)]}' { "log": [ { "commit": "29486df325e1fe6e1764afcb19e3370804c2b002", "tree": "d69a96bb829940f3ae5171fde481edb20a9e468a", "parents": [ "28fd5dfc12bde391981dfdcf20755952b6e916af" ], "author": { "name": "Serge E. Hallyn", "email": "serue@us.ibm.com", "time": "Tue Apr 29 01:00:14 2008 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Apr 29 08:06:10 2008 -0700" }, "message": "cgroups: introduce cft-\u003eread_seq()\n\nIntroduce a read_seq() helper in cftype, which uses seq_file to print out\nlists. Use it in the devices cgroup. Also split devices.allow into two\nfiles, so now devices.deny and devices.allow are the ones to use to manipulate\nthe whitelist, while devices.list outputs the cgroup\u0027s current whitelist.\n\nSigned-off-by: Serge E. Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: Paul Menage \u003cmenage@google.com\u003e\nCc: Balbir Singh \u003cbalbir@in.ibm.com\u003e\nCc: KAMEZAWA Hiroyuki \u003ckamezawa.hiroyu@jp.fujitsu.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "08ce5f16ee466ffc5bf243800deeecd77d9eaf50", "tree": "8fb921137a677d463f11727dab7e683db426b810", "parents": [ "d447ea2f30ec60370ddb99a668e5ac12995f043d" ], "author": { "name": "Serge E. Hallyn", "email": "serue@us.ibm.com", "time": "Tue Apr 29 01:00:10 2008 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Apr 29 08:06:09 2008 -0700" }, "message": "cgroups: implement device whitelist\n\nImplement a cgroup to track and enforce open and mknod restrictions on device\nfiles. A device cgroup associates a device access whitelist with each cgroup.\n A whitelist entry has 4 fields. \u0027type\u0027 is a (all), c (char), or b (block).\n\u0027all\u0027 means it applies to all types and all major and minor numbers. Major\nand minor are either an integer or * for all. Access is a composition of r\n(read), w (write), and m (mknod).\n\nThe root device cgroup starts with rwm to \u0027all\u0027. A child devcg gets a copy of\nthe parent. Admins can then remove devices from the whitelist or add new\nentries. A child cgroup can never receive a device access which is denied its\nparent. However when a device access is removed from a parent it will not\nalso be removed from the child(ren).\n\nAn entry is added using devices.allow, and removed using\ndevices.deny. For instance\n\n\techo \u0027c 1:3 mr\u0027 \u003e /cgroups/1/devices.allow\n\nallows cgroup 1 to read and mknod the device usually known as\n/dev/null. Doing\n\n\techo a \u003e /cgroups/1/devices.deny\n\nwill remove the default \u0027a *:* mrw\u0027 entry.\n\nCAP_SYS_ADMIN is needed to change permissions or move another task to a new\ncgroup. A cgroup may not be granted more permissions than the cgroup\u0027s parent\nhas. Any task can move itself between cgroups. This won\u0027t be sufficient, but\nwe can decide the best way to adequately restrict movement later.\n\n[akpm@linux-foundation.org: coding-style fixes]\n[akpm@linux-foundation.org: fix may-be-used-uninitialized warning]\nSigned-off-by: Serge E. Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nLooks-good-to: Pavel Emelyanov \u003cxemul@openvz.org\u003e\nCc: Daniel Hokka Zakrisson \u003cdaniel@hozac.com\u003e\nCc: Li Zefan \u003clizf@cn.fujitsu.com\u003e\nCc: Paul Menage \u003cmenage@google.com\u003e\nCc: Balbir Singh \u003cbalbir@in.ibm.com\u003e\nCc: KAMEZAWA Hiroyuki \u003ckamezawa.hiroyu@jp.fujitsu.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" } ] }