diff options
| author | Roman Gushchin <guro@fb.com> | 2017-11-05 08:15:31 -0500 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2017-11-05 09:26:51 -0500 |
| commit | ecf8fecb7828648cba0e42de7464a7e600c93459 (patch) | |
| tree | f807782b4060641e926e7d600369d7dd0f058e2a /security/device_cgroup.c | |
| parent | 67e306fdbed71ab0a6e0d5985e088a49061c523f (diff) | |
device_cgroup: prepare code for bpf-based device controller
This is non-functional change to prepare the device cgroup code
for adding eBPF-based controller for cgroups v2.
The patch performs the following changes:
1) __devcgroup_inode_permission() and devcgroup_inode_mknod()
are moving to the device-cgroup.h and converting into static inline.
2) __devcgroup_check_permission() is exported.
3) devcgroup_check_permission() wrapper is introduced to be used
by both existing and new bpf-based implementations.
Signed-off-by: Roman Gushchin <guro@fb.com>
Acked-by: Tejun Heo <tj@kernel.org>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'security/device_cgroup.c')
| -rw-r--r-- | security/device_cgroup.c | 47 |
1 files changed, 2 insertions, 45 deletions
diff --git a/security/device_cgroup.c b/security/device_cgroup.c index 968c21557ba7..c65b39bafdfe 100644 --- a/security/device_cgroup.c +++ b/security/device_cgroup.c | |||
| @@ -15,15 +15,6 @@ | |||
| 15 | #include <linux/rcupdate.h> | 15 | #include <linux/rcupdate.h> |
| 16 | #include <linux/mutex.h> | 16 | #include <linux/mutex.h> |
| 17 | 17 | ||
| 18 | #define DEVCG_ACC_MKNOD 1 | ||
| 19 | #define DEVCG_ACC_READ 2 | ||
| 20 | #define DEVCG_ACC_WRITE 4 | ||
| 21 | #define DEVCG_ACC_MASK (DEVCG_ACC_MKNOD | DEVCG_ACC_READ | DEVCG_ACC_WRITE) | ||
| 22 | |||
| 23 | #define DEVCG_DEV_BLOCK 1 | ||
| 24 | #define DEVCG_DEV_CHAR 2 | ||
| 25 | #define DEVCG_DEV_ALL 4 /* this represents all devices */ | ||
| 26 | |||
| 27 | static DEFINE_MUTEX(devcgroup_mutex); | 18 | static DEFINE_MUTEX(devcgroup_mutex); |
| 28 | 19 | ||
| 29 | enum devcg_behavior { | 20 | enum devcg_behavior { |
| @@ -810,8 +801,8 @@ struct cgroup_subsys devices_cgrp_subsys = { | |||
| 810 | * | 801 | * |
| 811 | * returns 0 on success, -EPERM case the operation is not permitted | 802 | * returns 0 on success, -EPERM case the operation is not permitted |
| 812 | */ | 803 | */ |
| 813 | static int __devcgroup_check_permission(short type, u32 major, u32 minor, | 804 | int __devcgroup_check_permission(short type, u32 major, u32 minor, |
| 814 | short access) | 805 | short access) |
| 815 | { | 806 | { |
| 816 | struct dev_cgroup *dev_cgroup; | 807 | struct dev_cgroup *dev_cgroup; |
| 817 | bool rc; | 808 | bool rc; |
| @@ -833,37 +824,3 @@ static int __devcgroup_check_permission(short type, u32 major, u32 minor, | |||
| 833 | 824 | ||
| 834 | return 0; | 825 | return 0; |
| 835 | } | 826 | } |
| 836 | |||
| 837 | int __devcgroup_inode_permission(struct inode *inode, int mask) | ||
| 838 | { | ||
| 839 | short type, access = 0; | ||
| 840 | |||
| 841 | if (S_ISBLK(inode->i_mode)) | ||
| 842 | type = DEVCG_DEV_BLOCK; | ||
| 843 | if (S_ISCHR(inode->i_mode)) | ||
| 844 | type = DEVCG_DEV_CHAR; | ||
| 845 | if (mask & MAY_WRITE) | ||
| 846 | access |= DEVCG_ACC_WRITE; | ||
| 847 | if (mask & MAY_READ) | ||
| 848 | access |= DEVCG_ACC_READ; | ||
| 849 | |||
| 850 | return __devcgroup_check_permission(type, imajor(inode), iminor(inode), | ||
| 851 | access); | ||
| 852 | } | ||
| 853 | |||
| 854 | int devcgroup_inode_mknod(int mode, dev_t dev) | ||
| 855 | { | ||
| 856 | short type; | ||
| 857 | |||
| 858 | if (!S_ISBLK(mode) && !S_ISCHR(mode)) | ||
| 859 | return 0; | ||
| 860 | |||
| 861 | if (S_ISBLK(mode)) | ||
| 862 | type = DEVCG_DEV_BLOCK; | ||
| 863 | else | ||
| 864 | type = DEVCG_DEV_CHAR; | ||
| 865 | |||
| 866 | return __devcgroup_check_permission(type, MAJOR(dev), MINOR(dev), | ||
| 867 | DEVCG_ACC_MKNOD); | ||
| 868 | |||
| 869 | } | ||