7

Environment:

Steps to reproduce:

  1. Create a devices new policy
cd /sys/fs/cgroup/devices
mkdir custom_poc
  1. Verify which device is being used as tty (multiple methods):

  • Using tty:

    root@centos8# tty
/dev/pts/0

  • Getting the process STDIN:

    ls -l /proc/$$/fd/{0,1,2}
lrwx------. 1 root root 64 Mar  5 11:25 /proc/2446/fd/0 -> /dev/pts/0
lrwx------. 1 root root 64 Mar  5 11:25 /proc/2446/fd/1 -> /dev/pts/0
lrwx------. 1 root root 64 Mar  5 11:25 /proc/2446/fd/2 -> /dev/pts/0
  1. Add tty device to devices.deny:

  • Check device major and minor numbers:

    ls -l /dev/pts/0
crw--w----. 1 vagrant tty 136, 0 Mar  5 11:28 /dev/pts/0

  • Deny access:

    root@centos8# echo 'c 136:0 w' > /sys/fs/cgroup/devices/custom_poc/devices.deny
root@centos8# echo $$ > tasks
root@centos8# echo 'a' > /dev/pts/0
-bash: /dev/pts/0: Operation not permitted

  • However, my Bash terminal works just fine even after removing access to STDIN device. Here is the output of a simple whoami:

    root@centos8# whoami
root
Improve this question

1 Answer 1

Reset to default
15

From the kernel doc:

Implement a cgroup to track and enforce open and mknod restrictions on device files.

The restrictions are only applied upon opening device files. That's the same as for most other access control permissions such as the standard Unix permissions.

Once you have opened a file in read+write mode, you can read and write from it. Access control are not applied upon each read() and write(), that would add too much overhead, and that would likely cause very surprising behaviours in applications. It would be difficult to enforce as well when a file is mmapped() in memory for instance.

In your case, the /dev/pts/0 was opened (likely by one of its parent, maybe a terminal emulator, maybe getty, maybe sshd..., and the shell inherited the file descriptor) before you applied the restriction.

Similarly, upon forking a process to execute whoami, the child inherits the fds and those fds are preserved upon executing whoami and whoami just does a write(1, "root\n", 5) without ever opening the device file.

In echo a > /dev/pts/0 however, the shell does try to open the file to perform that redirection and is being prevented from doing so at that point.

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.