Originally posted by Djhg2000
View Post
Originally posted by Djhg2000
View Post
Originally posted by Djhg2000
View Post
Originally posted by Djhg2000
View Post
Originally posted by Djhg2000
View Post
The blotter is the expensive version. The cheaper version is write in wax then basically scribble over with your normal quill . This also leads to numbers being written strikethrough being either negative or incorrect. Reason why you need to initial anything your crossed out as wrong in accountancy. Early computer accountancy programs also used either inverted font or strike-though for negative that is just a continuation from 1400 to fairly modern day(yes inside 30 years of current day). .
Originally posted by Djhg2000
View Post
Lets start with when it was kind of right to use "use for device whitelisting".
Code:
[B]Device Whitelist Controller[/B] [B]1. Description[/B] Implement a cgroup to track and enforce open and mknod restrictions on device files. A device cgroup associates a device access whitelist with each cgroup. A whitelist entry has 4 fields. ‘type’ is a (all), c (char), or b (block). ‘all’ means it applies to all types and all major and minor numbers. Major and minor are either an integer or * for all. Access is a composition of r (read), w (write), and m (mknod). The root device cgroup starts with rwm to ‘all’. A child device cgroup gets a copy of the parent. Administrators can then remove devices from the whitelist or add new entries. A child cgroup can never receive a device access which is denied by its parent. [B]2. User Interface[/B] An entry is added using devices.allow, and removed using devices.deny. For instance: echo 'c 1:3 mr' > /sys/fs/cgroup/1/devices.allow allows cgroup 1 to read and mknod the device usually known as /dev/null. Doing: echo a > /sys/fs/cgroup/1/devices.deny will remove the default ‘a [I]:[/I] rwm’ entry. Doing: echo a > /sys/fs/cgroup/1/devices.allow will add the ‘a [I]:[/I] rwm’ entry to the whitelist.
Code:
A child cgroup can never receive a device access which is denied by its parent.
Now lets look at the cgroup v2 where we now find something different that means "use for device access control" is correct and "use for device whitelisting" is now wrong and the weakness has now been corrected.
Code:
[B]Device controller[/B] Device controller manages access to device files. It includes both creation of new device files (using mknod), and access to the existing device files. Cgroup v2 device controller has no interface files and is implemented on top of cgroup BPF. To control access to device files, a user may create bpf programs of the BPF_CGROUP_DEVICE type and attach them to cgroups. On an attempt to access a device file, corresponding BPF programs will be executed, and depending on the return value the attempt will succeed or fail with -EPERM. A BPF_CGROUP_DEVICE program takes a pointer to the bpf_cgroup_dev_ctx structure, which describes the device access attempt: access type (mknod/read/write) and device (type, major and minor numbers). If the program returns 0, the attempt fails with -EPERM, otherwise it succeeds. An example of BPF_CGROUP_DEVICE program may be found in the kernel source tree in the tools/testing/selftests/bpf/dev_cgroup.c file.
So yes if you only support cgroup v1 using the "'devices' - use for device whitelisting" is kind of right. But once you start supporting cgroup v2 it is "device access control" since now you can have fully functional allow/deny/filter lists that you create by converting what ever information there into a BPF program.
So you have just found example of where whitelist as a term was right in past and due to Linux kernel changes expanding features is now completely wrong. Device filtering in cgroups v2 is no longer limited to whitelist methods. The BPF method also means something can change from allowed to deny to filter on the fly as well.
So not all the cases of removal of blacklist or whitelist from Linux kernel and supporting programs has anything todo with political correctness sometimes it simply that the feature has expand that those terms don't work at all any more and that is exactly what you just pointed to. Libvirt with qemu talking about cgroup controller around qemu the term whitelist does not fit any more because they are upgrading to support cgroupv2 where things are different.
Comment