aboutsummaryrefslogtreecommitdiffstats
path: root/security/device_cgroup.c
diff options
context:
space:
mode:
authorAristeu Rozanski <aris@redhat.com>2012-10-04 20:15:20 -0400
committerLinus Torvalds <torvalds@linux-foundation.org>2012-10-05 14:05:14 -0400
commitdb9aeca97a58563e1ab927d157c9b5048f233e73 (patch)
tree6569621429efe0e6cc0529b78c50939913f0bd35 /security/device_cgroup.c
parentad676077a2ae4af4bb6627486ce19ccce04f1efe (diff)
device_cgroup: rename whitelist to exception list
This patch replaces the "whitelist" usage in the code and comments and replace them by exception list related information. Signed-off-by: Aristeu Rozanski <aris@redhat.com> Cc: Tejun Heo <tj@kernel.org> Cc: Li Zefan <lizefan@huawei.com> Cc: James Morris <jmorris@namei.org> Cc: Pavel Emelyanov <xemul@openvz.org> Acked-by: Serge E. Hallyn <serge.hallyn@canonical.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'security/device_cgroup.c')
-rw-r--r--security/device_cgroup.c198
1 files changed, 99 insertions, 99 deletions
diff --git a/security/device_cgroup.c b/security/device_cgroup.c
index 91cf803c3431..44dfc415a379 100644
--- a/security/device_cgroup.c
+++ b/security/device_cgroup.c
@@ -26,12 +26,12 @@
26static DEFINE_MUTEX(devcgroup_mutex); 26static DEFINE_MUTEX(devcgroup_mutex);
27 27
28/* 28/*
29 * whitelist locking rules: 29 * exception list locking rules:
30 * hold devcgroup_mutex for update/read. 30 * hold devcgroup_mutex for update/read.
31 * hold rcu_read_lock() for read. 31 * hold rcu_read_lock() for read.
32 */ 32 */
33 33
34struct dev_whitelist_item { 34struct dev_exception_item {
35 u32 major, minor; 35 u32 major, minor;
36 short type; 36 short type;
37 short access; 37 short access;
@@ -41,7 +41,7 @@ struct dev_whitelist_item {
41 41
42struct dev_cgroup { 42struct dev_cgroup {
43 struct cgroup_subsys_state css; 43 struct cgroup_subsys_state css;
44 struct list_head whitelist; 44 struct list_head exceptions;
45 bool deny_all; 45 bool deny_all;
46}; 46};
47 47
@@ -75,12 +75,12 @@ static int devcgroup_can_attach(struct cgroup *new_cgrp,
75/* 75/*
76 * called under devcgroup_mutex 76 * called under devcgroup_mutex
77 */ 77 */
78static int dev_whitelist_copy(struct list_head *dest, struct list_head *orig) 78static int dev_exceptions_copy(struct list_head *dest, struct list_head *orig)
79{ 79{
80 struct dev_whitelist_item *wh, *tmp, *new; 80 struct dev_exception_item *ex, *tmp, *new;
81 81
82 list_for_each_entry(wh, orig, list) { 82 list_for_each_entry(ex, orig, list) {
83 new = kmemdup(wh, sizeof(*wh), GFP_KERNEL); 83 new = kmemdup(ex, sizeof(*ex), GFP_KERNEL);
84 if (!new) 84 if (!new)
85 goto free_and_exit; 85 goto free_and_exit;
86 list_add_tail(&new->list, dest); 86 list_add_tail(&new->list, dest);
@@ -89,9 +89,9 @@ static int dev_whitelist_copy(struct list_head *dest, struct list_head *orig)
89 return 0; 89 return 0;
90 90
91free_and_exit: 91free_and_exit:
92 list_for_each_entry_safe(wh, tmp, dest, list) { 92 list_for_each_entry_safe(ex, tmp, dest, list) {
93 list_del(&wh->list); 93 list_del(&ex->list);
94 kfree(wh); 94 kfree(ex);
95 } 95 }
96 return -ENOMEM; 96 return -ENOMEM;
97} 97}
@@ -99,50 +99,50 @@ free_and_exit:
99/* 99/*
100 * called under devcgroup_mutex 100 * called under devcgroup_mutex
101 */ 101 */
102static int dev_whitelist_add(struct dev_cgroup *dev_cgroup, 102static int dev_exception_add(struct dev_cgroup *dev_cgroup,
103 struct dev_whitelist_item *wh) 103 struct dev_exception_item *ex)
104{ 104{
105 struct dev_whitelist_item *whcopy, *walk; 105 struct dev_exception_item *excopy, *walk;
106 106
107 whcopy = kmemdup(wh, sizeof(*wh), GFP_KERNEL); 107 excopy = kmemdup(ex, sizeof(*ex), GFP_KERNEL);
108 if (!whcopy) 108 if (!excopy)
109 return -ENOMEM; 109 return -ENOMEM;
110 110
111 list_for_each_entry(walk, &dev_cgroup->whitelist, list) { 111 list_for_each_entry(walk, &dev_cgroup->exceptions, list) {
112 if (walk->type != wh->type) 112 if (walk->type != ex->type)
113 continue; 113 continue;
114 if (walk->major != wh->major) 114 if (walk->major != ex->major)
115 continue; 115 continue;
116 if (walk->minor != wh->minor) 116 if (walk->minor != ex->minor)
117 continue; 117 continue;
118 118
119 walk->access |= wh->access; 119 walk->access |= ex->access;
120 kfree(whcopy); 120 kfree(excopy);
121 whcopy = NULL; 121 excopy = NULL;
122 } 122 }
123 123
124 if (whcopy != NULL) 124 if (excopy != NULL)
125 list_add_tail_rcu(&whcopy->list, &dev_cgroup->whitelist); 125 list_add_tail_rcu(&excopy->list, &dev_cgroup->exceptions);
126 return 0; 126 return 0;
127} 127}
128 128
129/* 129/*
130 * called under devcgroup_mutex 130 * called under devcgroup_mutex
131 */ 131 */
132static void dev_whitelist_rm(struct dev_cgroup *dev_cgroup, 132static void dev_exception_rm(struct dev_cgroup *dev_cgroup,
133 struct dev_whitelist_item *wh) 133 struct dev_exception_item *ex)
134{ 134{
135 struct dev_whitelist_item *walk, *tmp; 135 struct dev_exception_item *walk, *tmp;
136 136
137 list_for_each_entry_safe(walk, tmp, &dev_cgroup->whitelist, list) { 137 list_for_each_entry_safe(walk, tmp, &dev_cgroup->exceptions, list) {
138 if (walk->type != wh->type) 138 if (walk->type != ex->type)
139 continue; 139 continue;
140 if (walk->major != wh->major) 140 if (walk->major != ex->major)
141 continue; 141 continue;
142 if (walk->minor != wh->minor) 142 if (walk->minor != ex->minor)
143 continue; 143 continue;
144 144
145 walk->access &= ~wh->access; 145 walk->access &= ~ex->access;
146 if (!walk->access) { 146 if (!walk->access) {
147 list_del_rcu(&walk->list); 147 list_del_rcu(&walk->list);
148 kfree_rcu(walk, rcu); 148 kfree_rcu(walk, rcu);
@@ -151,18 +151,18 @@ static void dev_whitelist_rm(struct dev_cgroup *dev_cgroup,
151} 151}
152 152
153/** 153/**
154 * dev_whitelist_clean - frees all entries of the whitelist 154 * dev_exception_clean - frees all entries of the exception list
155 * @dev_cgroup: dev_cgroup with the whitelist to be cleaned 155 * @dev_cgroup: dev_cgroup with the exception list to be cleaned
156 * 156 *
157 * called under devcgroup_mutex 157 * called under devcgroup_mutex
158 */ 158 */
159static void dev_whitelist_clean(struct dev_cgroup *dev_cgroup) 159static void dev_exception_clean(struct dev_cgroup *dev_cgroup)
160{ 160{
161 struct dev_whitelist_item *wh, *tmp; 161 struct dev_exception_item *ex, *tmp;
162 162
163 list_for_each_entry_safe(wh, tmp, &dev_cgroup->whitelist, list) { 163 list_for_each_entry_safe(ex, tmp, &dev_cgroup->exceptions, list) {
164 list_del(&wh->list); 164 list_del(&ex->list);
165 kfree(wh); 165 kfree(ex);
166 } 166 }
167} 167}
168 168
@@ -178,7 +178,7 @@ static struct cgroup_subsys_state *devcgroup_create(struct cgroup *cgroup)
178 dev_cgroup = kzalloc(sizeof(*dev_cgroup), GFP_KERNEL); 178 dev_cgroup = kzalloc(sizeof(*dev_cgroup), GFP_KERNEL);
179 if (!dev_cgroup) 179 if (!dev_cgroup)
180 return ERR_PTR(-ENOMEM); 180 return ERR_PTR(-ENOMEM);
181 INIT_LIST_HEAD(&dev_cgroup->whitelist); 181 INIT_LIST_HEAD(&dev_cgroup->exceptions);
182 parent_cgroup = cgroup->parent; 182 parent_cgroup = cgroup->parent;
183 183
184 if (parent_cgroup == NULL) 184 if (parent_cgroup == NULL)
@@ -186,8 +186,8 @@ static struct cgroup_subsys_state *devcgroup_create(struct cgroup *cgroup)
186 else { 186 else {
187 parent_dev_cgroup = cgroup_to_devcgroup(parent_cgroup); 187 parent_dev_cgroup = cgroup_to_devcgroup(parent_cgroup);
188 mutex_lock(&devcgroup_mutex); 188 mutex_lock(&devcgroup_mutex);
189 ret = dev_whitelist_copy(&dev_cgroup->whitelist, 189 ret = dev_exceptions_copy(&dev_cgroup->exceptions,
190 &parent_dev_cgroup->whitelist); 190 &parent_dev_cgroup->exceptions);
191 dev_cgroup->deny_all = parent_dev_cgroup->deny_all; 191 dev_cgroup->deny_all = parent_dev_cgroup->deny_all;
192 mutex_unlock(&devcgroup_mutex); 192 mutex_unlock(&devcgroup_mutex);
193 if (ret) { 193 if (ret) {
@@ -204,7 +204,7 @@ static void devcgroup_destroy(struct cgroup *cgroup)
204 struct dev_cgroup *dev_cgroup; 204 struct dev_cgroup *dev_cgroup;
205 205
206 dev_cgroup = cgroup_to_devcgroup(cgroup); 206 dev_cgroup = cgroup_to_devcgroup(cgroup);
207 dev_whitelist_clean(dev_cgroup); 207 dev_exception_clean(dev_cgroup);
208 kfree(dev_cgroup); 208 kfree(dev_cgroup);
209} 209}
210 210
@@ -250,7 +250,7 @@ static int devcgroup_seq_read(struct cgroup *cgroup, struct cftype *cft,
250 struct seq_file *m) 250 struct seq_file *m)
251{ 251{
252 struct dev_cgroup *devcgroup = cgroup_to_devcgroup(cgroup); 252 struct dev_cgroup *devcgroup = cgroup_to_devcgroup(cgroup);
253 struct dev_whitelist_item *wh; 253 struct dev_exception_item *ex;
254 char maj[MAJMINLEN], min[MAJMINLEN], acc[ACCLEN]; 254 char maj[MAJMINLEN], min[MAJMINLEN], acc[ACCLEN];
255 255
256 rcu_read_lock(); 256 rcu_read_lock();
@@ -267,11 +267,11 @@ static int devcgroup_seq_read(struct cgroup *cgroup, struct cftype *cft,
267 seq_printf(m, "%c %s:%s %s\n", type_to_char(DEV_ALL), 267 seq_printf(m, "%c %s:%s %s\n", type_to_char(DEV_ALL),
268 maj, min, acc); 268 maj, min, acc);
269 } else { 269 } else {
270 list_for_each_entry_rcu(wh, &devcgroup->whitelist, list) { 270 list_for_each_entry_rcu(ex, &devcgroup->exceptions, list) {
271 set_access(acc, wh->access); 271 set_access(acc, ex->access);
272 set_majmin(maj, wh->major); 272 set_majmin(maj, ex->major);
273 set_majmin(min, wh->minor); 273 set_majmin(min, ex->minor);
274 seq_printf(m, "%c %s:%s %s\n", type_to_char(wh->type), 274 seq_printf(m, "%c %s:%s %s\n", type_to_char(ex->type),
275 maj, min, acc); 275 maj, min, acc);
276 } 276 }
277 } 277 }
@@ -281,42 +281,42 @@ static int devcgroup_seq_read(struct cgroup *cgroup, struct cftype *cft,
281} 281}
282 282
283/** 283/**
284 * may_access_whitelist - verifies if a new rule is part of what is allowed 284 * may_access - verifies if a new exception is part of what is allowed
285 * by a dev cgroup based on the default policy + 285 * by a dev cgroup based on the default policy +
286 * exceptions. This is used to make sure a child cgroup 286 * exceptions. This is used to make sure a child cgroup
287 * won't have more privileges than its parent or to 287 * won't have more privileges than its parent or to
288 * verify if a certain access is allowed. 288 * verify if a certain access is allowed.
289 * @dev_cgroup: dev cgroup to be tested against 289 * @dev_cgroup: dev cgroup to be tested against
290 * @refwh: new rule 290 * @refex: new exception
291 */ 291 */
292static int may_access_whitelist(struct dev_cgroup *dev_cgroup, 292static int may_access(struct dev_cgroup *dev_cgroup,
293 struct dev_whitelist_item *refwh) 293 struct dev_exception_item *refex)
294{ 294{
295 struct dev_whitelist_item *whitem; 295 struct dev_exception_item *ex;
296 bool match = false; 296 bool match = false;
297 297
298 list_for_each_entry(whitem, &dev_cgroup->whitelist, list) { 298 list_for_each_entry(ex, &dev_cgroup->exceptions, list) {
299 if ((refwh->type & DEV_BLOCK) && !(whitem->type & DEV_BLOCK)) 299 if ((refex->type & DEV_BLOCK) && !(ex->type & DEV_BLOCK))
300 continue; 300 continue;
301 if ((refwh->type & DEV_CHAR) && !(whitem->type & DEV_CHAR)) 301 if ((refex->type & DEV_CHAR) && !(ex->type & DEV_CHAR))
302 continue; 302 continue;
303 if (whitem->major != ~0 && whitem->major != refwh->major) 303 if (ex->major != ~0 && ex->major != refex->major)
304 continue; 304 continue;
305 if (whitem->minor != ~0 && whitem->minor != refwh->minor) 305 if (ex->minor != ~0 && ex->minor != refex->minor)
306 continue; 306 continue;
307 if (refwh->access & (~whitem->access)) 307 if (refex->access & (~ex->access))
308 continue; 308 continue;
309 match = true; 309 match = true;
310 break; 310 break;
311 } 311 }
312 312
313 /* 313 /*
314 * In two cases we'll consider this new rule valid: 314 * In two cases we'll consider this new exception valid:
315 * - the dev cgroup has its default policy to allow + exception list: 315 * - the dev cgroup has its default policy to allow + exception list:
316 * the new rule should *not* match any of the exceptions 316 * the new exception should *not* match any of the exceptions
317 * (!deny_all, !match) 317 * (!deny_all, !match)
318 * - the dev cgroup has its default policy to deny + exception list: 318 * - the dev cgroup has its default policy to deny + exception list:
319 * the new rule *should* match the exceptions 319 * the new exception *should* match the exceptions
320 * (deny_all, match) 320 * (deny_all, match)
321 */ 321 */
322 if (dev_cgroup->deny_all == match) 322 if (dev_cgroup->deny_all == match)
@@ -326,11 +326,11 @@ static int may_access_whitelist(struct dev_cgroup *dev_cgroup,
326 326
327/* 327/*
328 * parent_has_perm: 328 * parent_has_perm:
329 * when adding a new allow rule to a device whitelist, the rule 329 * when adding a new allow rule to a device exception list, the rule
330 * must be allowed in the parent device 330 * must be allowed in the parent device
331 */ 331 */
332static int parent_has_perm(struct dev_cgroup *childcg, 332static int parent_has_perm(struct dev_cgroup *childcg,
333 struct dev_whitelist_item *wh) 333 struct dev_exception_item *ex)
334{ 334{
335 struct cgroup *pcg = childcg->css.cgroup->parent; 335 struct cgroup *pcg = childcg->css.cgroup->parent;
336 struct dev_cgroup *parent; 336 struct dev_cgroup *parent;
@@ -338,17 +338,17 @@ static int parent_has_perm(struct dev_cgroup *childcg,
338 if (!pcg) 338 if (!pcg)
339 return 1; 339 return 1;
340 parent = cgroup_to_devcgroup(pcg); 340 parent = cgroup_to_devcgroup(pcg);
341 return may_access_whitelist(parent, wh); 341 return may_access(parent, ex);
342} 342}
343 343
344/* 344/*
345 * Modify the whitelist using allow/deny rules. 345 * Modify the exception list using allow/deny rules.
346 * CAP_SYS_ADMIN is needed for this. It's at least separate from CAP_MKNOD 346 * CAP_SYS_ADMIN is needed for this. It's at least separate from CAP_MKNOD
347 * so we can give a container CAP_MKNOD to let it create devices but not 347 * so we can give a container CAP_MKNOD to let it create devices but not
348 * modify the whitelist. 348 * modify the exception list.
349 * It seems likely we'll want to add a CAP_CONTAINER capability to allow 349 * It seems likely we'll want to add a CAP_CONTAINER capability to allow
350 * us to also grant CAP_SYS_ADMIN to containers without giving away the 350 * us to also grant CAP_SYS_ADMIN to containers without giving away the
351 * device whitelist controls, but for now we'll stick with CAP_SYS_ADMIN 351 * device exception list controls, but for now we'll stick with CAP_SYS_ADMIN
352 * 352 *
353 * Taking rules away is always allowed (given CAP_SYS_ADMIN). Granting 353 * Taking rules away is always allowed (given CAP_SYS_ADMIN). Granting
354 * new access is only allowed if you're in the top-level cgroup, or your 354 * new access is only allowed if you're in the top-level cgroup, or your
@@ -360,25 +360,25 @@ static int devcgroup_update_access(struct dev_cgroup *devcgroup,
360 const char *b; 360 const char *b;
361 char *endp; 361 char *endp;
362 int count; 362 int count;
363 struct dev_whitelist_item wh; 363 struct dev_exception_item ex;
364 364
365 if (!capable(CAP_SYS_ADMIN)) 365 if (!capable(CAP_SYS_ADMIN))
366 return -EPERM; 366 return -EPERM;
367 367
368 memset(&wh, 0, sizeof(wh)); 368 memset(&ex, 0, sizeof(ex));
369 b = buffer; 369 b = buffer;
370 370
371 switch (*b) { 371 switch (*b) {
372 case 'a': 372 case 'a':
373 switch (filetype) { 373 switch (filetype) {
374 case DEVCG_ALLOW: 374 case DEVCG_ALLOW:
375 if (!parent_has_perm(devcgroup, &wh)) 375 if (!parent_has_perm(devcgroup, &ex))
376 return -EPERM; 376 return -EPERM;
377 dev_whitelist_clean(devcgroup); 377 dev_exception_clean(devcgroup);
378 devcgroup->deny_all = false; 378 devcgroup->deny_all = false;
379 break; 379 break;
380 case DEVCG_DENY: 380 case DEVCG_DENY:
381 dev_whitelist_clean(devcgroup); 381 dev_exception_clean(devcgroup);
382 devcgroup->deny_all = true; 382 devcgroup->deny_all = true;
383 break; 383 break;
384 default: 384 default:
@@ -386,10 +386,10 @@ static int devcgroup_update_access(struct dev_cgroup *devcgroup,
386 } 386 }
387 return 0; 387 return 0;
388 case 'b': 388 case 'b':
389 wh.type = DEV_BLOCK; 389 ex.type = DEV_BLOCK;
390 break; 390 break;
391 case 'c': 391 case 'c':
392 wh.type = DEV_CHAR; 392 ex.type = DEV_CHAR;
393 break; 393 break;
394 default: 394 default:
395 return -EINVAL; 395 return -EINVAL;
@@ -399,10 +399,10 @@ static int devcgroup_update_access(struct dev_cgroup *devcgroup,
399 return -EINVAL; 399 return -EINVAL;
400 b++; 400 b++;
401 if (*b == '*') { 401 if (*b == '*') {
402 wh.major = ~0; 402 ex.major = ~0;
403 b++; 403 b++;
404 } else if (isdigit(*b)) { 404 } else if (isdigit(*b)) {
405 wh.major = simple_strtoul(b, &endp, 10); 405 ex.major = simple_strtoul(b, &endp, 10);
406 b = endp; 406 b = endp;
407 } else { 407 } else {
408 return -EINVAL; 408 return -EINVAL;
@@ -413,10 +413,10 @@ static int devcgroup_update_access(struct dev_cgroup *devcgroup,
413 413
414 /* read minor */ 414 /* read minor */
415 if (*b == '*') { 415 if (*b == '*') {
416 wh.minor = ~0; 416 ex.minor = ~0;
417 b++; 417 b++;
418 } else if (isdigit(*b)) { 418 } else if (isdigit(*b)) {
419 wh.minor = simple_strtoul(b, &endp, 10); 419 ex.minor = simple_strtoul(b, &endp, 10);
420 b = endp; 420 b = endp;
421 } else { 421 } else {
422 return -EINVAL; 422 return -EINVAL;
@@ -426,13 +426,13 @@ static int devcgroup_update_access(struct dev_cgroup *devcgroup,
426 for (b++, count = 0; count < 3; count++, b++) { 426 for (b++, count = 0; count < 3; count++, b++) {
427 switch (*b) { 427 switch (*b) {
428 case 'r': 428 case 'r':
429 wh.access |= ACC_READ; 429 ex.access |= ACC_READ;
430 break; 430 break;
431 case 'w': 431 case 'w':
432 wh.access |= ACC_WRITE; 432 ex.access |= ACC_WRITE;
433 break; 433 break;
434 case 'm': 434 case 'm':
435 wh.access |= ACC_MKNOD; 435 ex.access |= ACC_MKNOD;
436 break; 436 break;
437 case '\n': 437 case '\n':
438 case '\0': 438 case '\0':
@@ -445,7 +445,7 @@ static int devcgroup_update_access(struct dev_cgroup *devcgroup,
445 445
446 switch (filetype) { 446 switch (filetype) {
447 case DEVCG_ALLOW: 447 case DEVCG_ALLOW:
448 if (!parent_has_perm(devcgroup, &wh)) 448 if (!parent_has_perm(devcgroup, &ex))
449 return -EPERM; 449 return -EPERM;
450 /* 450 /*
451 * If the default policy is to allow by default, try to remove 451 * If the default policy is to allow by default, try to remove
@@ -453,10 +453,10 @@ static int devcgroup_update_access(struct dev_cgroup *devcgroup,
453 * don't want to break compatibility 453 * don't want to break compatibility
454 */ 454 */
455 if (devcgroup->deny_all == false) { 455 if (devcgroup->deny_all == false) {
456 dev_whitelist_rm(devcgroup, &wh); 456 dev_exception_rm(devcgroup, &ex);
457 return 0; 457 return 0;
458 } 458 }
459 return dev_whitelist_add(devcgroup, &wh); 459 return dev_exception_add(devcgroup, &ex);
460 case DEVCG_DENY: 460 case DEVCG_DENY:
461 /* 461 /*
462 * If the default policy is to deny by default, try to remove 462 * If the default policy is to deny by default, try to remove
@@ -464,10 +464,10 @@ static int devcgroup_update_access(struct dev_cgroup *devcgroup,
464 * don't want to break compatibility 464 * don't want to break compatibility
465 */ 465 */
466 if (devcgroup->deny_all == true) { 466 if (devcgroup->deny_all == true) {
467 dev_whitelist_rm(devcgroup, &wh); 467 dev_exception_rm(devcgroup, &ex);
468 return 0; 468 return 0;
469 } 469 }
470 return dev_whitelist_add(devcgroup, &wh); 470 return dev_exception_add(devcgroup, &ex);
471 default: 471 default:
472 return -EINVAL; 472 return -EINVAL;
473 } 473 }
@@ -537,17 +537,17 @@ static int __devcgroup_check_permission(struct dev_cgroup *dev_cgroup,
537 short type, u32 major, u32 minor, 537 short type, u32 major, u32 minor,
538 short access) 538 short access)
539{ 539{
540 struct dev_whitelist_item wh; 540 struct dev_exception_item ex;
541 int rc; 541 int rc;
542 542
543 memset(&wh, 0, sizeof(wh)); 543 memset(&ex, 0, sizeof(ex));
544 wh.type = type; 544 ex.type = type;
545 wh.major = major; 545 ex.major = major;
546 wh.minor = minor; 546 ex.minor = minor;
547 wh.access = access; 547 ex.access = access;
548 548
549 rcu_read_lock(); 549 rcu_read_lock();
550 rc = may_access_whitelist(dev_cgroup, &wh); 550 rc = may_access(dev_cgroup, &ex);
551 rcu_read_unlock(); 551 rcu_read_unlock();
552 552
553 if (!rc) 553 if (!rc)