From bb837ae8a3380aeac126eac70c4b63a8d61d0480 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michal=20Koutn=C3=BD?= Date: Wed, 12 Jul 2023 20:15:02 +0200 Subject: [PATCH] config-linux: Deprecate device access denial MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Separate allow/deny lists are specific to device controller existing only in cgroup v1. Current semantics for devices that don't match neither allow nor deny is confusing. cgroup v2 implements access control on the default hierarchy with BPF hooks. Follow the approach of systemd (refer to systemd.resource(5)) with DevicePolicy=strict, i.e. consider all devices denied by default and add only entries for devices that should be allowed. This will simplify the job for runtimes that use systemd for container cgroup configuration. For starters, mention that "allow" entries that don't stick to the this approach are deprecated. Next step would be removal of the "allow" attribute and implicit denial on all devices. Signed-off-by: Michal Koutný --- config-linux.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/config-linux.md b/config-linux.md index f0261415e..cf6218266 100644 --- a/config-linux.md +++ b/config-linux.md @@ -304,7 +304,8 @@ The runtime MUST apply entries in the listed order. Each entry has the following structure: -* **`allow`** *(boolean, REQUIRED)* - whether the entry is allowed or denied. +* **`allow`** *(boolean, OPTIONAL, **DEPRECATED**)* - whether the entry is allowed or denied. + Value of `false` is deprecated if `major,minor` is specified. Missing entry is interpretted as `true` -- relying on default denial for all devices. * **`type`** *(string, OPTIONAL)* - type of device: `a` (all), `c` (char), or `b` (block). Unset values mean "all", mapping to `a`. * **`major, minor`** *(int64, OPTIONAL)* - [major, minor numbers][devices] for the device.