diff options
-rw-r--r-- | security/device_cgroup.c | 198 |
1 files changed, 99 insertions, 99 deletions
diff --git a/security/device_cgroup.c b/security/device_cgroup.c index 91cf803c3431..44dfc415a379 100644 --- a/security/device_cgroup.c +++ b/security/device_cgroup.c | |||
@@ -26,12 +26,12 @@ | |||
26 | static DEFINE_MUTEX(devcgroup_mutex); | 26 | static DEFINE_MUTEX(devcgroup_mutex); |
27 | 27 | ||
28 | /* | 28 | /* |
29 | * whitelist locking rules: | 29 | * exception list locking rules: |
30 | * hold devcgroup_mutex for update/read. | 30 | * hold devcgroup_mutex for update/read. |
31 | * hold rcu_read_lock() for read. | 31 | * hold rcu_read_lock() for read. |
32 | */ | 32 | */ |
33 | 33 | ||
34 | struct dev_whitelist_item { | 34 | struct dev_exception_item { |
35 | u32 major, minor; | 35 | u32 major, minor; |
36 | short type; | 36 | short type; |
37 | short access; | 37 | short access; |
@@ -41,7 +41,7 @@ struct dev_whitelist_item { | |||
41 | 41 | ||
42 | struct dev_cgroup { | 42 | struct dev_cgroup { |
43 | struct cgroup_subsys_state css; | 43 | struct cgroup_subsys_state css; |
44 | struct list_head whitelist; | 44 | struct list_head exceptions; |
45 | bool deny_all; | 45 | bool deny_all; |
46 | }; | 46 | }; |
47 | 47 | ||
@@ -75,12 +75,12 @@ static int devcgroup_can_attach(struct cgroup *new_cgrp, | |||
75 | /* | 75 | /* |
76 | * called under devcgroup_mutex | 76 | * called under devcgroup_mutex |
77 | */ | 77 | */ |
78 | static int dev_whitelist_copy(struct list_head *dest, struct list_head *orig) | 78 | static int dev_exceptions_copy(struct list_head *dest, struct list_head *orig) |
79 | { | 79 | { |
80 | struct dev_whitelist_item *wh, *tmp, *new; | 80 | struct dev_exception_item *ex, *tmp, *new; |
81 | 81 | ||
82 | list_for_each_entry(wh, orig, list) { | 82 | list_for_each_entry(ex, orig, list) { |
83 | new = kmemdup(wh, sizeof(*wh), GFP_KERNEL); | 83 | new = kmemdup(ex, sizeof(*ex), GFP_KERNEL); |
84 | if (!new) | 84 | if (!new) |
85 | goto free_and_exit; | 85 | goto free_and_exit; |
86 | list_add_tail(&new->list, dest); | 86 | list_add_tail(&new->list, dest); |
@@ -89,9 +89,9 @@ static int dev_whitelist_copy(struct list_head *dest, struct list_head *orig) | |||
89 | return 0; | 89 | return 0; |
90 | 90 | ||
91 | free_and_exit: | 91 | free_and_exit: |
92 | list_for_each_entry_safe(wh, tmp, dest, list) { | 92 | list_for_each_entry_safe(ex, tmp, dest, list) { |
93 | list_del(&wh->list); | 93 | list_del(&ex->list); |
94 | kfree(wh); | 94 | kfree(ex); |
95 | } | 95 | } |
96 | return -ENOMEM; | 96 | return -ENOMEM; |
97 | } | 97 | } |
@@ -99,50 +99,50 @@ free_and_exit: | |||
99 | /* | 99 | /* |
100 | * called under devcgroup_mutex | 100 | * called under devcgroup_mutex |
101 | */ | 101 | */ |
102 | static int dev_whitelist_add(struct dev_cgroup *dev_cgroup, | 102 | static int dev_exception_add(struct dev_cgroup *dev_cgroup, |
103 | struct dev_whitelist_item *wh) | 103 | struct dev_exception_item *ex) |
104 | { | 104 | { |
105 | struct dev_whitelist_item *whcopy, *walk; | 105 | struct dev_exception_item *excopy, *walk; |
106 | 106 | ||
107 | whcopy = kmemdup(wh, sizeof(*wh), GFP_KERNEL); | 107 | excopy = kmemdup(ex, sizeof(*ex), GFP_KERNEL); |
108 | if (!whcopy) | 108 | if (!excopy) |
109 | return -ENOMEM; | 109 | return -ENOMEM; |
110 | 110 | ||
111 | list_for_each_entry(walk, &dev_cgroup->whitelist, list) { | 111 | list_for_each_entry(walk, &dev_cgroup->exceptions, list) { |
112 | if (walk->type != wh->type) | 112 | if (walk->type != ex->type) |
113 | continue; | 113 | continue; |
114 | if (walk->major != wh->major) | 114 | if (walk->major != ex->major) |
115 | continue; | 115 | continue; |
116 | if (walk->minor != wh->minor) | 116 | if (walk->minor != ex->minor) |
117 | continue; | 117 | continue; |
118 | 118 | ||
119 | walk->access |= wh->access; | 119 | walk->access |= ex->access; |
120 | kfree(whcopy); | 120 | kfree(excopy); |
121 | whcopy = NULL; | 121 | excopy = NULL; |
122 | } | 122 | } |
123 | 123 | ||
124 | if (whcopy != NULL) | 124 | if (excopy != NULL) |
125 | list_add_tail_rcu(&whcopy->list, &dev_cgroup->whitelist); | 125 | list_add_tail_rcu(&excopy->list, &dev_cgroup->exceptions); |
126 | return 0; | 126 | return 0; |
127 | } | 127 | } |
128 | 128 | ||
129 | /* | 129 | /* |
130 | * called under devcgroup_mutex | 130 | * called under devcgroup_mutex |
131 | */ | 131 | */ |
132 | static void dev_whitelist_rm(struct dev_cgroup *dev_cgroup, | 132 | static void dev_exception_rm(struct dev_cgroup *dev_cgroup, |
133 | struct dev_whitelist_item *wh) | 133 | struct dev_exception_item *ex) |
134 | { | 134 | { |
135 | struct dev_whitelist_item *walk, *tmp; | 135 | struct dev_exception_item *walk, *tmp; |
136 | 136 | ||
137 | list_for_each_entry_safe(walk, tmp, &dev_cgroup->whitelist, list) { | 137 | list_for_each_entry_safe(walk, tmp, &dev_cgroup->exceptions, list) { |
138 | if (walk->type != wh->type) | 138 | if (walk->type != ex->type) |
139 | continue; | 139 | continue; |
140 | if (walk->major != wh->major) | 140 | if (walk->major != ex->major) |
141 | continue; | 141 | continue; |
142 | if (walk->minor != wh->minor) | 142 | if (walk->minor != ex->minor) |
143 | continue; | 143 | continue; |
144 | 144 | ||
145 | walk->access &= ~wh->access; | 145 | walk->access &= ~ex->access; |
146 | if (!walk->access) { | 146 | if (!walk->access) { |
147 | list_del_rcu(&walk->list); | 147 | list_del_rcu(&walk->list); |
148 | kfree_rcu(walk, rcu); | 148 | kfree_rcu(walk, rcu); |
@@ -151,18 +151,18 @@ static void dev_whitelist_rm(struct dev_cgroup *dev_cgroup, | |||
151 | } | 151 | } |
152 | 152 | ||
153 | /** | 153 | /** |
154 | * dev_whitelist_clean - frees all entries of the whitelist | 154 | * dev_exception_clean - frees all entries of the exception list |
155 | * @dev_cgroup: dev_cgroup with the whitelist to be cleaned | 155 | * @dev_cgroup: dev_cgroup with the exception list to be cleaned |
156 | * | 156 | * |
157 | * called under devcgroup_mutex | 157 | * called under devcgroup_mutex |
158 | */ | 158 | */ |
159 | static void dev_whitelist_clean(struct dev_cgroup *dev_cgroup) | 159 | static void dev_exception_clean(struct dev_cgroup *dev_cgroup) |
160 | { | 160 | { |
161 | struct dev_whitelist_item *wh, *tmp; | 161 | struct dev_exception_item *ex, *tmp; |
162 | 162 | ||
163 | list_for_each_entry_safe(wh, tmp, &dev_cgroup->whitelist, list) { | 163 | list_for_each_entry_safe(ex, tmp, &dev_cgroup->exceptions, list) { |
164 | list_del(&wh->list); | 164 | list_del(&ex->list); |
165 | kfree(wh); | 165 | kfree(ex); |
166 | } | 166 | } |
167 | } | 167 | } |
168 | 168 | ||
@@ -178,7 +178,7 @@ static struct cgroup_subsys_state *devcgroup_create(struct cgroup *cgroup) | |||
178 | dev_cgroup = kzalloc(sizeof(*dev_cgroup), GFP_KERNEL); | 178 | dev_cgroup = kzalloc(sizeof(*dev_cgroup), GFP_KERNEL); |
179 | if (!dev_cgroup) | 179 | if (!dev_cgroup) |
180 | return ERR_PTR(-ENOMEM); | 180 | return ERR_PTR(-ENOMEM); |
181 | INIT_LIST_HEAD(&dev_cgroup->whitelist); | 181 | INIT_LIST_HEAD(&dev_cgroup->exceptions); |
182 | parent_cgroup = cgroup->parent; | 182 | parent_cgroup = cgroup->parent; |
183 | 183 | ||
184 | if (parent_cgroup == NULL) | 184 | if (parent_cgroup == NULL) |
@@ -186,8 +186,8 @@ static struct cgroup_subsys_state *devcgroup_create(struct cgroup *cgroup) | |||
186 | else { | 186 | else { |
187 | parent_dev_cgroup = cgroup_to_devcgroup(parent_cgroup); | 187 | parent_dev_cgroup = cgroup_to_devcgroup(parent_cgroup); |
188 | mutex_lock(&devcgroup_mutex); | 188 | mutex_lock(&devcgroup_mutex); |
189 | ret = dev_whitelist_copy(&dev_cgroup->whitelist, | 189 | ret = dev_exceptions_copy(&dev_cgroup->exceptions, |
190 | &parent_dev_cgroup->whitelist); | 190 | &parent_dev_cgroup->exceptions); |
191 | dev_cgroup->deny_all = parent_dev_cgroup->deny_all; | 191 | dev_cgroup->deny_all = parent_dev_cgroup->deny_all; |
192 | mutex_unlock(&devcgroup_mutex); | 192 | mutex_unlock(&devcgroup_mutex); |
193 | if (ret) { | 193 | if (ret) { |
@@ -204,7 +204,7 @@ static void devcgroup_destroy(struct cgroup *cgroup) | |||
204 | struct dev_cgroup *dev_cgroup; | 204 | struct dev_cgroup *dev_cgroup; |
205 | 205 | ||
206 | dev_cgroup = cgroup_to_devcgroup(cgroup); | 206 | dev_cgroup = cgroup_to_devcgroup(cgroup); |
207 | dev_whitelist_clean(dev_cgroup); | 207 | dev_exception_clean(dev_cgroup); |
208 | kfree(dev_cgroup); | 208 | kfree(dev_cgroup); |
209 | } | 209 | } |
210 | 210 | ||
@@ -250,7 +250,7 @@ static int devcgroup_seq_read(struct cgroup *cgroup, struct cftype *cft, | |||
250 | struct seq_file *m) | 250 | struct seq_file *m) |
251 | { | 251 | { |
252 | struct dev_cgroup *devcgroup = cgroup_to_devcgroup(cgroup); | 252 | struct dev_cgroup *devcgroup = cgroup_to_devcgroup(cgroup); |
253 | struct dev_whitelist_item *wh; | 253 | struct dev_exception_item *ex; |
254 | char maj[MAJMINLEN], min[MAJMINLEN], acc[ACCLEN]; | 254 | char maj[MAJMINLEN], min[MAJMINLEN], acc[ACCLEN]; |
255 | 255 | ||
256 | rcu_read_lock(); | 256 | rcu_read_lock(); |
@@ -267,11 +267,11 @@ static int devcgroup_seq_read(struct cgroup *cgroup, struct cftype *cft, | |||
267 | seq_printf(m, "%c %s:%s %s\n", type_to_char(DEV_ALL), | 267 | seq_printf(m, "%c %s:%s %s\n", type_to_char(DEV_ALL), |
268 | maj, min, acc); | 268 | maj, min, acc); |
269 | } else { | 269 | } else { |
270 | list_for_each_entry_rcu(wh, &devcgroup->whitelist, list) { | 270 | list_for_each_entry_rcu(ex, &devcgroup->exceptions, list) { |
271 | set_access(acc, wh->access); | 271 | set_access(acc, ex->access); |
272 | set_majmin(maj, wh->major); | 272 | set_majmin(maj, ex->major); |
273 | set_majmin(min, wh->minor); | 273 | set_majmin(min, ex->minor); |
274 | seq_printf(m, "%c %s:%s %s\n", type_to_char(wh->type), | 274 | seq_printf(m, "%c %s:%s %s\n", type_to_char(ex->type), |
275 | maj, min, acc); | 275 | maj, min, acc); |
276 | } | 276 | } |
277 | } | 277 | } |
@@ -281,42 +281,42 @@ static int devcgroup_seq_read(struct cgroup *cgroup, struct cftype *cft, | |||
281 | } | 281 | } |
282 | 282 | ||
283 | /** | 283 | /** |
284 | * may_access_whitelist - verifies if a new rule is part of what is allowed | 284 | * may_access - verifies if a new exception is part of what is allowed |
285 | * by a dev cgroup based on the default policy + | 285 | * by a dev cgroup based on the default policy + |
286 | * exceptions. This is used to make sure a child cgroup | 286 | * exceptions. This is used to make sure a child cgroup |
287 | * won't have more privileges than its parent or to | 287 | * won't have more privileges than its parent or to |
288 | * verify if a certain access is allowed. | 288 | * verify if a certain access is allowed. |
289 | * @dev_cgroup: dev cgroup to be tested against | 289 | * @dev_cgroup: dev cgroup to be tested against |
290 | * @refwh: new rule | 290 | * @refex: new exception |
291 | */ | 291 | */ |
292 | static int may_access_whitelist(struct dev_cgroup *dev_cgroup, | 292 | static int may_access(struct dev_cgroup *dev_cgroup, |
293 | struct dev_whitelist_item *refwh) | 293 | struct dev_exception_item *refex) |
294 | { | 294 | { |
295 | struct dev_whitelist_item *whitem; | 295 | struct dev_exception_item *ex; |
296 | bool match = false; | 296 | bool match = false; |
297 | 297 | ||
298 | list_for_each_entry(whitem, &dev_cgroup->whitelist, list) { | 298 | list_for_each_entry(ex, &dev_cgroup->exceptions, list) { |
299 | if ((refwh->type & DEV_BLOCK) && !(whitem->type & DEV_BLOCK)) | 299 | if ((refex->type & DEV_BLOCK) && !(ex->type & DEV_BLOCK)) |
300 | continue; | 300 | continue; |
301 | if ((refwh->type & DEV_CHAR) && !(whitem->type & DEV_CHAR)) | 301 | if ((refex->type & DEV_CHAR) && !(ex->type & DEV_CHAR)) |
302 | continue; | 302 | continue; |
303 | if (whitem->major != ~0 && whitem->major != refwh->major) | 303 | if (ex->major != ~0 && ex->major != refex->major) |
304 | continue; | 304 | continue; |
305 | if (whitem->minor != ~0 && whitem->minor != refwh->minor) | 305 | if (ex->minor != ~0 && ex->minor != refex->minor) |
306 | continue; | 306 | continue; |
307 | if (refwh->access & (~whitem->access)) | 307 | if (refex->access & (~ex->access)) |
308 | continue; | 308 | continue; |
309 | match = true; | 309 | match = true; |
310 | break; | 310 | break; |
311 | } | 311 | } |
312 | 312 | ||
313 | /* | 313 | /* |
314 | * In two cases we'll consider this new rule valid: | 314 | * In two cases we'll consider this new exception valid: |
315 | * - the dev cgroup has its default policy to allow + exception list: | 315 | * - the dev cgroup has its default policy to allow + exception list: |
316 | * the new rule should *not* match any of the exceptions | 316 | * the new exception should *not* match any of the exceptions |
317 | * (!deny_all, !match) | 317 | * (!deny_all, !match) |
318 | * - the dev cgroup has its default policy to deny + exception list: | 318 | * - the dev cgroup has its default policy to deny + exception list: |
319 | * the new rule *should* match the exceptions | 319 | * the new exception *should* match the exceptions |
320 | * (deny_all, match) | 320 | * (deny_all, match) |
321 | */ | 321 | */ |
322 | if (dev_cgroup->deny_all == match) | 322 | if (dev_cgroup->deny_all == match) |
@@ -326,11 +326,11 @@ static int may_access_whitelist(struct dev_cgroup *dev_cgroup, | |||
326 | 326 | ||
327 | /* | 327 | /* |
328 | * parent_has_perm: | 328 | * parent_has_perm: |
329 | * when adding a new allow rule to a device whitelist, the rule | 329 | * when adding a new allow rule to a device exception list, the rule |
330 | * must be allowed in the parent device | 330 | * must be allowed in the parent device |
331 | */ | 331 | */ |
332 | static int parent_has_perm(struct dev_cgroup *childcg, | 332 | static int parent_has_perm(struct dev_cgroup *childcg, |
333 | struct dev_whitelist_item *wh) | 333 | struct dev_exception_item *ex) |
334 | { | 334 | { |
335 | struct cgroup *pcg = childcg->css.cgroup->parent; | 335 | struct cgroup *pcg = childcg->css.cgroup->parent; |
336 | struct dev_cgroup *parent; | 336 | struct dev_cgroup *parent; |
@@ -338,17 +338,17 @@ static int parent_has_perm(struct dev_cgroup *childcg, | |||
338 | if (!pcg) | 338 | if (!pcg) |
339 | return 1; | 339 | return 1; |
340 | parent = cgroup_to_devcgroup(pcg); | 340 | parent = cgroup_to_devcgroup(pcg); |
341 | return may_access_whitelist(parent, wh); | 341 | return may_access(parent, ex); |
342 | } | 342 | } |
343 | 343 | ||
344 | /* | 344 | /* |
345 | * Modify the whitelist using allow/deny rules. | 345 | * Modify the exception list using allow/deny rules. |
346 | * CAP_SYS_ADMIN is needed for this. It's at least separate from CAP_MKNOD | 346 | * CAP_SYS_ADMIN is needed for this. It's at least separate from CAP_MKNOD |
347 | * so we can give a container CAP_MKNOD to let it create devices but not | 347 | * so we can give a container CAP_MKNOD to let it create devices but not |
348 | * modify the whitelist. | 348 | * modify the exception list. |
349 | * It seems likely we'll want to add a CAP_CONTAINER capability to allow | 349 | * It seems likely we'll want to add a CAP_CONTAINER capability to allow |
350 | * us to also grant CAP_SYS_ADMIN to containers without giving away the | 350 | * us to also grant CAP_SYS_ADMIN to containers without giving away the |
351 | * device whitelist controls, but for now we'll stick with CAP_SYS_ADMIN | 351 | * device exception list controls, but for now we'll stick with CAP_SYS_ADMIN |
352 | * | 352 | * |
353 | * Taking rules away is always allowed (given CAP_SYS_ADMIN). Granting | 353 | * Taking rules away is always allowed (given CAP_SYS_ADMIN). Granting |
354 | * new access is only allowed if you're in the top-level cgroup, or your | 354 | * new access is only allowed if you're in the top-level cgroup, or your |
@@ -360,25 +360,25 @@ static int devcgroup_update_access(struct dev_cgroup *devcgroup, | |||
360 | const char *b; | 360 | const char *b; |
361 | char *endp; | 361 | char *endp; |
362 | int count; | 362 | int count; |
363 | struct dev_whitelist_item wh; | 363 | struct dev_exception_item ex; |
364 | 364 | ||
365 | if (!capable(CAP_SYS_ADMIN)) | 365 | if (!capable(CAP_SYS_ADMIN)) |
366 | return -EPERM; | 366 | return -EPERM; |
367 | 367 | ||
368 | memset(&wh, 0, sizeof(wh)); | 368 | memset(&ex, 0, sizeof(ex)); |
369 | b = buffer; | 369 | b = buffer; |
370 | 370 | ||
371 | switch (*b) { | 371 | switch (*b) { |
372 | case 'a': | 372 | case 'a': |
373 | switch (filetype) { | 373 | switch (filetype) { |
374 | case DEVCG_ALLOW: | 374 | case DEVCG_ALLOW: |
375 | if (!parent_has_perm(devcgroup, &wh)) | 375 | if (!parent_has_perm(devcgroup, &ex)) |
376 | return -EPERM; | 376 | return -EPERM; |
377 | dev_whitelist_clean(devcgroup); | 377 | dev_exception_clean(devcgroup); |
378 | devcgroup->deny_all = false; | 378 | devcgroup->deny_all = false; |
379 | break; | 379 | break; |
380 | case DEVCG_DENY: | 380 | case DEVCG_DENY: |
381 | dev_whitelist_clean(devcgroup); | 381 | dev_exception_clean(devcgroup); |
382 | devcgroup->deny_all = true; | 382 | devcgroup->deny_all = true; |
383 | break; | 383 | break; |
384 | default: | 384 | default: |
@@ -386,10 +386,10 @@ static int devcgroup_update_access(struct dev_cgroup *devcgroup, | |||
386 | } | 386 | } |
387 | return 0; | 387 | return 0; |
388 | case 'b': | 388 | case 'b': |
389 | wh.type = DEV_BLOCK; | 389 | ex.type = DEV_BLOCK; |
390 | break; | 390 | break; |
391 | case 'c': | 391 | case 'c': |
392 | wh.type = DEV_CHAR; | 392 | ex.type = DEV_CHAR; |
393 | break; | 393 | break; |
394 | default: | 394 | default: |
395 | return -EINVAL; | 395 | return -EINVAL; |
@@ -399,10 +399,10 @@ static int devcgroup_update_access(struct dev_cgroup *devcgroup, | |||
399 | return -EINVAL; | 399 | return -EINVAL; |
400 | b++; | 400 | b++; |
401 | if (*b == '*') { | 401 | if (*b == '*') { |
402 | wh.major = ~0; | 402 | ex.major = ~0; |
403 | b++; | 403 | b++; |
404 | } else if (isdigit(*b)) { | 404 | } else if (isdigit(*b)) { |
405 | wh.major = simple_strtoul(b, &endp, 10); | 405 | ex.major = simple_strtoul(b, &endp, 10); |
406 | b = endp; | 406 | b = endp; |
407 | } else { | 407 | } else { |
408 | return -EINVAL; | 408 | return -EINVAL; |
@@ -413,10 +413,10 @@ static int devcgroup_update_access(struct dev_cgroup *devcgroup, | |||
413 | 413 | ||
414 | /* read minor */ | 414 | /* read minor */ |
415 | if (*b == '*') { | 415 | if (*b == '*') { |
416 | wh.minor = ~0; | 416 | ex.minor = ~0; |
417 | b++; | 417 | b++; |
418 | } else if (isdigit(*b)) { | 418 | } else if (isdigit(*b)) { |
419 | wh.minor = simple_strtoul(b, &endp, 10); | 419 | ex.minor = simple_strtoul(b, &endp, 10); |
420 | b = endp; | 420 | b = endp; |
421 | } else { | 421 | } else { |
422 | return -EINVAL; | 422 | return -EINVAL; |
@@ -426,13 +426,13 @@ static int devcgroup_update_access(struct dev_cgroup *devcgroup, | |||
426 | for (b++, count = 0; count < 3; count++, b++) { | 426 | for (b++, count = 0; count < 3; count++, b++) { |
427 | switch (*b) { | 427 | switch (*b) { |
428 | case 'r': | 428 | case 'r': |
429 | wh.access |= ACC_READ; | 429 | ex.access |= ACC_READ; |
430 | break; | 430 | break; |
431 | case 'w': | 431 | case 'w': |
432 | wh.access |= ACC_WRITE; | 432 | ex.access |= ACC_WRITE; |
433 | break; | 433 | break; |
434 | case 'm': | 434 | case 'm': |
435 | wh.access |= ACC_MKNOD; | 435 | ex.access |= ACC_MKNOD; |
436 | break; | 436 | break; |
437 | case '\n': | 437 | case '\n': |
438 | case '\0': | 438 | case '\0': |
@@ -445,7 +445,7 @@ static int devcgroup_update_access(struct dev_cgroup *devcgroup, | |||
445 | 445 | ||
446 | switch (filetype) { | 446 | switch (filetype) { |
447 | case DEVCG_ALLOW: | 447 | case DEVCG_ALLOW: |
448 | if (!parent_has_perm(devcgroup, &wh)) | 448 | if (!parent_has_perm(devcgroup, &ex)) |
449 | return -EPERM; | 449 | return -EPERM; |
450 | /* | 450 | /* |
451 | * If the default policy is to allow by default, try to remove | 451 | * If the default policy is to allow by default, try to remove |
@@ -453,10 +453,10 @@ static int devcgroup_update_access(struct dev_cgroup *devcgroup, | |||
453 | * don't want to break compatibility | 453 | * don't want to break compatibility |
454 | */ | 454 | */ |
455 | if (devcgroup->deny_all == false) { | 455 | if (devcgroup->deny_all == false) { |
456 | dev_whitelist_rm(devcgroup, &wh); | 456 | dev_exception_rm(devcgroup, &ex); |
457 | return 0; | 457 | return 0; |
458 | } | 458 | } |
459 | return dev_whitelist_add(devcgroup, &wh); | 459 | return dev_exception_add(devcgroup, &ex); |
460 | case DEVCG_DENY: | 460 | case DEVCG_DENY: |
461 | /* | 461 | /* |
462 | * If the default policy is to deny by default, try to remove | 462 | * If the default policy is to deny by default, try to remove |
@@ -464,10 +464,10 @@ static int devcgroup_update_access(struct dev_cgroup *devcgroup, | |||
464 | * don't want to break compatibility | 464 | * don't want to break compatibility |
465 | */ | 465 | */ |
466 | if (devcgroup->deny_all == true) { | 466 | if (devcgroup->deny_all == true) { |
467 | dev_whitelist_rm(devcgroup, &wh); | 467 | dev_exception_rm(devcgroup, &ex); |
468 | return 0; | 468 | return 0; |
469 | } | 469 | } |
470 | return dev_whitelist_add(devcgroup, &wh); | 470 | return dev_exception_add(devcgroup, &ex); |
471 | default: | 471 | default: |
472 | return -EINVAL; | 472 | return -EINVAL; |
473 | } | 473 | } |
@@ -537,17 +537,17 @@ static int __devcgroup_check_permission(struct dev_cgroup *dev_cgroup, | |||
537 | short type, u32 major, u32 minor, | 537 | short type, u32 major, u32 minor, |
538 | short access) | 538 | short access) |
539 | { | 539 | { |
540 | struct dev_whitelist_item wh; | 540 | struct dev_exception_item ex; |
541 | int rc; | 541 | int rc; |
542 | 542 | ||
543 | memset(&wh, 0, sizeof(wh)); | 543 | memset(&ex, 0, sizeof(ex)); |
544 | wh.type = type; | 544 | ex.type = type; |
545 | wh.major = major; | 545 | ex.major = major; |
546 | wh.minor = minor; | 546 | ex.minor = minor; |
547 | wh.access = access; | 547 | ex.access = access; |
548 | 548 | ||
549 | rcu_read_lock(); | 549 | rcu_read_lock(); |
550 | rc = may_access_whitelist(dev_cgroup, &wh); | 550 | rc = may_access(dev_cgroup, &ex); |
551 | rcu_read_unlock(); | 551 | rcu_read_unlock(); |
552 | 552 | ||
553 | if (!rc) | 553 | if (!rc) |