diff options
| author | Tejun Heo <tj@kernel.org> | 2014-05-16 13:22:52 -0400 |
|---|---|---|
| committer | Tejun Heo <tj@kernel.org> | 2014-05-16 13:22:52 -0400 |
| commit | 7a3bb24f7c5ceebad19b12b66fd832a27a7e90df (patch) | |
| tree | fc1d5735096c2d0012f9a1e3235279397a7011b5 /security/device_cgroup.c | |
| parent | f3d4650015301d1c880df4523f7e7ef320a38aab (diff) | |
device_cgroup: use css_has_online_children() instead of has_children()
devcgroup_update_access() wants to know whether there are child
cgroups which are online and visible to userland and has_children()
may return false positive. Replace it with css_has_online_children().
Signed-off-by: Tejun Heo <tj@kernel.org>
Acked-by: Aristeu Rozanski <aris@redhat.com>
Acked-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Li Zefan <lizefan@huawei.com>
Diffstat (limited to 'security/device_cgroup.c')
| -rw-r--r-- | security/device_cgroup.c | 19 |
1 files changed, 2 insertions, 17 deletions
diff --git a/security/device_cgroup.c b/security/device_cgroup.c index 084c8e417564..d9d69e6930ed 100644 --- a/security/device_cgroup.c +++ b/security/device_cgroup.c | |||
| @@ -587,21 +587,6 @@ static int propagate_exception(struct dev_cgroup *devcg_root, | |||
| 587 | return rc; | 587 | return rc; |
| 588 | } | 588 | } |
| 589 | 589 | ||
| 590 | static inline bool has_children(struct dev_cgroup *devcgroup) | ||
| 591 | { | ||
| 592 | bool ret; | ||
| 593 | |||
| 594 | /* | ||
| 595 | * FIXME: There may be lingering offline csses and this function | ||
| 596 | * may return %true when there isn't any userland-visible child | ||
| 597 | * which is incorrect for our purposes. | ||
| 598 | */ | ||
| 599 | rcu_read_lock(); | ||
| 600 | ret = css_next_child(NULL, &devcgroup->css); | ||
| 601 | rcu_read_unlock(); | ||
| 602 | return ret; | ||
| 603 | } | ||
| 604 | |||
| 605 | /* | 590 | /* |
| 606 | * Modify the exception list using allow/deny rules. | 591 | * Modify the exception list using allow/deny rules. |
| 607 | * CAP_SYS_ADMIN is needed for this. It's at least separate from CAP_MKNOD | 592 | * CAP_SYS_ADMIN is needed for this. It's at least separate from CAP_MKNOD |
| @@ -634,7 +619,7 @@ static int devcgroup_update_access(struct dev_cgroup *devcgroup, | |||
| 634 | case 'a': | 619 | case 'a': |
| 635 | switch (filetype) { | 620 | switch (filetype) { |
| 636 | case DEVCG_ALLOW: | 621 | case DEVCG_ALLOW: |
| 637 | if (has_children(devcgroup)) | 622 | if (css_has_online_children(&devcgroup->css)) |
| 638 | return -EINVAL; | 623 | return -EINVAL; |
| 639 | 624 | ||
| 640 | if (!may_allow_all(parent)) | 625 | if (!may_allow_all(parent)) |
| @@ -650,7 +635,7 @@ static int devcgroup_update_access(struct dev_cgroup *devcgroup, | |||
| 650 | return rc; | 635 | return rc; |
| 651 | break; | 636 | break; |
| 652 | case DEVCG_DENY: | 637 | case DEVCG_DENY: |
| 653 | if (has_children(devcgroup)) | 638 | if (css_has_online_children(&devcgroup->css)) |
| 654 | return -EINVAL; | 639 | return -EINVAL; |
| 655 | 640 | ||
| 656 | dev_exception_clean(devcgroup); | 641 | dev_exception_clean(devcgroup); |