-rw-r--r--security/device_cgroup.c33
1 files changed, 16 insertions, 17 deletions
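diff --git a/security/device_cgroup.c b/security/device_cgroup.c
index b9048dc46b1a..6b1266dd92bb 100644
--- a/security/device_cgroup.c
+++ b/security/device_cgroup.c
@@ -306,17 +306,17 @@ static int devcgroup_seq_show(struct seq_file *m, void *v)
 }
 
 /**
- * match_exception - iterates the exception list trying to match a rule
- * based on type, major, minor and access type. It is
- * considered a match if an exception is found that
- * will contain the entire range of provided parameters.
+ * match_exception - iterates the exception list trying to find a complete match
  * @exceptions: list of exceptions
  * @type: device type (DEV_BLOCK or DEV_CHAR)
  * @major: device file major number, ~0 to match all
  * @minor: device file minor number, ~0 to match all
  * @access: permission mask (ACC_READ, ACC_WRITE, ACC_MKNOD)
  *
- * returns: true in case it matches an exception completely
+ * It is considered a complete match if an exception is found that will
+ * contain the entire range of provided parameters.
+ *
+ * Return: true in case it matches an exception completely
  */
 static bool match_exception(struct list_head *exceptions, short type,
  u32 major, u32 minor, short access)
@@ -341,20 +341,19 @@ static bool match_exception(struct list_head *exceptions, short type,
 }
 
 /**
- * match_exception_partial - iterates the exception list trying to match a rule
- * based on type, major, minor and access type. It is
- * considered a match if an exception's range is
- * found to contain *any* of the devices specified by
- * provided parameters. This is used to make sure no
- * extra access is being granted that is forbidden by
- * any of the exception list.
+ * match_exception_partial - iterates the exception list trying to find a partial match
  * @exceptions: list of exceptions
  * @type: device type (DEV_BLOCK or DEV_CHAR)
  * @major: device file major number, ~0 to match all
  * @minor: device file minor number, ~0 to match all
  * @access: permission mask (ACC_READ, ACC_WRITE, ACC_MKNOD)
  *
- * returns: true in case the provided range mat matches an exception completely
+ * It is considered a partial match if an exception's range is found to
+ * contain *any* of the devices specified by provided parameters. This is
+ * used to make sure no extra access is being granted that is forbidden by
+ * any of the exception list.
+ *
+ * Return: true in case the provided range mat matches an exception completely
  */
 static bool match_exception_partial(struct list_head *exceptions, short type,
  u32 major, u32 minor, short access)
@@ -387,13 +386,13 @@ static bool match_exception_partial(struct list_head *exceptions, short type,
 }
 
 /**
- * verify_new_ex - verifies if a new exception is part of what is allowed
- * by a dev cgroup based on the default policy +
- * exceptions. This is used to make sure a child cgroup
- * won't have more privileges than its parent
+ * verify_new_ex - verifies if a new exception is allowed by parent cgroup's permissions
  * @dev_cgroup: dev cgroup to be tested against
  * @refex: new exception
  * @behavior: behavior of the exception's dev_cgroup
+ *
+ * This is used to make sure a child cgroup won't have more privileges
+ * than its parent
  */
 static bool verify_new_ex(struct dev_cgroup *dev_cgroup,
  struct dev_exception_item *refex,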
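Review bot: The rewritten kernel-doc for match_exception_partial (new line 356) still reads `* Return: true in case the provided range mat matches an exception completely`, which keeps the stray "mat" and, more importantly, says "completely" for a function whose own paragraph just above (new lines 351-354) defines a match as overlap with *any* device in the range. Since that paragraph also states this partial match is what stops extra access from being granted past a deny exception, a reader trusting the Return line could misjudge the check's strength; it should read `* Return: true if any device in the provided range is covered by an exception`. The verify_new_ex comment gains a description paragraph but still no `Return:` line; something like `* Return: true if the new exception is allowed, false otherwise` would complete it, though the exact false/true semantics should be confirmed against the body, which lies outside this hunk. All three documented functions' bodies are outside the hunks shown.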