aboutsummaryrefslogtreecommitdiffstats
path: root/security/device_cgroup.c
diff options
context:
space:
mode:
authorAristeu Rozanski <aris@redhat.com>2012-10-04 20:15:13 -0400
committerLinus Torvalds <torvalds@linux-foundation.org>2012-10-05 14:05:13 -0400
commit66b8ef67756b3051bf42a077a82c3c5c279caa5b (patch)
tree60527442334744981f0766dae6f46bf7ae9b4d4f /security/device_cgroup.c
parent12ae6779332181432a7feda740735ffa5bb3d32d (diff)
device_cgroup: add "deny_all" in dev_cgroup structure
deny_all will determine if the default policy is to deny all device access unless for the ones in the exception list. This variable will be used in the next patches to convert device_cgroup internally into a default policy + rules. Signed-off-by: Aristeu Rozanski <aris@redhat.com> Cc: Tejun Heo <tj@kernel.org> Cc: Li Zefan <lizefan@huawei.com> Cc: James Morris <jmorris@namei.org> Cc: Pavel Emelyanov <xemul@openvz.org> Acked-by: Serge E. Hallyn <serge.hallyn@canonical.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'security/device_cgroup.c')
-rw-r--r--security/device_cgroup.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/security/device_cgroup.c b/security/device_cgroup.c
index 4b877a92a7ea..e3ce02a00ffc 100644
--- a/security/device_cgroup.c
+++ b/security/device_cgroup.c
@@ -42,6 +42,7 @@ struct dev_whitelist_item {
42struct dev_cgroup { 42struct dev_cgroup {
43 struct cgroup_subsys_state css; 43 struct cgroup_subsys_state css;
44 struct list_head whitelist; 44 struct list_head whitelist;
45 bool deny_all;
45}; 46};
46 47
47static inline struct dev_cgroup *css_to_devcgroup(struct cgroup_subsys_state *s) 48static inline struct dev_cgroup *css_to_devcgroup(struct cgroup_subsys_state *s)
@@ -178,12 +179,14 @@ static struct cgroup_subsys_state *devcgroup_create(struct cgroup *cgroup)
178 wh->minor = wh->major = ~0; 179 wh->minor = wh->major = ~0;
179 wh->type = DEV_ALL; 180 wh->type = DEV_ALL;
180 wh->access = ACC_MASK; 181 wh->access = ACC_MASK;
182 dev_cgroup->deny_all = false;
181 list_add(&wh->list, &dev_cgroup->whitelist); 183 list_add(&wh->list, &dev_cgroup->whitelist);
182 } else { 184 } else {
183 parent_dev_cgroup = cgroup_to_devcgroup(parent_cgroup); 185 parent_dev_cgroup = cgroup_to_devcgroup(parent_cgroup);
184 mutex_lock(&devcgroup_mutex); 186 mutex_lock(&devcgroup_mutex);
185 ret = dev_whitelist_copy(&dev_cgroup->whitelist, 187 ret = dev_whitelist_copy(&dev_cgroup->whitelist,
186 &parent_dev_cgroup->whitelist); 188 &parent_dev_cgroup->whitelist);
189 dev_cgroup->deny_all = parent_dev_cgroup->deny_all;
187 mutex_unlock(&devcgroup_mutex); 190 mutex_unlock(&devcgroup_mutex);
188 if (ret) { 191 if (ret) {
189 kfree(dev_cgroup); 192 kfree(dev_cgroup);
@@ -409,9 +412,11 @@ handle:
409 case DEVCG_ALLOW: 412 case DEVCG_ALLOW:
410 if (!parent_has_perm(devcgroup, &wh)) 413 if (!parent_has_perm(devcgroup, &wh))
411 return -EPERM; 414 return -EPERM;
415 devcgroup->deny_all = false;
412 return dev_whitelist_add(devcgroup, &wh); 416 return dev_whitelist_add(devcgroup, &wh);
413 case DEVCG_DENY: 417 case DEVCG_DENY:
414 dev_whitelist_rm(devcgroup, &wh); 418 dev_whitelist_rm(devcgroup, &wh);
419 devcgroup->deny_all = true;
415 break; 420 break;
416 default: 421 default:
417 return -EINVAL; 422 return -EINVAL;