1 files changed, 134 insertions, 98 deletions
diff --git a/security/device_cgroup.c b/security/device_cgroup.c
index 5b36b62e9ff4..91cf803c3431 100644
--- a/security/device_cgroup.c
+++ b/security/device_cgroup.c
@@ -96,7 +96,6 @@ free_and_exit:
        return -ENOMEM;
 }
-/* Stupid prototype - don't bother combining existing entries */
 /*
 * called under devcgroup_mutex
 */
@@ -136,16 +135,13 @@ static void dev_whitelist_rm(struct dev_cgroup *dev_cgroup,
        struct dev_whitelist_item *walk, *tmp;
        list_for_each_entry_safe(walk, tmp, &dev_cgroup->whitelist, list) {
-                if (walk->type == DEV_ALL)
-                        goto remove;
                if (walk->type != wh->type)
                        continue;
-                if (walk->major != ~0 && walk->major != wh->major)
+                if (walk->major != wh->major)
                        continue;
-                if (walk->minor != ~0 && walk->minor != wh->minor)
+                if (walk->minor != wh->minor)
                        continue;
-remove:
                walk->access &= ~wh->access;
                if (!walk->access) {
                        list_del_rcu(&walk->list);
@@ -185,19 +181,9 @@ static struct cgroup_subsys_state *devcgroup_create(struct cgroup *cgroup)
        INIT_LIST_HEAD(&dev_cgroup->whitelist);
        parent_cgroup = cgroup->parent;
-        if (parent_cgroup == NULL) {
+        if (parent_cgroup == NULL)
-                struct dev_whitelist_item *wh;
-                wh = kmalloc(sizeof(*wh), GFP_KERNEL);
-                if (!wh) {
-                        kfree(dev_cgroup);
-                        return ERR_PTR(-ENOMEM);
-                }
-                wh->minor = wh->major = ~0;
-                wh->type = DEV_ALL;
-                wh->access = ACC_MASK;
                dev_cgroup->deny_all = false;
-                list_add(&wh->list, &dev_cgroup->whitelist);
+        else {
-        } else {
                parent_dev_cgroup = cgroup_to_devcgroup(parent_cgroup);
                mutex_lock(&devcgroup_mutex);
                ret = dev_whitelist_copy(&dev_cgroup->whitelist,
@@ -268,33 +254,48 @@ static int devcgroup_seq_read(struct cgroup *cgroup, struct cftype *cft,
        char maj[MAJMINLEN], min[MAJMINLEN], acc[ACCLEN];
        rcu_read_lock();
-        list_for_each_entry_rcu(wh, &devcgroup->whitelist, list) {
+        /*
-                set_access(acc, wh->access);
+         * To preserve the compatibility:
-                set_majmin(maj, wh->major);
+         * - Only show the "all devices" when the default policy is to allow
-                set_majmin(min, wh->minor);
+         * - List the exceptions in case the default policy is to deny
-                seq_printf(m, "%c %s:%s %s\n", type_to_char(wh->type),
+         * This way, the file remains as a "whitelist of devices"
+         */
+        if (devcgroup->deny_all == false) {
+                set_access(acc, ACC_MASK);
+                set_majmin(maj, ~0);
+                set_majmin(min, ~0);
+                seq_printf(m, "%c %s:%s %s\n", type_to_char(DEV_ALL),
                           maj, min, acc);
+        } else {
+                list_for_each_entry_rcu(wh, &devcgroup->whitelist, list) {
+                        set_access(acc, wh->access);
+                        set_majmin(maj, wh->major);
+                        set_majmin(min, wh->minor);
+                        seq_printf(m, "%c %s:%s %s\n", type_to_char(wh->type),
+                                   maj, min, acc);
+                }
        }
        rcu_read_unlock();
        return 0;
 }
-/*
+/**
- * may_access_whitelist:
+ * may_access_whitelist - verifies if a new rule is part of what is allowed
- * does the access granted to dev_cgroup c contain the access
+ *                        by a dev cgroup based on the default policy +
- * requested in whitelist item refwh.
+ *                        exceptions. This is used to make sure a child cgroup
- * return 1 if yes, 0 if no.
+ *                        won't have more privileges than its parent or to
- * call with devcgroup_mutex held
+ *                        verify if a certain access is allowed.
+ * @dev_cgroup: dev cgroup to be tested against
+ * @refwh: new rule
 */
-static int may_access_whitelist(struct dev_cgroup *c,
+static int may_access_whitelist(struct dev_cgroup *dev_cgroup,
-                                       struct dev_whitelist_item *refwh)
+                                struct dev_whitelist_item *refwh)
 {
        struct dev_whitelist_item *whitem;
+        bool match = false;
-        list_for_each_entry(whitem, &c->whitelist, list) {
+        list_for_each_entry(whitem, &dev_cgroup->whitelist, list) {
-                if (whitem->type & DEV_ALL)
-                        return 1;
                if ((refwh->type & DEV_BLOCK) && !(whitem->type & DEV_BLOCK))
                        continue;
                if ((refwh->type & DEV_CHAR) && !(whitem->type & DEV_CHAR))
@@ -305,8 +306,21 @@ static int may_access_whitelist(struct dev_cgroup *c,
                        continue;
                if (refwh->access & (~whitem->access))
                        continue;
-                return 1;
+                match = true;
+                break;
        }
+        /*
+         * In two cases we'll consider this new rule valid:
+         * - the dev cgroup has its default policy to allow + exception list:
+         *   the new rule should *not* match any of the exceptions
+         *   (!deny_all, !match)
+         * - the dev cgroup has its default policy to deny + exception list:
+         *   the new rule *should* match the exceptions
+         *   (deny_all, match)
+         */
+        if (dev_cgroup->deny_all == match)
+                return 1;
        return 0;
 }
@@ -356,11 +370,21 @@ static int devcgroup_update_access(struct dev_cgroup *devcgroup,
        switch (*b) {
        case 'a':
-                wh.type = DEV_ALL;
+                switch (filetype) {
-                wh.access = ACC_MASK;
+                case DEVCG_ALLOW:
-                wh.major = ~0;
+                        if (!parent_has_perm(devcgroup, &wh))
-                wh.minor = ~0;
+                                return -EPERM;
-                goto handle;
+                        dev_whitelist_clean(devcgroup);
+                        devcgroup->deny_all = false;
+                        break;
+                case DEVCG_DENY:
+                        dev_whitelist_clean(devcgroup);
+                        devcgroup->deny_all = true;
+                        break;
+                default:
+                        return -EINVAL;
+                }
+                return 0;
        case 'b':
                wh.type = DEV_BLOCK;
                break;
@@ -419,17 +443,31 @@ static int devcgroup_update_access(struct dev_cgroup *devcgroup,
                }
        }
-handle:
        switch (filetype) {
        case DEVCG_ALLOW:
                if (!parent_has_perm(devcgroup, &wh))
                        return -EPERM;
-                devcgroup->deny_all = false;
+                /*
+                 * If the default policy is to allow by default, try to remove
+                 * an matching exception instead. And be silent about it: we
+                 * don't want to break compatibility
+                 */
+                if (devcgroup->deny_all == false) {
+                        dev_whitelist_rm(devcgroup, &wh);
+                        return 0;
+                }
                return dev_whitelist_add(devcgroup, &wh);
        case DEVCG_DENY:
-                dev_whitelist_rm(devcgroup, &wh);
+                /*
-                devcgroup->deny_all = true;
+                 * If the default policy is to deny by default, try to remove
-                break;
+                 * an matching exception instead. And be silent about it: we
+                 * don't want to break compatibility
+                 */
+                if (devcgroup->deny_all == true) {
+                        dev_whitelist_rm(devcgroup, &wh);
+                        return 0;
+                }
+                return dev_whitelist_add(devcgroup, &wh);
        default:
                return -EINVAL;
        }
@@ -485,73 +523,71 @@ struct cgroup_subsys devices_subsys = {
        .broken_hierarchy = true,
 };
-int __devcgroup_inode_permission(struct inode *inode, int mask)
+/**
+ * __devcgroup_check_permission - checks if an inode operation is permitted
+ * @dev_cgroup: the dev cgroup to be tested against
+ * @type: device type
+ * @major: device major number
+ * @minor: device minor number
+ * @access: combination of ACC_WRITE, ACC_READ and ACC_MKNOD
+ *
+ * returns 0 on success, -EPERM case the operation is not permitted
+ */
+static int __devcgroup_check_permission(struct dev_cgroup *dev_cgroup,
+                                        short type, u32 major, u32 minor,
+                                        short access)
 {
-        struct dev_cgroup *dev_cgroup;
+        struct dev_whitelist_item wh;
-        struct dev_whitelist_item *wh;
+        int rc;
-        rcu_read_lock();
-        dev_cgroup = task_devcgroup(current);
+        memset(&wh, 0, sizeof(wh));
+        wh.type = type;
+        wh.major = major;
+        wh.minor = minor;
+        wh.access = access;
-        list_for_each_entry_rcu(wh, &dev_cgroup->whitelist, list) {
+        rcu_read_lock();
-                if (wh->type & DEV_ALL)
+        rc = may_access_whitelist(dev_cgroup, &wh);
-                        goto found;
+        rcu_read_unlock();
-                if ((wh->type & DEV_BLOCK) && !S_ISBLK(inode->i_mode))
-                        continue;
-                if ((wh->type & DEV_CHAR) && !S_ISCHR(inode->i_mode))
-                        continue;
-                if (wh->major != ~0 && wh->major != imajor(inode))
-                        continue;
-                if (wh->minor != ~0 && wh->minor != iminor(inode))
-                        continue;
-                if ((mask & MAY_WRITE) && !(wh->access & ACC_WRITE))
+        if (!rc)
-                        continue;
+                return -EPERM;
-                if ((mask & MAY_READ) && !(wh->access & ACC_READ))
-                        continue;
-found:
-                rcu_read_unlock();
-                return 0;
-        }
-        rcu_read_unlock();
+        return 0;
+}
-        return -EPERM;
+int __devcgroup_inode_permission(struct inode *inode, int mask)
+{
+        struct dev_cgroup *dev_cgroup = task_devcgroup(current);
+        short type, access = 0;
+        if (S_ISBLK(inode->i_mode))
+                type = DEV_BLOCK;
+        if (S_ISCHR(inode->i_mode))
+                type = DEV_CHAR;
+        if (mask & MAY_WRITE)
+                access |= ACC_WRITE;
+        if (mask & MAY_READ)
+                access |= ACC_READ;
+        return __devcgroup_check_permission(dev_cgroup, type, imajor(inode),
+                                            iminor(inode), access);
 }
 int devcgroup_inode_mknod(int mode, dev_t dev)
 {
-        struct dev_cgroup *dev_cgroup;
+        struct dev_cgroup *dev_cgroup = task_devcgroup(current);
-        struct dev_whitelist_item *wh;
+        short type;
        if (!S_ISBLK(mode) && !S_ISCHR(mode))
                return 0;
-        rcu_read_lock();
+        if (S_ISBLK(mode))
+                type = DEV_BLOCK;
-        dev_cgroup = task_devcgroup(current);
+        else
+                type = DEV_CHAR;
-        list_for_each_entry_rcu(wh, &dev_cgroup->whitelist, list) {
-                if (wh->type & DEV_ALL)
-                        goto found;
-                if ((wh->type & DEV_BLOCK) && !S_ISBLK(mode))
-                        continue;
-                if ((wh->type & DEV_CHAR) && !S_ISCHR(mode))
-                        continue;
-                if (wh->major != ~0 && wh->major != MAJOR(dev))
-                        continue;
-                if (wh->minor != ~0 && wh->minor != MINOR(dev))
-                        continue;
-                if (!(wh->access & ACC_MKNOD))
-                        continue;
-found:
-                rcu_read_unlock();
-                return 0;
-        }
-        rcu_read_unlock();
+        return __devcgroup_check_permission(dev_cgroup, type, MAJOR(dev),
+                                            MINOR(dev), ACC_MKNOD);
-        return -EPERM;
 }

diff --git a/security/device_cgroup.c b/security/device_cgroup.c index 5b36b62e9ff4..91cf803c3431 100644 --- a/security/device_cgroup.c +++ b/security/device_cgroup.c
@@ -96,7 +96,6 @@ free_and_exit:
96	return -ENOMEM;	96	return -ENOMEM;
97	}	97	}
98		98
99	/* Stupid prototype - don't bother combining existing entries */
100	/*	99	/*
101	* called under devcgroup_mutex	100	* called under devcgroup_mutex
102	*/	101	*/
@@ -136,16 +135,13 @@ static void dev_whitelist_rm(struct dev_cgroup *dev_cgroup,
136	struct dev_whitelist_item walk, tmp;	135	struct dev_whitelist_item walk, tmp;
137		136
138	list_for_each_entry_safe(walk, tmp, &dev_cgroup->whitelist, list) {	137	list_for_each_entry_safe(walk, tmp, &dev_cgroup->whitelist, list) {
139	if (walk->type == DEV_ALL)
140	goto remove;
141	if (walk->type != wh->type)	138	if (walk->type != wh->type)
142	continue;	139	continue;
143	if (walk->major != ~0 && walk->major != wh->major)	140	if (walk->major != wh->major)
144	continue;	141	continue;
145	if (walk->minor != ~0 && walk->minor != wh->minor)	142	if (walk->minor != wh->minor)
146	continue;	143	continue;
147		144
148	remove:
149	walk->access &= ~wh->access;	145	walk->access &= ~wh->access;
150	if (!walk->access) {	146	if (!walk->access) {
151	list_del_rcu(&walk->list);	147	list_del_rcu(&walk->list);
@@ -185,19 +181,9 @@ static struct cgroup_subsys_state devcgroup_create(struct cgroup cgroup)
185	INIT_LIST_HEAD(&dev_cgroup->whitelist);	181	INIT_LIST_HEAD(&dev_cgroup->whitelist);
186	parent_cgroup = cgroup->parent;	182	parent_cgroup = cgroup->parent;
187		183
188	if (parent_cgroup == NULL) {	184	if (parent_cgroup == NULL)
189	struct dev_whitelist_item *wh;
190	wh = kmalloc(sizeof(*wh), GFP_KERNEL);
191	if (!wh) {
192	kfree(dev_cgroup);
193	return ERR_PTR(-ENOMEM);
194	}
195	wh->minor = wh->major = ~0;
196	wh->type = DEV_ALL;
197	wh->access = ACC_MASK;
198	dev_cgroup->deny_all = false;	185	dev_cgroup->deny_all = false;
199	list_add(&wh->list, &dev_cgroup->whitelist);	186	else {
200	} else {
201	parent_dev_cgroup = cgroup_to_devcgroup(parent_cgroup);	187	parent_dev_cgroup = cgroup_to_devcgroup(parent_cgroup);
202	mutex_lock(&devcgroup_mutex);	188	mutex_lock(&devcgroup_mutex);
203	ret = dev_whitelist_copy(&dev_cgroup->whitelist,	189	ret = dev_whitelist_copy(&dev_cgroup->whitelist,
@@ -268,33 +254,48 @@ static int devcgroup_seq_read(struct cgroup cgroup, struct cftype cft,
268	char maj[MAJMINLEN], min[MAJMINLEN], acc[ACCLEN];	254	char maj[MAJMINLEN], min[MAJMINLEN], acc[ACCLEN];
269		255
270	rcu_read_lock();	256	rcu_read_lock();
271	list_for_each_entry_rcu(wh, &devcgroup->whitelist, list) {	257	/*
272	set_access(acc, wh->access);	258	* To preserve the compatibility:
273	set_majmin(maj, wh->major);	259	* - Only show the "all devices" when the default policy is to allow
274	set_majmin(min, wh->minor);	260	* - List the exceptions in case the default policy is to deny
275	seq_printf(m, "%c %s:%s %s\n", type_to_char(wh->type),	261	* This way, the file remains as a "whitelist of devices"
		262	*/
		263	if (devcgroup->deny_all == false) {
		264	set_access(acc, ACC_MASK);
		265	set_majmin(maj, ~0);
		266	set_majmin(min, ~0);
		267	seq_printf(m, "%c %s:%s %s\n", type_to_char(DEV_ALL),
276	maj, min, acc);	268	maj, min, acc);
		269	} else {
		270	list_for_each_entry_rcu(wh, &devcgroup->whitelist, list) {
		271	set_access(acc, wh->access);
		272	set_majmin(maj, wh->major);
		273	set_majmin(min, wh->minor);
		274	seq_printf(m, "%c %s:%s %s\n", type_to_char(wh->type),
		275	maj, min, acc);
		276	}
277	}	277	}
278	rcu_read_unlock();	278	rcu_read_unlock();
279		279
280	return 0;	280	return 0;
281	}	281	}
282		282
283	/*	283	/**
284	* may_access_whitelist:	284	* may_access_whitelist - verifies if a new rule is part of what is allowed
285	* does the access granted to dev_cgroup c contain the access	285	* by a dev cgroup based on the default policy +
286	* requested in whitelist item refwh.	286	* exceptions. This is used to make sure a child cgroup
287	* return 1 if yes, 0 if no.	287	* won't have more privileges than its parent or to
288	* call with devcgroup_mutex held	288	* verify if a certain access is allowed.
		289	* @dev_cgroup: dev cgroup to be tested against
		290	* @refwh: new rule
289	*/	291	*/
290	static int may_access_whitelist(struct dev_cgroup *c,	292	static int may_access_whitelist(struct dev_cgroup *dev_cgroup,
291	struct dev_whitelist_item *refwh)	293	struct dev_whitelist_item *refwh)
292	{	294	{
293	struct dev_whitelist_item *whitem;	295	struct dev_whitelist_item *whitem;
		296	bool match = false;
294		297
295	list_for_each_entry(whitem, &c->whitelist, list) {	298	list_for_each_entry(whitem, &dev_cgroup->whitelist, list) {
296	if (whitem->type & DEV_ALL)
297	return 1;
298	if ((refwh->type & DEV_BLOCK) && !(whitem->type & DEV_BLOCK))	299	if ((refwh->type & DEV_BLOCK) && !(whitem->type & DEV_BLOCK))
299	continue;	300	continue;
300	if ((refwh->type & DEV_CHAR) && !(whitem->type & DEV_CHAR))	301	if ((refwh->type & DEV_CHAR) && !(whitem->type & DEV_CHAR))
@@ -305,8 +306,21 @@ static int may_access_whitelist(struct dev_cgroup *c,
305	continue;	306	continue;
306	if (refwh->access & (~whitem->access))	307	if (refwh->access & (~whitem->access))
307	continue;	308	continue;
308	return 1;	309	match = true;
		310	break;
309	}	311	}
		312
		313	/*
		314	* In two cases we'll consider this new rule valid:
		315	* - the dev cgroup has its default policy to allow + exception list:
		316	* the new rule should not match any of the exceptions
		317	* (!deny_all, !match)
		318	* - the dev cgroup has its default policy to deny + exception list:
		319	* the new rule should match the exceptions
		320	* (deny_all, match)
		321	*/
		322	if (dev_cgroup->deny_all == match)
		323	return 1;
310	return 0;	324	return 0;
311	}	325	}
312		326
@@ -356,11 +370,21 @@ static int devcgroup_update_access(struct dev_cgroup *devcgroup,
356		370
357	switch (*b) {	371	switch (*b) {
358	case 'a':	372	case 'a':
359	wh.type = DEV_ALL;	373	switch (filetype) {
360	wh.access = ACC_MASK;	374	case DEVCG_ALLOW:
361	wh.major = ~0;	375	if (!parent_has_perm(devcgroup, &wh))
362	wh.minor = ~0;	376	return -EPERM;
363	goto handle;	377	dev_whitelist_clean(devcgroup);
		378	devcgroup->deny_all = false;
		379	break;
		380	case DEVCG_DENY:
		381	dev_whitelist_clean(devcgroup);
		382	devcgroup->deny_all = true;
		383	break;
		384	default:
		385	return -EINVAL;
		386	}
		387	return 0;
364	case 'b':	388	case 'b':
365	wh.type = DEV_BLOCK;	389	wh.type = DEV_BLOCK;
366	break;	390	break;
@@ -419,17 +443,31 @@ static int devcgroup_update_access(struct dev_cgroup *devcgroup,
419	}	443	}
420	}	444	}
421		445
422	handle:
423	switch (filetype) {	446	switch (filetype) {
424	case DEVCG_ALLOW:	447	case DEVCG_ALLOW:
425	if (!parent_has_perm(devcgroup, &wh))	448	if (!parent_has_perm(devcgroup, &wh))
426	return -EPERM;	449	return -EPERM;
427	devcgroup->deny_all = false;	450	/*
		451	* If the default policy is to allow by default, try to remove
		452	* an matching exception instead. And be silent about it: we
		453	* don't want to break compatibility
		454	*/
		455	if (devcgroup->deny_all == false) {
		456	dev_whitelist_rm(devcgroup, &wh);
		457	return 0;
		458	}
428	return dev_whitelist_add(devcgroup, &wh);	459	return dev_whitelist_add(devcgroup, &wh);
429	case DEVCG_DENY:	460	case DEVCG_DENY:
430	dev_whitelist_rm(devcgroup, &wh);	461	/*
431	devcgroup->deny_all = true;	462	* If the default policy is to deny by default, try to remove
432	break;	463	* an matching exception instead. And be silent about it: we
		464	* don't want to break compatibility
		465	*/
		466	if (devcgroup->deny_all == true) {
		467	dev_whitelist_rm(devcgroup, &wh);
		468	return 0;
		469	}
		470	return dev_whitelist_add(devcgroup, &wh);
433	default:	471	default:
434	return -EINVAL;	472	return -EINVAL;
435	}	473	}
@@ -485,73 +523,71 @@ struct cgroup_subsys devices_subsys = {
485	.broken_hierarchy = true,	523	.broken_hierarchy = true,
486	};	524	};
487		525
488	int __devcgroup_inode_permission(struct inode *inode, int mask)	526	/**
		527	* __devcgroup_check_permission - checks if an inode operation is permitted
		528	* @dev_cgroup: the dev cgroup to be tested against
		529	* @type: device type
		530	* @major: device major number
		531	* @minor: device minor number
		532	* @access: combination of ACC_WRITE, ACC_READ and ACC_MKNOD
		533	*
		534	* returns 0 on success, -EPERM case the operation is not permitted
		535	*/
		536	static int __devcgroup_check_permission(struct dev_cgroup *dev_cgroup,
		537	short type, u32 major, u32 minor,
		538	short access)
489	{	539	{
490	struct dev_cgroup *dev_cgroup;	540	struct dev_whitelist_item wh;
491	struct dev_whitelist_item *wh;	541	int rc;
492
493	rcu_read_lock();
494		542
495	dev_cgroup = task_devcgroup(current);	543	memset(&wh, 0, sizeof(wh));
		544	wh.type = type;
		545	wh.major = major;
		546	wh.minor = minor;
		547	wh.access = access;
496		548
497	list_for_each_entry_rcu(wh, &dev_cgroup->whitelist, list) {	549	rcu_read_lock();
498	if (wh->type & DEV_ALL)	550	rc = may_access_whitelist(dev_cgroup, &wh);
499	goto found;	551	rcu_read_unlock();
500	if ((wh->type & DEV_BLOCK) && !S_ISBLK(inode->i_mode))
501	continue;
502	if ((wh->type & DEV_CHAR) && !S_ISCHR(inode->i_mode))
503	continue;
504	if (wh->major != ~0 && wh->major != imajor(inode))
505	continue;
506	if (wh->minor != ~0 && wh->minor != iminor(inode))
507	continue;
508		552
509	if ((mask & MAY_WRITE) && !(wh->access & ACC_WRITE))	553	if (!rc)
510	continue;	554	return -EPERM;
511	if ((mask & MAY_READ) && !(wh->access & ACC_READ))
512	continue;
513	found:
514	rcu_read_unlock();
515	return 0;
516	}
517		555
518	rcu_read_unlock();	556	return 0;
		557	}
519		558
520	return -EPERM;	559	int __devcgroup_inode_permission(struct inode *inode, int mask)
		560	{
		561	struct dev_cgroup *dev_cgroup = task_devcgroup(current);
		562	short type, access = 0;
		563
		564	if (S_ISBLK(inode->i_mode))
		565	type = DEV_BLOCK;
		566	if (S_ISCHR(inode->i_mode))
		567	type = DEV_CHAR;
		568	if (mask & MAY_WRITE)
		569	access \|= ACC_WRITE;
		570	if (mask & MAY_READ)
		571	access \|= ACC_READ;
		572
		573	return __devcgroup_check_permission(dev_cgroup, type, imajor(inode),
		574	iminor(inode), access);
521	}	575	}
522		576
523	int devcgroup_inode_mknod(int mode, dev_t dev)	577	int devcgroup_inode_mknod(int mode, dev_t dev)
524	{	578	{
525	struct dev_cgroup *dev_cgroup;	579	struct dev_cgroup *dev_cgroup = task_devcgroup(current);
526	struct dev_whitelist_item *wh;	580	short type;
527		581
528	if (!S_ISBLK(mode) && !S_ISCHR(mode))	582	if (!S_ISBLK(mode) && !S_ISCHR(mode))
529	return 0;	583	return 0;
530		584
531	rcu_read_lock();	585	if (S_ISBLK(mode))
532		586	type = DEV_BLOCK;
533	dev_cgroup = task_devcgroup(current);	587	else
534		588	type = DEV_CHAR;
535	list_for_each_entry_rcu(wh, &dev_cgroup->whitelist, list) {
536	if (wh->type & DEV_ALL)
537	goto found;
538	if ((wh->type & DEV_BLOCK) && !S_ISBLK(mode))
539	continue;
540	if ((wh->type & DEV_CHAR) && !S_ISCHR(mode))
541	continue;
542	if (wh->major != ~0 && wh->major != MAJOR(dev))
543	continue;
544	if (wh->minor != ~0 && wh->minor != MINOR(dev))
545	continue;
546
547	if (!(wh->access & ACC_MKNOD))
548	continue;
549	found:
550	rcu_read_unlock();
551	return 0;
552	}
553		589
554	rcu_read_unlock();	590	return __devcgroup_check_permission(dev_cgroup, type, MAJOR(dev),
		591	MINOR(dev), ACC_MKNOD);
555		592
556	return -EPERM;
557	}	593	}