Documentation/cgroups/devices

Chinese translated version of Documentation/cgroups/devices

If you have any comment or update to the content, please contact the
original document maintainer directly.  However, if you have a problem
communicating in English you can also ask the Chinese maintainer for
help.  Contact the Chinese maintainer if this translation is outdated
or if there is a problem with the translation.

Chinese maintainer: Hu Feijun <935620544@qq.com>
---------------------------------------------------------------------
Chinese translation of Documentation/cgroups/devices

If you have any comment or update to the content, please contact the
original document maintainer directly. If you have a problem communicating
in English you can also ask the Chinese maintainer for help. Contact the
Chinese maintainer if this translation is outdated or if there is a problem
with the translation.

Chinese maintainer: 胡飞军 Hu Feijun <935620544@qq.com>
Chinese translator: 胡飞军 Hu Feijun <935620544@qq.com>
Chinese proofreader: 胡飞军 Hu Feijun <935620544@qq.com>

The translated text follows
---------------------------------------------------------------------

 

Device Whitelist Controller

1. Description:

Implement a cgroup to track and enforce open and mknod restrictions
on device files.  A device cgroup associates a device access
whitelist with each cgroup.  A whitelist entry has 4 fields.
'type' is a (all), c (char), or b (block).  'all' means it applies
to all types and all major and minor numbers.  Major and minor are
either an integer or * for all.  Access is a composition of r
(read), w (write), and m (mknod).

A cgroup is used to track and enforce open and mknod restrictions on
device files. A device cgroup associates a device access whitelist with
each cgroup. Each whitelist entry has 4 fields. 'type' is a (all), c (char),
or b (block). 'all' means it applies to all types and all major and minor
numbers. Major and minor may each be an integer or * for all. Access is a
combination of r (read), w (write), and m (mknod).

The root device cgroup starts with rwm to 'all'.  A child device
cgroup gets a copy of the parent.  Administrators can then remove
devices from the whitelist or add new entries.  A child cgroup can
never receive a device access which is denied by its parent.

The root device cgroup starts with type 'all' and access rwm. A child
device cgroup is a copy of its parent. Administrators can then remove
devices from the device access whitelist or add new entries. A child
cgroup cannot obtain device access that its parent has denied.


2. User Interface

An entry is added using devices.allow, and removed using
devices.deny.  For instance

 echo 'c 1:3 mr' > /sys/fs/cgroup/1/devices.allow
 
allows cgroup 1 to read and mknod the device usually known as
/dev/null.  Doing

 echo a > /sys/fs/cgroup/1/devices.deny

will remove the default 'a *:* rwm' entry. Doing

 echo a > /sys/fs/cgroup/1/devices.allow

will add the 'a *:* rwm' entry to the whitelist.

2. User Interface

Entries are added with devices.allow and removed with devices.deny,
for example:

 echo 'c 1:3 mr' > /sys/fs/cgroup/1/devices.allow

This command lets cgroup 1 read and mknod the device usually known as
/dev/null.

The command echo a > /sys/fs/cgroup/1/devices.deny removes the default
'a *:* rwm' entry.

The command echo a > /sys/fs/cgroup/1/devices.allow adds the 'a *:* rwm'
entry to the whitelist.
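The entries in the examples above are written by hand; in practice they are derived from the device nodes a workload needs. The Python helpers below are an added example, not part of the kernel documentation or of the kernel: entry_from_stat, entry_for_node and apply_whitelist are names chosen here. They build an entry from a node's major and minor numbers and apply a whitelist in the order the text implies, dropping the default 'a *:* rwm' entry through devices.deny before adding entries through devices.allow, one entry per write as in the echo examples.

```python
import os
import stat

# Added example with assumed helper names (entry_from_stat, entry_for_node,
# apply_whitelist); not part of the kernel documentation or of the kernel.


def entry_from_stat(st_mode, st_rdev, access="rwm"):
    """Build a whitelist entry such as 'c 1:3 mr' from a device node's stat() fields."""
    if stat.S_ISCHR(st_mode):
        dtype = "c"
    elif stat.S_ISBLK(st_mode):
        dtype = "b"
    else:
        raise ValueError("not a character or block device node")
    if not access or not set(access) <= set("rwm"):
        raise ValueError(f"access must be a non-empty subset of 'rwm', got {access!r}")
    return f"{dtype} {os.major(st_rdev)}:{os.minor(st_rdev)} {access}"


def entry_for_node(path, access="rwm"):
    """Same, for a real node such as /dev/null; the numbers depend on the running system."""
    st = os.stat(path)
    return entry_from_stat(st.st_mode, st.st_rdev, access)


def apply_whitelist(cgroup_dir, entries):
    """Replace a cgroup's whitelist: first drop the default 'a *:* rwm' entry through
    devices.deny, then add the wanted entries through devices.allow, one entry per
    write as in the echo examples.  On a real system cgroup_dir is the cgroup's
    directory (e.g. /sys/fs/cgroup/1) and the writes need CAP_SYS_ADMIN."""
    with open(os.path.join(cgroup_dir, "devices.deny"), "w") as deny:
        deny.write("a\n")
    for entry in entries:
        with open(os.path.join(cgroup_dir, "devices.allow"), "w") as allow:
            allow.write(entry + "\n")
    return entries
```

Against a real cgroup directory such as /sys/fs/cgroup/1 from the example above the writes take effect in the kernel and require CAP_SYS_ADMIN; against a scratch directory containing empty devices.deny and devices.allow files they only record what was written, which is enough to check the order of operations.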

3. Security

Any task can move itself between cgroups.  This clearly won't
suffice, but we can decide the best way to adequately restrict
movement as people get some experience with this.  We may just want
to require CAP_SYS_ADMIN, which at least is a separate bit from
CAP_MKNOD.  We may want to just refuse moving to a cgroup which
isn't a descendant of the current one.  Or we may want to use
CAP_MAC_ADMIN, since we really are trying to lock down root.

CAP_SYS_ADMIN is needed to modify the whitelist or move another
task to a new cgroup.  (Again we'll probably want to change that).

A cgroup may not be granted more permissions than the cgroup's
parent has.

3. Security

Any task can move itself between cgroups. This is clearly not enough,
but once people have gained some experience we can choose the best way
to adequately restrict movement. Perhaps we just want to require
CAP_SYS_ADMIN, which at least is a separate bit from CAP_MKNOD. We may
simply refuse moves to a cgroup that is not a descendant of the current
one. Or we may want to use CAP_MAC_ADMIN, since we really are trying to
lock down root.

CAP_SYS_ADMIN is needed to update the whitelist or to move another task
into a new cgroup. (We will probably want to change that as well.)

A child cgroup may not be granted more permissions than its parent has.

4. Hierarchy

device cgroups maintain hierarchy by making sure a cgroup never has more
access permissions than its parent.  Every time an entry is written to
a cgroup's devices.deny file, all its children will have that entry removed
from their whitelist and all the locally set whitelist entries will be
re-evaluated.  In case one of the locally set whitelist entries would provide
more access than the cgroup's parent, it'll be removed from the whitelist.

4. Hierarchy

Device cgroups maintain their hierarchy by making sure a child cgroup can
never obtain more access permissions than its parent. When an entry is
written to a cgroup's devices.deny file, all of its child cgroups remove
that entry from their whitelist, and all locally set whitelist entries are
re-evaluated. If a locally set whitelist entry would grant more access
than the parent cgroup allows, it is removed from the whitelist.

Example:
      A
     / \
        B

    group        behavior exceptions
    A            allow  "b 8:* rwm", "c 116:1 rw"
    B            deny  "c 1:3 rwm", "c 116:2 rwm", "b 3:* rwm"

If a device is denied in group A:
 # echo "c 116:* r" > A/devices.deny
it'll propagate down and after revalidating B's entries, the whitelist entry
"c 116:2 rwm" will be removed:

    group        whitelist entries                        denied devices
    A            all                                      "b 8:* rwm", "c 116:* rw"
    B            "c 1:3 rwm", "b 3:* rwm"                 all the rest

In case parent's exceptions change and local exceptions are not allowed
anymore, they'll be deleted.

Example:
      A
     / \
        B

    group        behavior exceptions
    A            allow  "b 8:* rwm", "c 116:1 rw"
    B            deny  "c 1:3 rwm", "c 116:2 rwm", "b 3:* rwm"

If a device is denied in group A:
    # echo "c 116:* r" > A/devices.deny
it propagates down, and after B's entries are revalidated the whitelist
entry "c 116:2 rwm" is removed.

    group        whitelist entries                        denied devices
    A            all                                      "b 8:* rwm", "c 116:* rw"
    B            "c 1:3 rwm", "b 3:* rwm"                 all the rest

If the parent cgroup's exceptions change so that local exceptions are no
longer allowed, they are deleted.

Notice that new whitelist entries will not be propagated:
      A
     / \
        B

    group        whitelist entries                        denied devices
    A            "c 1:3 rwm", "c 1:5 r"                   all the rest
    B            "c 1:3 rwm", "c 1:5 r"                   all the rest

when adding "c *:3 rwm":
 # echo "c *:3 rwm" >A/devices.allow

the result:
    group        whitelist entries                        denied devices
    A            "c *:3 rwm", "c 1:5 r"                   all the rest
    B            "c 1:3 rwm", "c 1:5 r"                   all the rest

but now it'll be possible to add new entries to B:
 # echo "c 2:3 rwm" >B/devices.allow
 # echo "c 50:3 r" >B/devices.allow
or even
 # echo "c *:3 rwm" >B/devices.allow

Allowing or denying all by writing 'a' to devices.allow or devices.deny will
not be possible once the device cgroup has children.

Note that new whitelist entries are not propagated:
      A
     / \
        B

    group        whitelist entries                        denied devices
    A            "c 1:3 rwm", "c 1:5 r"                   all the rest
    B            "c 1:3 rwm", "c 1:5 r"                   all the rest

When adding the entry "c *:3 rwm":
    # echo "c *:3 rwm" >A/devices.allow

the result is:
    group        whitelist entries                        denied devices
    A            "c *:3 rwm", "c 1:5 r"                   all the rest
    B            "c 1:3 rwm", "c 1:5 r"                   all the rest

But now new entries can be added to B:
    # echo "c 2:3 rwm" >B/devices.allow
    # echo "c 50:3 r" >B/devices.allow
or even:
    # echo "c *:3 rwm" >B/devices.allow

Once a device cgroup has child cgroups, allowing or denying everything by
writing 'a' to devices.allow or devices.deny is not possible.

4.1 Hierarchy (internal implementation)

device cgroups is implemented internally using a behavior (ALLOW, DENY) and a
list of exceptions.  The internal state is controlled using the same user
interface to preserve compatibility with the previous whitelist-only
implementation.  Removal or addition of exceptions that will reduce the access
to devices will be propagated down the hierarchy.
For every propagated exception, the effective rules will be re-evaluated based
on current parent's access rules.

4.1 Hierarchy (internal implementation)

Internally, device cgroups are implemented using a behavior (ALLOW, DENY)
and a list of exceptions. The internal state is controlled through the
same user interface, to stay compatible with the earlier whitelist-only
cgroup. Removal or addition of exceptions that reduce access to devices
is propagated downwards. For every propagated exception, the effective
rules are re-evaluated against the existing access rules.
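The behaviour-plus-exceptions model of this section, the child-never-exceeds-parent rule of sections 3 and 4, and the deny propagation with re-evaluation of section 4 can be exercised without a kernel. The Python model below is an added example, not the kernel's implementation and not part of this document: DevCgroup, parse_entry, matches and the method names are this example's own, and it follows the rules as the text states them (a denial written to a parent is first removed from each child's whitelist, then every remaining local entry is re-checked against the parent). The root allows 'all', a child starts as a copy of its parent, allowing in allow mode or denying in deny mode simply drops an exception, and writing 'a' is refused once a cgroup has children.

```python
from copy import deepcopy

ALLOW, DENY = "allow", "deny"               # section 4.1 behaviours; added example, not kernel code


def parse_entry(text):
    """'c 1:3 rw' -> (('c', 1, 3), {'r', 'w'}); '*' becomes None; the 'a' form -> None."""
    parts = text.split()
    if parts[0] == "a":
        return None
    if len(parts) != 3 or parts[0] not in ("b", "c") or not set(parts[2]) <= set("rwm"):
        raise ValueError(f"EINVAL: bad entry {text!r}")
    major, minor = (None if v == "*" else int(v) for v in parts[1].split(":"))
    return (parts[0], major, minor), set(parts[2])


def matches(ex_dev, ex_acc, dev, access, partial):
    """partial=False: the entry (an allow) grants all of the requested access;
    partial=True: the entry (a deny) shares a device and an access bit with it."""
    wild = lambda a, b: a is None or (partial and b is None) or a == b
    if ex_dev[0] != dev[0] or not (wild(ex_dev[1], dev[1]) and wild(ex_dev[2], dev[2])):
        return False
    return bool(access & ex_acc) if partial else access <= ex_acc


class DevCgroup:
    def __init__(self, parent=None):
        self.parent, self.children = parent, []
        self.behavior = parent.behavior if parent else ALLOW             # root: rwm to 'all'
        self.exceptions = deepcopy(parent.exceptions) if parent else {}  # child = copy
        if parent:
            parent.children.append(self)

    def entries(self):
        """The exception list in entry form (denials in allow mode, allows in deny mode)."""
        return [f"{d[0]} {'*' if d[1] is None else d[1]}:{'*' if d[2] is None else d[2]} "
                + "".join(c for c in "rwm" if c in a) for d, a in self.exceptions.items()]

    def may_access(self, dtype, major, minor, access):
        """Would open()/mknod() of this device with this access be permitted?"""
        hit = any(matches(d, a, (dtype, major, minor), set(access), self.behavior == ALLOW)
                  for d, a in self.exceptions.items())
        return not hit if self.behavior == ALLOW else hit

    def allow(self, entry):                     # echo entry > devices.allow
        ex = parse_entry(entry)
        if ex is None:
            self._switch(ALLOW)
        elif self.behavior == ALLOW:            # in allow mode this just drops a denial
            self._rm(*ex)
        elif not self._parent_permits(*ex):
            raise PermissionError(f"EPERM: parent does not allow {entry!r}")
        else:
            self._add(*ex)

    def deny(self, entry):                      # echo entry > devices.deny
        ex = parse_entry(entry)
        if ex is None:
            return self._switch(DENY)
        if self.behavior == DENY:               # in deny mode this just drops an allow
            self._rm(*ex)
        else:
            self._add(*ex)
        self._propagate(*ex)                    # only reductions of access propagate

    def _switch(self, behavior):                # the 'a' form: reset behaviour and list
        if self.children:
            raise ValueError("EINVAL: 'a' is refused once the cgroup has children")
        if behavior == ALLOW and self.parent and self.parent.behavior != ALLOW:
            raise PermissionError("EPERM: parent denies by default")
        self.behavior = behavior
        self.exceptions = deepcopy(self.parent.exceptions) if behavior == ALLOW and self.parent else {}

    def _parent_permits(self, dev, access):     # a child never gains what its parent denies
        p = self.parent
        if p is None or self.behavior == ALLOW: # denials never need permission
            return True
        hits = [matches(d, a, dev, access, p.behavior == ALLOW) for d, a in p.exceptions.items()]
        return not any(hits) if p.behavior == ALLOW else any(hits)

    def _add(self, dev, access):                # merge access bits into a same-device entry
        self.exceptions.setdefault(dev, set()).update(access)

    def _rm(self, dev, access):                 # strip access bits; drop an emptied entry
        if dev in self.exceptions:
            self.exceptions[dev] -= access
            if not self.exceptions[dev]:
                del self.exceptions[dev]

    def _propagate(self, dev, access):          # section 4: push a denial down the tree
        for child in self.children:
            if child.behavior == ALLOW:
                child._add(dev, access)
            else:
                child._rm(dev, access)          # entry leaves the child's whitelist ...
            for d, a in list(child.exceptions.items()):   # ... and local entries are re-evaluated
                if not child._parent_permits(d, a):
                    child._rm(d, a)
            child._propagate(dev, access)
```

Replaying the first example of section 4 (A allows by default with denials "b 8:* rwm" and "c 116:1 rw", B denies by default with three local allows) and then writing "c 116:* r" to A leaves B.entries() as ["c 1:3 rwm", "b 3:* rwm"], as the table shows. In the second example, adding "c *:3 rwm" to the deny-by-default parent leaves the child's list unchanged but makes "c 2:3 rwm", "c 50:3 r" and "c *:3 rwm" acceptable in the child; the model merges rather than replaces, so the parent keeps "c 1:3 rwm" beside "c *:3 rwm", which grants the same access as the shorter list in the table. Narrowing a parent allow afterwards (denying "c *:3 w" in the parent) is a reduction, so it propagates and the child's "c 2:3 rwm" is dropped on re-evaluation.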


 
