<listitem>
<para>Control access to specific device nodes by the
executed processes. Takes two space-separated strings: a
- device node path (such as <filename>/dev/null</filename>)
- followed by a combination of <constant>r</constant>,
- <constant>w</constant>, <constant>m</constant> to control
+ device node specifier followed by a combination of
+ <constant>r</constant>, <constant>w</constant>,
+ <constant>m</constant> to control
<emphasis>r</emphasis>eading, <emphasis>w</emphasis>riting,
- or creation of the specific device node by the unit
+ or creation of the specific device node(s) by the unit
(<emphasis>m</emphasis>knod), respectively. This controls
the <literal>devices.allow</literal> and
<literal>devices.deny</literal> control group
- attributes. For details about these control group attributes,
- see <ulink
+ attributes. For details about these control group
url="https://www.kernel.org/doc/Documentation/cgroups/devices.txt">devices.txt</ulink>.</para>
+
+ <para>The device node specifier is either a path to a device
+ node in the file system, starting with
+ <filename>/dev/</filename>, or a string starting with either
+ <literal>char-</literal> or <literal>block-</literal>
+ followed by a device group name, as listed in
+ <filename>/proc/devices</filename>. The latter is useful to
+ whitelist all current and future devices belonging to a
+ specific device group at once. Examples:
+ <filename>/dev/sda5</filename> is a path to a device node,
+ referring to an ATA or SCSI block
+ device. <literal>char-pts</literal> and
+ <literal>char-alsa</literal> are specifiers for all pseudo
+ TTYs and all ALSA sound devices, respectively.</para>
</listitem>
</varlistentry>
return r;
}
+static int whitelist_major(const char *path, const char *name, char type, const char *acc) {
+ _cleanup_fclose_ FILE *f = NULL;
+ char line[LINE_MAX];
+ bool good = false;
+ int r;
+
+ assert(path);
+ assert(acc);
+ assert(type == 'b' || type == 'c');
+
+ f = fopen("/proc/devices", "re");
+ if (!f) {
+ log_warning("Cannot open /proc/devices to resolve %s (%c): %m", name, type);
+ return -errno;
+ }
+
+ FOREACH_LINE(line, f, goto fail) {
+ char buf[2+DECIMAL_STR_MAX(unsigned)+3+4], *p, *w;
+ unsigned maj;
+
+ truncate_nl(line);
+
+ if (type == 'c' && streq(line, "Character devices:")) {
+ good = true;
+ continue;
+ }
+
+ if (type == 'b' && streq(line, "Block devices:")) {
+ good = true;
+ continue;
+ }
+
+ if (isempty(line)) {
+ good = false;
+ continue;
+ }
+
+ if (!good)
+ continue;
+
+ p = strstrip(line);
+
+ w = strpbrk(p, WHITESPACE);
+ if (!w)
+ continue;
+ *w = 0;
+
+ r = safe_atou(p, &maj);
+ if (r < 0)
+ continue;
+ if (maj <= 0)
+ continue;
+
+ w++;
+ w += strspn(w, WHITESPACE);
+ if (!streq(w, name))
+ continue;
+
+ sprintf(buf,
+ "%c %u:* %s",
+ type,
+ maj,
+ acc);
+
+ r = cg_set_attribute("devices", path, "devices.allow", buf);
+ if (r < 0)
+ log_warning("Failed to set devices.allow on %s: %s", path, strerror(-r));
+ }
+
+ return 0;
+
+fail:
+ log_warning("Failed to read /proc/devices: %m");
+ return -errno;
+}
+
void cgroup_context_apply(CGroupContext *c, CGroupControllerMask mask, const char *path) {
int r;
continue;
acc[k++] = 0;
- whitelist_device(path, a->path, acc);
+
+ if (startswith(a->path, "/dev/"))
+ whitelist_device(path, a->path, acc);
+ else if (startswith(a->path, "block-"))
+ whitelist_major(path, a->path + 6, 'b', acc);
+ else if (startswith(a->path, "char-"))
+ whitelist_major(path, a->path + 5, 'c', acc);
+ else
+ log_debug("Ignoring device %s while writing cgroup attribute.", a->path);
}
}
}
while ((r = sd_bus_message_read(message, "(ss)", &path, &rwm)) > 0) {
- if (!path_startswith(path, "/dev"))
- return sd_bus_error_set_errnof(error, EINVAL, "DeviceAllow= requires device node");
+ if ((!startswith(path, "/dev/") &&
+ !startswith(path, "block-") &&
+ !startswith(path, "char-")) ||
+ strpbrk(path, WHITESPACE))
+ return sd_bus_error_set_errnof(error, EINVAL, "DeviceAllow= requires device node");
if (isempty(rwm))
rwm = "rwm";
if (!path)
return log_oom();
- if (!path_startswith(path, "/dev")) {
- log_syntax(unit, LOG_ERR, filename, line, EINVAL,
- "Invalid device node path '%s'. Ignoring.", path);
+ if (!startswith(path, "/dev/") &&
+ !startswith(path, "block-") &&
+ !startswith(path, "char-")) {
+ log_syntax(unit, LOG_ERR, filename, line, EINVAL, "Invalid device node path '%s'. Ignoring.", path);
return 0;
}
m = "rwm";
if (!in_charset(m, "rwm")) {
- log_syntax(unit, LOG_ERR, filename, line, EINVAL,
- "Invalid device rights '%s'. Ignoring.", m);
+ log_syntax(unit, LOG_ERR, filename, line, EINVAL, "Invalid device rights '%s'. Ignoring.", m);
return 0;
}
~ianmdlvl / elogind.git / commitdiff