online or offline during the tree walk (see on/offline
  484. * methods), and online ones are safe to access outside RCU
  485. * read lock without bumping refcnt.
  486. */
  487. if (pos == &devcg_root->css || !is_devcg_online(devcg))
  488. continue;
  489. rcu_read_unlock();
  490. /*
  491. * in case both root's behavior and devcg is allow, a new
  492. * restriction means adding to the exception list
  493. */
  494. if (devcg_root->behavior == DEVCG_DEFAULT_ALLOW &&
  495. devcg->behavior == DEVCG_DEFAULT_ALLOW) {
  496. rc = dev_exception_add(devcg, ex);
  497. if (rc)
  498. return rc;
  499. } else {
  500. /*
  501. * in the other possible cases:
  502. * root's behavior: allow, devcg's: deny
  503. * root's behavior: deny, devcg's: deny
  504. * the exception will be removed
  505. */
  506. dev_exception_rm(devcg, ex);
  507. }
  508. revalidate_active_exceptions(devcg);
  509. rcu_read_lock();
  510. }
  511. rcu_read_unlock();
  512. return rc;
  513. }
  514. /*
  515. * Modify the exception list using allow/deny rules.
  516. * CAP_SYS_ADMIN is needed for this. It's at least separate from CAP_MKNOD
  517. * so we can give a container CAP_MKNOD to let it create devices but not
  518. * modify the exception list.
  519. * It seems likely we'll want to add a CAP_CONTAINER capability to allow
  520. * us to also grant CAP_SYS_ADMIN to containers without giving away the
  521. * device exception list controls, but for now we'll stick with CAP_SYS_ADMIN
  522. *
  523. * Taking rules away is always allowed (given CAP_SYS_ADMIN). Granting
  524. * new access is only allowed if you're in the top-level cgroup, or your
  525. * parent cgroup has the access you're asking for.
  526. */
  527. static int devcgroup_update_access(struct dev_cgroup *devcgroup,
  528. int filetype, char *buffer)
  529. {
  530. const char *b;
  531. char temp[12]; /* 11 + 1 characters needed for a u32 */
  532. int count, rc = 0;
  533. struct dev_exception_item ex;
  534. struct dev_cgroup *parent = css_to_devcgroup(devcgroup->css.parent);
  535. struct dev_cgroup tmp_devcgrp;
  536. if (!capable(CAP_SYS_ADMIN))
  537. return -EPERM;
  538. memset(&ex, 0, sizeof(ex));
  539. memset(&tmp_devcgrp, 0, sizeof(tmp_devcgrp));
  540. b = buffer;
  541. switch (*b) {
  542. case 'a':
  543. switch (filetype) {
  544. case DEVCG_ALLOW:
  545. if (css_has_online_children(&devcgroup->css))
  546. return -EINVAL;
  547. if (!may_allow_all(parent))
  548. return -EPERM;
  549. if (!parent) {
  550. devcgroup->behavior = DEVCG_DEFAULT_ALLOW;
  551. dev_exception_clean(devcgroup);
  552. break;
  553. }
  554. INIT_LIST_HEAD(&tmp_devcgrp.exceptions);
  555. rc = dev_exceptions_copy(&tmp_devcgrp.exceptions,
  556. &devcgroup->exceptions);
  557. if (rc)
  558. return rc;
  559. dev_exception_clean(devcgroup);
  560. rc = dev_exceptions_copy(&devcgroup->exceptions,
  561. &parent->exceptions);
  562. if (rc) {
  563. dev_exceptions_move(&devcgroup->exceptions,
  564. &tmp_devcgrp.exceptions);
  565. return rc;
  566. }
  567. devcgroup->behavior = DEVCG_DEFAULT_ALLOW;
  568. dev_exception_clean(&tmp_devcgrp);
  569. break;
  570. case DEVCG_DENY:
  571. if (css_has_online_children(&devcgroup->css))
  572. return -EINVAL;
  573. dev_exception_clean(devcgroup);
  574. devcgroup->behavior = DEVCG_DEFAULT_DENY;
  575. break;
  576. default:
  577. return -EINVAL;
  578. }
  579. return 0;
  580. case 'b':
  581. ex.type = DEVCG_DEV_BLOCK;
  582. break;
  583. case 'c':
  584. ex.type = DEVCG_DEV_CHAR;
  585. break;
  586. default:
  587. return -EINVAL;
  588. }
  589. b++;
  590. if (!isspace(*b))
  591. return -EINVAL;
  592. b++;
  593. if (*b == '*') {
  594. ex.major = ~0;
  595. b++;
  596. } else if (isdigit(*b)) {
  597. memset(temp, 0, sizeof(temp));
  598. for (count = 0; count < sizeof(temp) - 1; count++) {
  599. temp[count] = *b;
  600. b++;
  601. if (!isdigit(*b))
  602. break;
  603. }
  604. rc = kstrtou32(temp, 10, &ex.major);
  605. if (rc)
  606. return -EINVAL;
  607. } else {
  608. return -EINVAL;
  609. }
  610. if (*b != ':')
  611. return -EINVAL;
  612. b++;
  613. /* read minor */
  614. if (*b == '*') {
  615. ex.minor = ~0;
  616. b++;
  617. } else if (isdigit(*b)) {
  618. memset(temp, 0, sizeof(temp));
  619. for (count = 0; count < sizeof(temp) - 1; count++) {
  620. temp[count] = *b;
  621. b++;
  622. if (!isdigit(*b))
  623. break;
  624. }
  625. rc = kstrtou32(temp, 10, &ex.minor);
  626. if (rc)
  627. return -EINVAL;
  628. } else {
  629. return -EINVAL;
  630. }
  631. if (!isspace(*b))
  632. return -EINVAL;
  633. for (b++, count = 0; count < 3; count++, b++) {
  634. switch (*b) {
  635. case 'r':
  636. ex.access |= DEVCG_ACC_READ;
  637. break;
  638. case 'w':
  639. ex.access |= DEVCG_ACC_WRITE;
  640. break;
  641. case 'm':
  642. ex.access |= DEVCG_ACC_MKNOD;
  643. break;
  644. case '\n':
  645. case '\0':
  646. count = 3;
  647. break;
  648. default:
  649. return -EINVAL;
  650. }
  651. }
  652. switch (filetype) {
  653. case DEVCG_ALLOW:
  654. /*
  655. * If the default policy is to allow by default, try to remove
  656. * an matching exception instead. And be silent about it: we
  657. * don't want to break compatibility
  658. */
  659. if (devcgroup->behavior == DEVCG_DEFAULT_ALLOW) {
  660. /* Check if the parent allows removing it first */
  661. if (!parent_allows_removal(devcgroup, &ex))
  662. return -EPERM;
  663. dev_exception_rm(devcgroup, &ex);
  664. break;
  665. }
  666. if (!parent_has_perm(devcgroup, &ex))
  667. return -EPERM;
  668. rc = dev_exception_add(devcgroup, &ex);
  669. break;
  670. case DEVCG_DENY:
  671. /*
  672. * If the default policy is to deny by default, try to remove
  673. * an matching exception instead. And be silent about it: we
  674. * don't want to break compatibility
  675. */
  676. if (devcgroup->behavior == DEVCG_DEFAULT_DENY)
  677. dev_exception_rm(devcgroup, &ex);
  678. else
  679. rc = dev_exception_add(devcgroup, &ex);
  680. if (rc)
  681. break;
  682. /* we only propagate new restrictions */
  683. rc = propagate_exception(devcgroup, &ex);
  684. break;
  685. default:
  686. rc = -EINVAL;
  687. }
  688. return rc;
  689. }
  690. static ssize_t devcgroup_access_write(struct kernfs_open_file *of,
  691. char *buf, size_t nbytes, loff_t off)
  692. {
  693. int retval;
  694. mutex_lock(&devcgroup_mutex);
  695. retval = devcgroup_update_access(css_to_devcgroup(of_css(of)),
  696. of_cft(of)->private, strstrip(buf));
  697. mutex_unlock(&devcgroup_mutex);
  698. return retval ?: nbytes;
  699. }
  700. static struct cftype dev_cgroup_files[] = {
  701. {
  702. .name = "allow",
  703. .write = devcgroup_access_write,
  704. .private = DEVCG_ALLOW,
  705. },
  706. {
  707. .name = "deny",
  708. .write = devcgroup_access_write,
  709. .private = DEVCG_DENY,
  710. },
  711. {
  712. .name = "list",
  713. .seq_show = devcgroup_seq_show,
  714. .private = DEVCG_LIST,
  715. },
  716. { } /* terminate */
  717. };
  718. struct cgroup_subsys devices_cgrp_subsys = {
  719. .css_alloc = devcgroup_css_alloc,
  720. .css_free = devcgroup_css_free,
  721. .css_online = devcgroup_online,
  722. .css_offline = devcgroup_offline,
  723. .legacy_cftypes = dev_cgroup_files,
  724. };
  725. /**
  726. * devcgroup_legacy_check_permission - checks if an inode operation is permitted
  727. * @type: device type
  728. * @major: device major number
  729. * @minor: device minor number
  730. * @access: combination of DEVCG_ACC_WRITE, DEVCG_ACC_READ and DEVCG_ACC_MKNOD
  731. *
  732. * returns 0 on success, -EPERM case the operation is not permitted
  733. */
  734. static int devcgroup_legacy_check_permission(short type, u32 major, u32 minor,
  735. short access)
  736. {
  737. struct dev_cgroup *dev_cgroup;
  738. bool rc;
  739. rcu_read_lock();
  740. dev_cgroup = task_devcgroup(current);
  741. if (dev_cgroup->behavior == DEVCG_DEFAULT_ALLOW)
  742. /* Can't match any of the exceptions, even partially */
  743. rc = !match_exception_partial(&dev_cgroup->exceptions,
  744. type, major, minor, access);
  745. else
  746. /* Need to match completely one exception to be allowed */
  747. rc = match_exception(&dev_cgroup->exceptions, type, major,
  748. minor, access);
  749. rcu_read_unlock();
  750. if (!rc)
  751. return -EPERM;
  752. return 0;
  753. }
  754. #endif /* CONFIG_CGROUP_DEVICE */
  755. #if defined(CONFIG_CGROUP_DEVICE) || defined(CONFIG_CGROUP_BPF)
  756. int devcgroup_check_permission(short type, u32 major, u32 minor, short access)
  757. {
  758. int rc = BPF_CGROUP_RUN_PROG_DEVICE_CGROUP(type, major, minor, access);
  759. if (rc)
  760. return rc;
  761. #ifdef CONFIG_CGROUP_DEVICE
  762. return devcgroup_legacy_check_permission(type, major, minor, access);
  763. #else /* CONFIG_CGROUP_DEVICE */
  764. return 0;
  765. #endif /* CONFIG_CGROUP_DEVICE */
  766. }
  767. EXPORT_SYMBOL(devcgroup_check_permission);
  768. #endif /* defined(CONFIG_CGROUP_DEVICE) || defined(CONFIG_CGROUP_BPF) */