1 // SPDX-License-Identifier: GPL-2.0
3 * device_cgroup.c - device cgroup subsystem
5 * Copyright 2007 IBM Corp
8 #include <linux/device_cgroup.h>
9 #include <linux/cgroup.h>
10 #include <linux/ctype.h>
11 #include <linux/export.h>
12 #include <linux/list.h>
13 #include <linux/uaccess.h>
14 #include <linux/seq_file.h>
15 #include <linux/slab.h>
16 #include <linux/rcupdate.h>
17 #include <linux/mutex.h>
19 static DEFINE_MUTEX(devcgroup_mutex
);
28 * exception list locking rules:
29 * hold devcgroup_mutex for update/read.
30 * hold rcu_read_lock() for read.
33 struct dev_exception_item
{
37 struct list_head list
;
42 struct cgroup_subsys_state css
;
43 struct list_head exceptions
;
44 enum devcg_behavior behavior
;
47 static inline struct dev_cgroup
*css_to_devcgroup(struct cgroup_subsys_state
*s
)
49 return s
? container_of(s
, struct dev_cgroup
, css
) : NULL
;
52 static inline struct dev_cgroup
*task_devcgroup(struct task_struct
*task
)
54 return css_to_devcgroup(task_css(task
, devices_cgrp_id
));
58 * called under devcgroup_mutex
60 static int dev_exceptions_copy(struct list_head
*dest
, struct list_head
*orig
)
62 struct dev_exception_item
*ex
, *tmp
, *new;
64 lockdep_assert_held(&devcgroup_mutex
);
66 list_for_each_entry(ex
, orig
, list
) {
67 new = kmemdup(ex
, sizeof(*ex
), GFP_KERNEL
);
70 list_add_tail(&new->list
, dest
);
76 list_for_each_entry_safe(ex
, tmp
, dest
, list
) {
84 * called under devcgroup_mutex
86 static int dev_exception_add(struct dev_cgroup
*dev_cgroup
,
87 struct dev_exception_item
*ex
)
89 struct dev_exception_item
*excopy
, *walk
;
91 lockdep_assert_held(&devcgroup_mutex
);
93 excopy
= kmemdup(ex
, sizeof(*ex
), GFP_KERNEL
);
97 list_for_each_entry(walk
, &dev_cgroup
->exceptions
, list
) {
98 if (walk
->type
!= ex
->type
)
100 if (walk
->major
!= ex
->major
)
102 if (walk
->minor
!= ex
->minor
)
105 walk
->access
|= ex
->access
;
111 list_add_tail_rcu(&excopy
->list
, &dev_cgroup
->exceptions
);
116 * called under devcgroup_mutex
118 static void dev_exception_rm(struct dev_cgroup
*dev_cgroup
,
119 struct dev_exception_item
*ex
)
121 struct dev_exception_item
*walk
, *tmp
;
123 lockdep_assert_held(&devcgroup_mutex
);
125 list_for_each_entry_safe(walk
, tmp
, &dev_cgroup
->exceptions
, list
) {
126 if (walk
->type
!= ex
->type
)
128 if (walk
->major
!= ex
->major
)
130 if (walk
->minor
!= ex
->minor
)
133 walk
->access
&= ~ex
->access
;
135 list_del_rcu(&walk
->list
);
136 kfree_rcu(walk
, rcu
);
141 static void __dev_exception_clean(struct dev_cgroup
*dev_cgroup
)
143 struct dev_exception_item
*ex
, *tmp
;
145 list_for_each_entry_safe(ex
, tmp
, &dev_cgroup
->exceptions
, list
) {
146 list_del_rcu(&ex
->list
);
152 * dev_exception_clean - frees all entries of the exception list
153 * @dev_cgroup: dev_cgroup with the exception list to be cleaned
155 * called under devcgroup_mutex
157 static void dev_exception_clean(struct dev_cgroup
*dev_cgroup
)
159 lockdep_assert_held(&devcgroup_mutex
);
161 __dev_exception_clean(dev_cgroup
);
164 static inline bool is_devcg_online(const struct dev_cgroup
*devcg
)
166 return (devcg
->behavior
!= DEVCG_DEFAULT_NONE
);
170 * devcgroup_online - initializes devcgroup's behavior and exceptions based on
172 * @css: css getting online
173 * returns 0 in case of success, error code otherwise
175 static int devcgroup_online(struct cgroup_subsys_state
*css
)
177 struct dev_cgroup
*dev_cgroup
= css_to_devcgroup(css
);
178 struct dev_cgroup
*parent_dev_cgroup
= css_to_devcgroup(css
->parent
);
181 mutex_lock(&devcgroup_mutex
);
183 if (parent_dev_cgroup
== NULL
)
184 dev_cgroup
->behavior
= DEVCG_DEFAULT_ALLOW
;
186 ret
= dev_exceptions_copy(&dev_cgroup
->exceptions
,
187 &parent_dev_cgroup
->exceptions
);
189 dev_cgroup
->behavior
= parent_dev_cgroup
->behavior
;
191 mutex_unlock(&devcgroup_mutex
);
196 static void devcgroup_offline(struct cgroup_subsys_state
*css
)
198 struct dev_cgroup
*dev_cgroup
= css_to_devcgroup(css
);
200 mutex_lock(&devcgroup_mutex
);
201 dev_cgroup
->behavior
= DEVCG_DEFAULT_NONE
;
202 mutex_unlock(&devcgroup_mutex
);
206 * called from kernel/cgroup.c with cgroup_lock() held.
208 static struct cgroup_subsys_state
*
209 devcgroup_css_alloc(struct cgroup_subsys_state
*parent_css
)
211 struct dev_cgroup
*dev_cgroup
;
213 dev_cgroup
= kzalloc(sizeof(*dev_cgroup
), GFP_KERNEL
);
215 return ERR_PTR(-ENOMEM
);
216 INIT_LIST_HEAD(&dev_cgroup
->exceptions
);
217 dev_cgroup
->behavior
= DEVCG_DEFAULT_NONE
;
219 return &dev_cgroup
->css
;
222 static void devcgroup_css_free(struct cgroup_subsys_state
*css
)
224 struct dev_cgroup
*dev_cgroup
= css_to_devcgroup(css
);
226 __dev_exception_clean(dev_cgroup
);
230 #define DEVCG_ALLOW 1
237 static void set_access(char *acc
, short access
)
240 memset(acc
, 0, ACCLEN
);
241 if (access
& DEVCG_ACC_READ
)
243 if (access
& DEVCG_ACC_WRITE
)
245 if (access
& DEVCG_ACC_MKNOD
)
249 static char type_to_char(short type
)
251 if (type
== DEVCG_DEV_ALL
)
253 if (type
== DEVCG_DEV_CHAR
)
255 if (type
== DEVCG_DEV_BLOCK
)
260 static void set_majmin(char *str
, unsigned m
)
265 sprintf(str
, "%u", m
);
268 static int devcgroup_seq_show(struct seq_file
*m
, void *v
)
270 struct dev_cgroup
*devcgroup
= css_to_devcgroup(seq_css(m
));
271 struct dev_exception_item
*ex
;
272 char maj
[MAJMINLEN
], min
[MAJMINLEN
], acc
[ACCLEN
];
276 * To preserve the compatibility:
277 * - Only show the "all devices" when the default policy is to allow
278 * - List the exceptions in case the default policy is to deny
279 * This way, the file remains as a "whitelist of devices"
281 if (devcgroup
->behavior
== DEVCG_DEFAULT_ALLOW
) {
282 set_access(acc
, DEVCG_ACC_MASK
);
285 seq_printf(m
, "%c %s:%s %s\n", type_to_char(DEVCG_DEV_ALL
),
288 list_for_each_entry_rcu(ex
, &devcgroup
->exceptions
, list
) {
289 set_access(acc
, ex
->access
);
290 set_majmin(maj
, ex
->major
);
291 set_majmin(min
, ex
->minor
);
292 seq_printf(m
, "%c %s:%s %s\n", type_to_char(ex
->type
),
302 * match_exception - iterates the exception list trying to find a complete match
303 * @exceptions: list of exceptions
304 * @type: device type (DEVCG_DEV_BLOCK or DEVCG_DEV_CHAR)
305 * @major: device file major number, ~0 to match all
306 * @minor: device file minor number, ~0 to match all
307 * @access: permission mask (DEVCG_ACC_READ, DEVCG_ACC_WRITE, DEVCG_ACC_MKNOD)
309 * It is considered a complete match if an exception is found that will
310 * contain the entire range of provided parameters.
312 * Return: true in case it matches an exception completely
314 static bool match_exception(struct list_head
*exceptions
, short type
,
315 u32 major
, u32 minor
, short access
)
317 struct dev_exception_item
*ex
;
319 list_for_each_entry_rcu(ex
, exceptions
, list
) {
320 if ((type
& DEVCG_DEV_BLOCK
) && !(ex
->type
& DEVCG_DEV_BLOCK
))
322 if ((type
& DEVCG_DEV_CHAR
) && !(ex
->type
& DEVCG_DEV_CHAR
))
324 if (ex
->major
!= ~0 && ex
->major
!= major
)
326 if (ex
->minor
!= ~0 && ex
->minor
!= minor
)
328 /* provided access cannot have more than the exception rule */
329 if (access
& (~ex
->access
))
337 * match_exception_partial - iterates the exception list trying to find a partial match
338 * @exceptions: list of exceptions
339 * @type: device type (DEVCG_DEV_BLOCK or DEVCG_DEV_CHAR)
340 * @major: device file major number, ~0 to match all
341 * @minor: device file minor number, ~0 to match all
342 * @access: permission mask (DEVCG_ACC_READ, DEVCG_ACC_WRITE, DEVCG_ACC_MKNOD)
344 * It is considered a partial match if an exception's range is found to
345 * contain *any* of the devices specified by provided parameters. This is
346 * used to make sure no extra access is being granted that is forbidden by
347 * any of the exception list.
349 * Return: true in case the provided range mat matches an exception completely
351 static bool match_exception_partial(struct list_head
*exceptions
, short type
,
352 u32 major
, u32 minor
, short access
)
354 struct dev_exception_item
*ex
;
356 list_for_each_entry_rcu(ex
, exceptions
, list
) {
357 if ((type
& DEVCG_DEV_BLOCK
) && !(ex
->type
& DEVCG_DEV_BLOCK
))
359 if ((type
& DEVCG_DEV_CHAR
) && !(ex
->type
& DEVCG_DEV_CHAR
))
362 * We must be sure that both the exception and the provided
363 * range aren't masking all devices
365 if (ex
->major
!= ~0 && major
!= ~0 && ex
->major
!= major
)
367 if (ex
->minor
!= ~0 && minor
!= ~0 && ex
->minor
!= minor
)
370 * In order to make sure the provided range isn't matching
371 * an exception, all its access bits shouldn't match the
372 * exception's access bits
374 if (!(access
& ex
->access
))
382 * verify_new_ex - verifies if a new exception is allowed by parent cgroup's permissions
383 * @dev_cgroup: dev cgroup to be tested against
384 * @refex: new exception
385 * @behavior: behavior of the exception's dev_cgroup
387 * This is used to make sure a child cgroup won't have more privileges
390 static bool verify_new_ex(struct dev_cgroup
*dev_cgroup
,
391 struct dev_exception_item
*refex
,
392 enum devcg_behavior behavior
)
396 RCU_LOCKDEP_WARN(!rcu_read_lock_held() &&
397 !lockdep_is_held(&devcgroup_mutex
),
398 "device_cgroup:verify_new_ex called without proper synchronization");
400 if (dev_cgroup
->behavior
== DEVCG_DEFAULT_ALLOW
) {
401 if (behavior
== DEVCG_DEFAULT_ALLOW
) {
403 * new exception in the child doesn't matter, only
404 * adding extra restrictions
409 * new exception in the child will add more devices
410 * that can be acessed, so it can't match any of
411 * parent's exceptions, even slightly
413 match
= match_exception_partial(&dev_cgroup
->exceptions
,
425 * Only behavior == DEVCG_DEFAULT_DENY allowed here, therefore
426 * the new exception will add access to more devices and must
427 * be contained completely in an parent's exception to be
430 match
= match_exception(&dev_cgroup
->exceptions
, refex
->type
,
431 refex
->major
, refex
->minor
,
435 /* parent has an exception that matches the proposed */
445 * when adding a new allow rule to a device exception list, the rule
446 * must be allowed in the parent device
448 static int parent_has_perm(struct dev_cgroup
*childcg
,
449 struct dev_exception_item
*ex
)
451 struct dev_cgroup
*parent
= css_to_devcgroup(childcg
->css
.parent
);
455 return verify_new_ex(parent
, ex
, childcg
->behavior
);
459 * parent_allows_removal - verify if it's ok to remove an exception
460 * @childcg: child cgroup from where the exception will be removed
461 * @ex: exception being removed
463 * When removing an exception in cgroups with default ALLOW policy, it must
464 * be checked if removing it will give the child cgroup more access than the
467 * Return: true if it's ok to remove exception, false otherwise
469 static bool parent_allows_removal(struct dev_cgroup
*childcg
,
470 struct dev_exception_item
*ex
)
472 struct dev_cgroup
*parent
= css_to_devcgroup(childcg
->css
.parent
);
477 /* It's always allowed to remove access to devices */
478 if (childcg
->behavior
== DEVCG_DEFAULT_DENY
)
482 * Make sure you're not removing part or a whole exception existing in
485 return !match_exception_partial(&parent
->exceptions
, ex
->type
,
486 ex
->major
, ex
->minor
, ex
->access
);
490 * may_allow_all - checks if it's possible to change the behavior to
491 * allow based on parent's rules.
492 * @parent: device cgroup's parent
493 * returns: != 0 in case it's allowed, 0 otherwise
495 static inline int may_allow_all(struct dev_cgroup
*parent
)
499 return parent
->behavior
== DEVCG_DEFAULT_ALLOW
;
503 * revalidate_active_exceptions - walks through the active exception list and
504 * revalidates the exceptions based on parent's
505 * behavior and exceptions. The exceptions that
506 * are no longer valid will be removed.
507 * Called with devcgroup_mutex held.
508 * @devcg: cgroup which exceptions will be checked
510 * This is one of the three key functions for hierarchy implementation.
511 * This function is responsible for re-evaluating all the cgroup's active
512 * exceptions due to a parent's exception change.
513 * Refer to Documentation/cgroups/devices.txt for more details.
515 static void revalidate_active_exceptions(struct dev_cgroup
*devcg
)
517 struct dev_exception_item
*ex
;
518 struct list_head
*this, *tmp
;
520 list_for_each_safe(this, tmp
, &devcg
->exceptions
) {
521 ex
= container_of(this, struct dev_exception_item
, list
);
522 if (!parent_has_perm(devcg
, ex
))
523 dev_exception_rm(devcg
, ex
);
528 * propagate_exception - propagates a new exception to the children
529 * @devcg_root: device cgroup that added a new exception
530 * @ex: new exception to be propagated
532 * returns: 0 in case of success, != 0 in case of error
534 static int propagate_exception(struct dev_cgroup
*devcg_root
,
535 struct dev_exception_item
*ex
)
537 struct cgroup_subsys_state
*pos
;
542 css_for_each_descendant_pre(pos
, &devcg_root
->css
) {
543 struct dev_cgroup
*devcg
= css_to_devcgroup(pos
);
546 * Because devcgroup_mutex is held, no devcg will become
547 * online or offline during the tree walk (see on/offline
548 * methods), and online ones are safe to access outside RCU
549 * read lock without bumping refcnt.
551 if (pos
== &devcg_root
->css
|| !is_devcg_online(devcg
))
557 * in case both root's behavior and devcg is allow, a new
558 * restriction means adding to the exception list
560 if (devcg_root
->behavior
== DEVCG_DEFAULT_ALLOW
&&
561 devcg
->behavior
== DEVCG_DEFAULT_ALLOW
) {
562 rc
= dev_exception_add(devcg
, ex
);
567 * in the other possible cases:
568 * root's behavior: allow, devcg's: deny
569 * root's behavior: deny, devcg's: deny
570 * the exception will be removed
572 dev_exception_rm(devcg
, ex
);
574 revalidate_active_exceptions(devcg
);
584 * Modify the exception list using allow/deny rules.
585 * CAP_SYS_ADMIN is needed for this. It's at least separate from CAP_MKNOD
586 * so we can give a container CAP_MKNOD to let it create devices but not
587 * modify the exception list.
588 * It seems likely we'll want to add a CAP_CONTAINER capability to allow
589 * us to also grant CAP_SYS_ADMIN to containers without giving away the
590 * device exception list controls, but for now we'll stick with CAP_SYS_ADMIN
592 * Taking rules away is always allowed (given CAP_SYS_ADMIN). Granting
593 * new access is only allowed if you're in the top-level cgroup, or your
594 * parent cgroup has the access you're asking for.
596 static int devcgroup_update_access(struct dev_cgroup
*devcgroup
,
597 int filetype
, char *buffer
)
600 char temp
[12]; /* 11 + 1 characters needed for a u32 */
602 struct dev_exception_item ex
;
603 struct dev_cgroup
*parent
= css_to_devcgroup(devcgroup
->css
.parent
);
605 if (!capable(CAP_SYS_ADMIN
))
608 memset(&ex
, 0, sizeof(ex
));
615 if (css_has_online_children(&devcgroup
->css
))
618 if (!may_allow_all(parent
))
620 dev_exception_clean(devcgroup
);
621 devcgroup
->behavior
= DEVCG_DEFAULT_ALLOW
;
625 rc
= dev_exceptions_copy(&devcgroup
->exceptions
,
626 &parent
->exceptions
);
631 if (css_has_online_children(&devcgroup
->css
))
634 dev_exception_clean(devcgroup
);
635 devcgroup
->behavior
= DEVCG_DEFAULT_DENY
;
642 ex
.type
= DEVCG_DEV_BLOCK
;
645 ex
.type
= DEVCG_DEV_CHAR
;
657 } else if (isdigit(*b
)) {
658 memset(temp
, 0, sizeof(temp
));
659 for (count
= 0; count
< sizeof(temp
) - 1; count
++) {
665 rc
= kstrtou32(temp
, 10, &ex
.major
);
679 } else if (isdigit(*b
)) {
680 memset(temp
, 0, sizeof(temp
));
681 for (count
= 0; count
< sizeof(temp
) - 1; count
++) {
687 rc
= kstrtou32(temp
, 10, &ex
.minor
);
695 for (b
++, count
= 0; count
< 3; count
++, b
++) {
698 ex
.access
|= DEVCG_ACC_READ
;
701 ex
.access
|= DEVCG_ACC_WRITE
;
704 ex
.access
|= DEVCG_ACC_MKNOD
;
718 * If the default policy is to allow by default, try to remove
719 * an matching exception instead. And be silent about it: we
720 * don't want to break compatibility
722 if (devcgroup
->behavior
== DEVCG_DEFAULT_ALLOW
) {
723 /* Check if the parent allows removing it first */
724 if (!parent_allows_removal(devcgroup
, &ex
))
726 dev_exception_rm(devcgroup
, &ex
);
730 if (!parent_has_perm(devcgroup
, &ex
))
732 rc
= dev_exception_add(devcgroup
, &ex
);
736 * If the default policy is to deny by default, try to remove
737 * an matching exception instead. And be silent about it: we
738 * don't want to break compatibility
740 if (devcgroup
->behavior
== DEVCG_DEFAULT_DENY
)
741 dev_exception_rm(devcgroup
, &ex
);
743 rc
= dev_exception_add(devcgroup
, &ex
);
747 /* we only propagate new restrictions */
748 rc
= propagate_exception(devcgroup
, &ex
);
756 static ssize_t
devcgroup_access_write(struct kernfs_open_file
*of
,
757 char *buf
, size_t nbytes
, loff_t off
)
761 mutex_lock(&devcgroup_mutex
);
762 retval
= devcgroup_update_access(css_to_devcgroup(of_css(of
)),
763 of_cft(of
)->private, strstrip(buf
));
764 mutex_unlock(&devcgroup_mutex
);
765 return retval
?: nbytes
;
768 static struct cftype dev_cgroup_files
[] = {
771 .write
= devcgroup_access_write
,
772 .private = DEVCG_ALLOW
,
776 .write
= devcgroup_access_write
,
777 .private = DEVCG_DENY
,
781 .seq_show
= devcgroup_seq_show
,
782 .private = DEVCG_LIST
,
787 struct cgroup_subsys devices_cgrp_subsys
= {
788 .css_alloc
= devcgroup_css_alloc
,
789 .css_free
= devcgroup_css_free
,
790 .css_online
= devcgroup_online
,
791 .css_offline
= devcgroup_offline
,
792 .legacy_cftypes
= dev_cgroup_files
,
796 * __devcgroup_check_permission - checks if an inode operation is permitted
797 * @dev_cgroup: the dev cgroup to be tested against
799 * @major: device major number
800 * @minor: device minor number
801 * @access: combination of DEVCG_ACC_WRITE, DEVCG_ACC_READ and DEVCG_ACC_MKNOD
803 * returns 0 on success, -EPERM case the operation is not permitted
805 int __devcgroup_check_permission(short type
, u32 major
, u32 minor
,
808 struct dev_cgroup
*dev_cgroup
;
812 dev_cgroup
= task_devcgroup(current
);
813 if (dev_cgroup
->behavior
== DEVCG_DEFAULT_ALLOW
)
814 /* Can't match any of the exceptions, even partially */
815 rc
= !match_exception_partial(&dev_cgroup
->exceptions
,
816 type
, major
, minor
, access
);
818 /* Need to match completely one exception to be allowed */
819 rc
= match_exception(&dev_cgroup
->exceptions
, type
, major
,
828 EXPORT_SYMBOL_GPL(__devcgroup_check_permission
);