Diffstat (limited to 'security')
-rw-r--r--security/device_cgroup.c9
1 files changed, 9 insertions, 0 deletions
diff --git a/security/device_cgroup.c b/security/device_cgroup.c
index 442204cc22d9..4b877a92a7ea 100644
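--- a/security/device_cgroup.c
+++ b/security/device_cgroup.c
@@ -457,6 +457,15 @@ struct cgroup_subsys devices_subsys = {
  .destroy = devcgroup_destroy,
  .subsys_id = devices_subsys_id,
  .base_cftypes = dev_cgroup_files,
+
+ /*
+ * While devices cgroup has the rudimentary hierarchy support which
+ * checks the parent's restriction, it doesn't properly propagates
+ * config changes in ancestors to their descendents. A child
+ * should only be allowed to add more restrictions to the parent's
+ * configuration. Fix it and remove the following.
+ */
+ .broken_hierarchy = true,
 };
 
 int __devcgroup_inode_permission(struct inode *inode, int mask)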
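Review bot: The comment added above `.broken_hierarchy = true` names the defect but not its consequence for anyone using the device whitelist as a containment boundary. As the comment describes it, a restriction added to a parent after a child exists is not pushed down, so the child would keep the access it already had. I would state that in the comment, e.g. `* Until then, tightening a parent does not revoke access in existing children.`, and fix the wording (`doesn't properly propagate`, `descendants`). The `devices_subsys` initializer starts above the hunk and the code that reads the flag is not shown, so whether setting it only warns or actually prevents nested use should be confirmed against the cgroup core.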