diff options
| author | Linus Torvalds <torvalds@linux-foundation.org> | 2014-06-09 18:03:33 -0400 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2014-06-09 18:03:33 -0400 |
| commit | 14208b0ec56919f5333dd654b1a7d10765d0ad05 (patch) | |
| tree | 474b46c351efced45925d15dc2e0049c49784716 /security | |
| parent | 6ea4fa70e4af0da8b133b246458fb789d8cb3985 (diff) | |
| parent | c731ae1d0f02a300697a8b1564780ad28a6c2013 (diff) | |
Merge branch 'for-3.16' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup
Pull cgroup updates from Tejun Heo:
"A lot of activities on cgroup side. Heavy restructuring including
locking simplification took place to improve the code base and enable
implementation of the unified hierarchy, which currently exists behind
a __DEVEL__ mount option. The core support is mostly complete but
individual controllers need further work. To explain the design and
rationales of the the unified hierarchy
Documentation/cgroups/unified-hierarchy.txt
is added.
Another notable change is css (cgroup_subsys_state - what each
controller uses to identify and interact with a cgroup) iteration
update. This is part of continuing updates on css object lifetime and
visibility. cgroup started with reference count draining on removal
way back and is now reaching a point where csses behave and are
iterated like normal refcnted objects albeit with some complexities to
allow distinguishing the state where they're being deleted. The css
iteration update isn't taken advantage of yet but is planned to be
used to simplify memcg significantly"
* 'for-3.16' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup: (77 commits)
cgroup: disallow disabled controllers on the default hierarchy
cgroup: don't destroy the default root
cgroup: disallow debug controller on the default hierarchy
cgroup: clean up MAINTAINERS entries
cgroup: implement css_tryget()
device_cgroup: use css_has_online_children() instead of has_children()
cgroup: convert cgroup_has_live_children() into css_has_online_children()
cgroup: use CSS_ONLINE instead of CGRP_DEAD
cgroup: iterate cgroup_subsys_states directly
cgroup: introduce CSS_RELEASED and reduce css iteration fallback window
cgroup: move cgroup->serial_nr into cgroup_subsys_state
cgroup: link all cgroup_subsys_states in their sibling lists
cgroup: move cgroup->sibling and ->children into cgroup_subsys_state
cgroup: remove cgroup->parent
device_cgroup: remove direct access to cgroup->children
memcg: update memcg_has_children() to use css_next_child()
memcg: remove tasks/children test from mem_cgroup_force_empty()
cgroup: remove css_parent()
cgroup: skip refcnting on normal root csses and cgrp_dfl_root self css
cgroup: use cgroup->self.refcnt for cgroup refcnting
...
Diffstat (limited to 'security')
| -rw-r--r-- | security/device_cgroup.c | 33 |
1 files changed, 13 insertions, 20 deletions
diff --git a/security/device_cgroup.c b/security/device_cgroup.c index 9134dbf70d3e..d9d69e6930ed 100644 --- a/security/device_cgroup.c +++ b/security/device_cgroup.c | |||
| @@ -182,7 +182,7 @@ static inline bool is_devcg_online(const struct dev_cgroup *devcg) | |||
| 182 | static int devcgroup_online(struct cgroup_subsys_state *css) | 182 | static int devcgroup_online(struct cgroup_subsys_state *css) |
| 183 | { | 183 | { |
| 184 | struct dev_cgroup *dev_cgroup = css_to_devcgroup(css); | 184 | struct dev_cgroup *dev_cgroup = css_to_devcgroup(css); |
| 185 | struct dev_cgroup *parent_dev_cgroup = css_to_devcgroup(css_parent(css)); | 185 | struct dev_cgroup *parent_dev_cgroup = css_to_devcgroup(css->parent); |
| 186 | int ret = 0; | 186 | int ret = 0; |
| 187 | 187 | ||
| 188 | mutex_lock(&devcgroup_mutex); | 188 | mutex_lock(&devcgroup_mutex); |
| @@ -455,7 +455,7 @@ static bool verify_new_ex(struct dev_cgroup *dev_cgroup, | |||
| 455 | static int parent_has_perm(struct dev_cgroup *childcg, | 455 | static int parent_has_perm(struct dev_cgroup *childcg, |
| 456 | struct dev_exception_item *ex) | 456 | struct dev_exception_item *ex) |
| 457 | { | 457 | { |
| 458 | struct dev_cgroup *parent = css_to_devcgroup(css_parent(&childcg->css)); | 458 | struct dev_cgroup *parent = css_to_devcgroup(childcg->css.parent); |
| 459 | 459 | ||
| 460 | if (!parent) | 460 | if (!parent) |
| 461 | return 1; | 461 | return 1; |
| @@ -476,7 +476,7 @@ static int parent_has_perm(struct dev_cgroup *childcg, | |||
| 476 | static bool parent_allows_removal(struct dev_cgroup *childcg, | 476 | static bool parent_allows_removal(struct dev_cgroup *childcg, |
| 477 | struct dev_exception_item *ex) | 477 | struct dev_exception_item *ex) |
| 478 | { | 478 | { |
| 479 | struct dev_cgroup *parent = css_to_devcgroup(css_parent(&childcg->css)); | 479 | struct dev_cgroup *parent = css_to_devcgroup(childcg->css.parent); |
| 480 | 480 | ||
| 481 | if (!parent) | 481 | if (!parent) |
| 482 | return true; | 482 | return true; |
| @@ -587,13 +587,6 @@ static int propagate_exception(struct dev_cgroup *devcg_root, | |||
| 587 | return rc; | 587 | return rc; |
| 588 | } | 588 | } |
| 589 | 589 | ||
| 590 | static inline bool has_children(struct dev_cgroup *devcgroup) | ||
| 591 | { | ||
| 592 | struct cgroup *cgrp = devcgroup->css.cgroup; | ||
| 593 | |||
| 594 | return !list_empty(&cgrp->children); | ||
| 595 | } | ||
| 596 | |||
| 597 | /* | 590 | /* |
| 598 | * Modify the exception list using allow/deny rules. | 591 | * Modify the exception list using allow/deny rules. |
| 599 | * CAP_SYS_ADMIN is needed for this. It's at least separate from CAP_MKNOD | 592 | * CAP_SYS_ADMIN is needed for this. It's at least separate from CAP_MKNOD |
| @@ -614,7 +607,7 @@ static int devcgroup_update_access(struct dev_cgroup *devcgroup, | |||
| 614 | char temp[12]; /* 11 + 1 characters needed for a u32 */ | 607 | char temp[12]; /* 11 + 1 characters needed for a u32 */ |
| 615 | int count, rc = 0; | 608 | int count, rc = 0; |
| 616 | struct dev_exception_item ex; | 609 | struct dev_exception_item ex; |
| 617 | struct dev_cgroup *parent = css_to_devcgroup(css_parent(&devcgroup->css)); | 610 | struct dev_cgroup *parent = css_to_devcgroup(devcgroup->css.parent); |
| 618 | 611 | ||
| 619 | if (!capable(CAP_SYS_ADMIN)) | 612 | if (!capable(CAP_SYS_ADMIN)) |
| 620 | return -EPERM; | 613 | return -EPERM; |
| @@ -626,7 +619,7 @@ static int devcgroup_update_access(struct dev_cgroup *devcgroup, | |||
| 626 | case 'a': | 619 | case 'a': |
| 627 | switch (filetype) { | 620 | switch (filetype) { |
| 628 | case DEVCG_ALLOW: | 621 | case DEVCG_ALLOW: |
| 629 | if (has_children(devcgroup)) | 622 | if (css_has_online_children(&devcgroup->css)) |
| 630 | return -EINVAL; | 623 | return -EINVAL; |
| 631 | 624 | ||
| 632 | if (!may_allow_all(parent)) | 625 | if (!may_allow_all(parent)) |
| @@ -642,7 +635,7 @@ static int devcgroup_update_access(struct dev_cgroup *devcgroup, | |||
| 642 | return rc; | 635 | return rc; |
| 643 | break; | 636 | break; |
| 644 | case DEVCG_DENY: | 637 | case DEVCG_DENY: |
| 645 | if (has_children(devcgroup)) | 638 | if (css_has_online_children(&devcgroup->css)) |
| 646 | return -EINVAL; | 639 | return -EINVAL; |
| 647 | 640 | ||
| 648 | dev_exception_clean(devcgroup); | 641 | dev_exception_clean(devcgroup); |
| @@ -767,27 +760,27 @@ static int devcgroup_update_access(struct dev_cgroup *devcgroup, | |||
| 767 | return rc; | 760 | return rc; |
| 768 | } | 761 | } |
| 769 | 762 | ||
| 770 | static int devcgroup_access_write(struct cgroup_subsys_state *css, | 763 | static ssize_t devcgroup_access_write(struct kernfs_open_file *of, |
| 771 | struct cftype *cft, char *buffer) | 764 | char *buf, size_t nbytes, loff_t off) |
| 772 | { | 765 | { |
| 773 | int retval; | 766 | int retval; |
| 774 | 767 | ||
| 775 | mutex_lock(&devcgroup_mutex); | 768 | mutex_lock(&devcgroup_mutex); |
| 776 | retval = devcgroup_update_access(css_to_devcgroup(css), | 769 | retval = devcgroup_update_access(css_to_devcgroup(of_css(of)), |
| 777 | cft->private, buffer); | 770 | of_cft(of)->private, strstrip(buf)); |
| 778 | mutex_unlock(&devcgroup_mutex); | 771 | mutex_unlock(&devcgroup_mutex); |
| 779 | return retval; | 772 | return retval ?: nbytes; |
| 780 | } | 773 | } |
| 781 | 774 | ||
| 782 | static struct cftype dev_cgroup_files[] = { | 775 | static struct cftype dev_cgroup_files[] = { |
| 783 | { | 776 | { |
| 784 | .name = "allow", | 777 | .name = "allow", |
| 785 | .write_string = devcgroup_access_write, | 778 | .write = devcgroup_access_write, |
| 786 | .private = DEVCG_ALLOW, | 779 | .private = DEVCG_ALLOW, |
| 787 | }, | 780 | }, |
| 788 | { | 781 | { |
| 789 | .name = "deny", | 782 | .name = "deny", |
| 790 | .write_string = devcgroup_access_write, | 783 | .write = devcgroup_access_write, |
| 791 | .private = DEVCG_DENY, | 784 | .private = DEVCG_DENY, |
| 792 | }, | 785 | }, |
| 793 | { | 786 | { |