[systemd-devel] deny access to GPU devices

Lennart Poettering lennart at poettering.net
Mon Nov 14 11:35:17 UTC 2016


On Sat, 12.11.16 07:43, Topi Miettinen (toiwoton at gmail.com) wrote:

> On 11/11/16 20:09, Lennart Poettering wrote:
> > I have no idea what "slurm" is, but do note that the "devices" cgroup
> > controller has no future, it is unlikely to ever become available in
> > cgroupsv2.
> 
> This is unwelcome news, I think it is a simple and well contained MAC
> that has been available in systems without a full blown MAC like SELinux
> and with systemd support it has been very easy to set up. What will
> happen to DevicePolicy, DeviceAllow etc. directives? Or will systemd
> stick to cgroupsv1 forever?

No, our plan is to switch to cgroupsv2 as default as quickly as we
can. Where "quickly as we can" means mostly: the "cpu" controller is
ported to cgroupsv2 in vanilla kernels.

The thing with the "devices" cgroup controller is that it is not about
resource control, but about access control, and hence should not live
in "cgroups" at all, but in some other framework.  "cgroups" is all
about dynamic resource control and accounting, but "devices" doesn't
fit that at all, hence it should move elsewhere.

We'll keep DeviceAllow/DevicePolicy around for now, and there's a TODO
list item to implement at least the "m" part of it via seccomp, as a
second level of protection that will still work even if cgroupsv2 is
used. I think in the long run it might make sense to also do the "rw"
part of it somehow in the kernel, via some new kernel subsystem, but
we'll have to see if and how this will be implemented.

I think primarily we are just spectators of all of this. The kernel
folks need to figure out what they want this to look like in the long
run. Consider inquiring Tejun about all of this. If the kernel folks
agree on something we can adopt it quickly in systemd.

> > Device access to local users is normally managed through ACLs on the
> > device node, via udev/logind's "uaccess" logic. Using the "devices"
> > cgroup controller for this appears pretty misguided...
> 
> ACLs only limit access via the path that they are controlling, device
> cgroup controlled the whole system. And if you have a MAC system that
> can do that, it could perform the same task as ACLs but in a much better
> way.
> 
> With cgroup you could also deny access to nodes that need to be
> available for interactive users (like TTYs, audio, input devices, GPUs,
> USB devices), but which are not useful for system services. Perhaps some
> sort of ACL could be constructed with the same effect.

Hmm? udev has been doing precisely this for ages now.

Lennart

-- 
Lennart Poettering, Red Hat
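As an added illustration of the DevicePolicy/DeviceAllow directives and the seccomp-based "m" (mknod) protection discussed in the thread (this is an editor's example, not a unit shipped by systemd or posted by either participant), the drop-in below hardens a hypothetical system service so that it cannot reach GPU, input, audio or TTY nodes even if the "devices" cgroup controller is unavailable. The service name `example-daemon.service`, the device paths under `/dev/dri` and the `/var/lib/example` path are assumptions for the sake of the example.

```ini
# /etc/systemd/system/example-daemon.service.d/10-no-gpu.conf  (hypothetical unit)
[Service]
# Device cgroup layer (cgroupsv1 "devices" controller, or its BPF-based
# successor on cgroupsv2 in later systemd versions): start from a closed
# policy that only exposes the standard pseudo devices (/dev/null, /dev/zero,
# /dev/full, /dev/random, /dev/urandom, /dev/tty, /dev/pts/*), then grant
# exactly what the service needs. Access strings are r (read), w (write),
# m (mknod); no DeviceAllow line for /dev/dri, /dev/snd, /dev/input or
# /dev/ttyS* means those stay denied.
DevicePolicy=closed
DeviceAllow=/dev/null rw
DeviceAllow=/dev/urandom r

# Mount-namespace layer: give the service a private /dev containing only the
# API pseudo devices, so the real /dev/dri/card0 and friends are not even
# visible to it, independent of any cgroup controller.
PrivateDevices=yes

# seccomp layer: the "m" part of DeviceAllow done in userspace, as the thread
# proposes. Blacklisting mknod/mknodat prevents the service from recreating a
# GPU device node inside its own namespace; the '~' negates the list.
SystemCallFilter=~mknod mknodat
SystemCallErrorNumber=EPERM

# Reduce the blast radius if the service is compromised anyway.
NoNewPrivileges=yes
ProtectSystem=strict
ReadWritePaths=/var/lib/example
```

After `systemctl daemon-reload`, `systemctl show -p DevicePolicy -p DeviceAllow -p PrivateDevices example-daemon.service` confirms the effective settings, and attempting to open `/dev/dri/card0` from inside the unit (for instance with `systemd-run -P --property=DevicePolicy=closed --property=PrivateDevices=yes cat /dev/dri/card0`) fails with ENOENT or EPERM. The three layers are deliberately redundant: PrivateDevices hides the nodes, DevicePolicy denies them if they become visible, and the seccomp filter stops the service from minting new nodes, which is the case the thread identifies as the minimum to preserve when the "devices" controller goes away.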

