git.ipfire.org Git - thirdparty/systemd.git/commit

author	Lennart Poettering <lennart@poettering.net>
	Fri, 29 Jun 2018 10:09:29 +0000 (12:09 +0200)
committer	Lennart Poettering <lennart@poettering.net>
	Thu, 29 Nov 2018 19:21:39 +0000 (20:21 +0100)
commit	8e8b5d2e6d91180a57844b09cdbdcbc1fa466bfa
tree	d0b8e778e41a7f7f57b176b8be185a6e71e224df	tree \| snapshot
parent	74c48bf5a8005f20dc4ef7b7d05b96572d880b25	commit \| diff

cgroups: beef up DeviceAllow= syntax a bit

Previously we'd allow pattern expressions such as "char-input" to match
all input devices. Internally, this would look up the right major to
test in /proc/devices. With this commit the syntax is slightly extended:

- "char-*" can be used to match any kind of character device, and
  similar "block-*. This expression would work previously already, but
  instead of actually installing a wildcard match it would install many
  individual matches for everything listed in /proc/devices.

- "char-<MAJOR>" with "<MAJOR>" being a numerical parameter works now
  too. This allows clients to install whitelist items by specifying the
  major directly.

The main reason to add these is to provide limited compat support for
clients that for some reason contain whitelists with major/minor numbers
(such as OCI containers).

src/core/bpf-devices.c		diff \| blob \| blame \| history
src/core/bpf-devices.h		diff \| blob \| blame \| history
src/core/cgroup.c		diff \| blob \| blame \| history