-rw-r--r-- | security/device_cgroup.c | 33 |
1 files changed, 16 insertions, 17 deletions
diff --git a/security/device_cgroup.c b/security/device_cgroup.c index b9048dc46b1a..6b1266dd92bb 100644 --- a/security/device_cgroup.c +++ b/security/device_cgroup.c | |||
@@ -306,17 +306,17 @@ static int devcgroup_seq_show(struct seq_file *m, void *v) | |||
306 | } | 306 | } |
307 | 307 | ||
308 | /** | 308 | /** |
309 | * match_exception - iterates the exception list trying to match a rule | 309 | * match_exception - iterates the exception list trying to find a complete match |
310 | * based on type, major, minor and access type. It is | ||
311 | * considered a match if an exception is found that | ||
312 | * will contain the entire range of provided parameters. | ||
313 | * @exceptions: list of exceptions | 310 | * @exceptions: list of exceptions |
314 | * @type: device type (DEV_BLOCK or DEV_CHAR) | 311 | * @type: device type (DEV_BLOCK or DEV_CHAR) |
315 | * @major: device file major number, ~0 to match all | 312 | * @major: device file major number, ~0 to match all |
316 | * @minor: device file minor number, ~0 to match all | 313 | * @minor: device file minor number, ~0 to match all |
317 | * @access: permission mask (ACC_READ, ACC_WRITE, ACC_MKNOD) | 314 | * @access: permission mask (ACC_READ, ACC_WRITE, ACC_MKNOD) |
318 | * | 315 | * |
319 | * returns: true in case it matches an exception completely | 316 | * It is considered a complete match if an exception is found that will |
317 | * contain the entire range of provided parameters. | ||
318 | * | ||
319 | * Return: true in case it matches an exception completely | ||
320 | */ | 320 | */ |
321 | static bool match_exception(struct list_head *exceptions, short type, | 321 | static bool match_exception(struct list_head *exceptions, short type, |
322 | u32 major, u32 minor, short access) | 322 | u32 major, u32 minor, short access) |
@@ -341,20 +341,19 @@ static bool match_exception(struct list_head *exceptions, short type, | |||
341 | } | 341 | } |
342 | 342 | ||
343 | /** | 343 | /** |
344 | * match_exception_partial - iterates the exception list trying to match a rule | 344 | * match_exception_partial - iterates the exception list trying to find a partial match |
345 | * based on type, major, minor and access type. It is | ||
346 | * considered a match if an exception's range is | ||
347 | * found to contain *any* of the devices specified by | ||
348 | * provided parameters. This is used to make sure no | ||
349 | * extra access is being granted that is forbidden by | ||
350 | * any of the exception list. | ||
351 | * @exceptions: list of exceptions | 345 | * @exceptions: list of exceptions |
352 | * @type: device type (DEV_BLOCK or DEV_CHAR) | 346 | * @type: device type (DEV_BLOCK or DEV_CHAR) |
353 | * @major: device file major number, ~0 to match all | 347 | * @major: device file major number, ~0 to match all |
354 | * @minor: device file minor number, ~0 to match all | 348 | * @minor: device file minor number, ~0 to match all |
355 | * @access: permission mask (ACC_READ, ACC_WRITE, ACC_MKNOD) | 349 | * @access: permission mask (ACC_READ, ACC_WRITE, ACC_MKNOD) |
356 | * | 350 | * |
357 | * returns: true in case the provided range mat matches an exception completely | 351 | * It is considered a partial match if an exception's range is found to |
352 | * contain *any* of the devices specified by provided parameters. This is | ||
353 | * used to make sure no extra access is being granted that is forbidden by | ||
354 | * any of the exception list. | ||
355 | * | ||
356 | * Return: true in case the provided range mat matches an exception completely | ||
358 | */ | 357 | */ |
359 | static bool match_exception_partial(struct list_head *exceptions, short type, | 358 | static bool match_exception_partial(struct list_head *exceptions, short type, |
360 | u32 major, u32 minor, short access) | 359 | u32 major, u32 minor, short access) |
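Review bot: The relocated `Return:` line for match_exception_partial (new line 356) still reads "true in case the provided range mat matches an exception completely", which keeps the "mat" typo and, more importantly, contradicts the partial-match contract stated three lines above it (true when an exception covers *any* of the specified devices). Since this helper is, per its own comment, the check that stops a child cgroup from being granted access its parent forbids, a Return: line that describes the complete-match case invites an inverted check by a later maintainer. I would replace it with `* Return: true if any device in the provided range is covered by an exception,` followed by `* false otherwise`; the function body starts at the end of the hunk and continues outside it, so confirm the wording against the actual return paths. The phrase "forbidden by any of the exception list" (new line 353-354) would also read better as "forbidden by any entry in the exception list".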
@@ -387,13 +386,13 @@ static bool match_exception_partial(struct list_head *exceptions, short type, | |||
387 | } | 386 | } |
388 | 387 | ||
389 | /** | 388 | /** |
390 | * verify_new_ex - verifies if a new exception is part of what is allowed | 389 | * verify_new_ex - verifies if a new exception is allowed by parent cgroup's permissions |
391 | * by a dev cgroup based on the default policy + | ||
392 | * exceptions. This is used to make sure a child cgroup | ||
393 | * won't have more privileges than its parent | ||
394 | * @dev_cgroup: dev cgroup to be tested against | 390 | * @dev_cgroup: dev cgroup to be tested against |
395 | * @refex: new exception | 391 | * @refex: new exception |
396 | * @behavior: behavior of the exception's dev_cgroup | 392 | * @behavior: behavior of the exception's dev_cgroup |
393 | * | ||
394 | * This is used to make sure a child cgroup won't have more privileges | ||
395 | * than its parent | ||
397 | */ | 396 | */ |
398 | static bool verify_new_ex(struct dev_cgroup *dev_cgroup, | 397 | static bool verify_new_ex(struct dev_cgroup *dev_cgroup, |
399 | struct dev_exception_item *refex, | 398 | struct dev_exception_item *refex, |
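Review bot: The reworked kernel-doc for verify_new_ex (new lines 389-396) still has no `Return:` section even though the function returns bool (new line 397), so `scripts/kernel-doc -Wreturn` will keep warning on it and the caller-facing meaning of true/false is left undocumented for a privilege-boundary check. Based on the one-line summary, the intended contract is presumably `* Return: true if @refex grants no more than @dev_cgroup's @behavior and exceptions allow, false otherwise`; the body is outside the hunk, so verify the sense of the result before adding it. The trailing sentence "than its parent" could also gain its missing period while the comment is being touched.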