-rw-r--r-- | security/device_cgroup.c | 25 |
1 files changed, 14 insertions, 11 deletions
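diff --git a/security/device_cgroup.c b/security/device_cgroup.c
index 46d01fcc0d15..76503df23770 100644
--- a/security/device_cgroup.c
+++ b/security/device_cgroup.c
@@ -42,7 +42,10 @@ struct dev_exception_item {
 struct dev_cgroup {
 struct cgroup_subsys_state css;
 struct list_head exceptions;
-bool deny_all;
+enum {
+DEVCG_DEFAULT_ALLOW,
+DEVCG_DEFAULT_DENY,
+} behavior;
 };
 
 static inline struct dev_cgroup *css_to_devcgroup(struct cgroup_subsys_state *s)
@@ -182,13 +185,13 @@ static struct cgroup_subsys_state *devcgroup_create(struct cgroup *cgroup)
 parent_cgroup = cgroup->parent;
 
 if (parent_cgroup == NULL)
-dev_cgroup->deny_all = false;
+dev_cgroup->behavior = DEVCG_DEFAULT_ALLOW;
 else {
 parent_dev_cgroup = cgroup_to_devcgroup(parent_cgroup);
 mutex_lock(&devcgroup_mutex);
 ret = dev_exceptions_copy(&dev_cgroup->exceptions,
 &parent_dev_cgroup->exceptions);
-dev_cgroup->deny_all = parent_dev_cgroup->deny_all;
+dev_cgroup->behavior = parent_dev_cgroup->behavior;
 mutex_unlock(&devcgroup_mutex);
 if (ret) {
 kfree(dev_cgroup);
@@ -260,7 +263,7 @@ static int devcgroup_seq_read(struct cgroup *cgroup, struct cftype *cft,
 * - List the exceptions in case the default policy is to deny
 * This way, the file remains as a "whitelist of devices"
 */
-if (devcgroup->deny_all == false) {
+if (devcgroup->behavior == DEVCG_DEFAULT_ALLOW) {
 set_access(acc, ACC_MASK);
 set_majmin(maj, ~0);
 set_majmin(min, ~0);
@@ -314,12 +317,12 @@ static int may_access(struct dev_cgroup *dev_cgroup,
 * In two cases we'll consider this new exception valid:
 * - the dev cgroup has its default policy to allow + exception list:
 * the new exception should *not* match any of the exceptions
-* (!deny_all, !match)
+* (behavior == DEVCG_DEFAULT_ALLOW, !match)
 * - the dev cgroup has its default policy to deny + exception list:
 * the new exception *should* match the exceptions
-* (deny_all, match)
+* (behavior == DEVCG_DEFAULT_DENY, match)
 */
-if (dev_cgroup->deny_all == match)
+if ((dev_cgroup->behavior == DEVCG_DEFAULT_DENY) == match)
 return 1;
 return 0;
 }
@@ -375,11 +378,11 @@ static int devcgroup_update_access(struct dev_cgroup *devcgroup,
 if (!parent_has_perm(devcgroup, &ex))
 return -EPERM;
 dev_exception_clean(devcgroup);
-devcgroup->deny_all = false;
+devcgroup->behavior = DEVCG_DEFAULT_ALLOW;
 break;
 case DEVCG_DENY:
 dev_exception_clean(devcgroup);
-devcgroup->deny_all = true;
+devcgroup->behavior = DEVCG_DEFAULT_DENY;
 break;
 default:
 return -EINVAL;
@@ -452,7 +455,7 @@ static int devcgroup_update_access(struct dev_cgroup *devcgroup,
 * an matching exception instead. And be silent about it: we
 * don't want to break compatibility
 */
-if (devcgroup->deny_all == false) {
+if (devcgroup->behavior == DEVCG_DEFAULT_ALLOW) {
 dev_exception_rm(devcgroup, &ex);
 return 0;
 }
@@ -463,7 +466,7 @@ static int devcgroup_update_access(struct dev_cgroup *devcgroup,
 * an matching exception instead. And be silent about it: we
 * don't want to break compatibility
 */
-if (devcgroup->deny_all == true) {
+if (devcgroup->behavior == DEVCG_DEFAULT_DENY) {
 dev_exception_rm(devcgroup, &ex);
 return 0;
 }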
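Review bot: The new `behavior` member in the `struct dev_cgroup` hunk is declared with an anonymous enum, so the type cannot be named in a prototype or a local variable elsewhere, and the enumerators `DEVCG_DEFAULT_ALLOW`/`DEVCG_DEFAULT_DENY` sit next to the pre-existing `DEVCG_DENY` command constant used in the `devcgroup_update_access` switch, which makes a silent mix-up (`behavior == DEVCG_DENY`) compile without complaint. Since this field is the default-policy input to the access decision in `may_access`, I would give the enum a tag and a short comment: `enum devcg_behavior { DEVCG_DEFAULT_ALLOW, DEVCG_DEFAULT_DENY };` and `enum devcg_behavior behavior; /* default policy when no exception matches */`. Whether `DEVCG_DENY` is itself an enumerator or a macro is not visible in this diff, so the mix-up risk is inferred from the names alone. The `(behavior == DEVCG_DEFAULT_DENY) == match` form in `may_access` is also harder to read than the comment above it; that function's body starts outside the hunk, so the type and range of `match` cannot be confirmed here.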