diff options
Diffstat (limited to 'security')
| -rw-r--r-- | security/apparmor/lsm.c | 2 | ||||
| -rw-r--r-- | security/device_cgroup.c | 65 |
2 files changed, 28 insertions, 39 deletions
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index 2e2a0dd4a73f..e3a704c75ef6 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c | |||
| @@ -666,6 +666,7 @@ static int param_set_aabool(const char *val, const struct kernel_param *kp); | |||
| 666 | static int param_get_aabool(char *buffer, const struct kernel_param *kp); | 666 | static int param_get_aabool(char *buffer, const struct kernel_param *kp); |
| 667 | #define param_check_aabool param_check_bool | 667 | #define param_check_aabool param_check_bool |
| 668 | static struct kernel_param_ops param_ops_aabool = { | 668 | static struct kernel_param_ops param_ops_aabool = { |
| 669 | .flags = KERNEL_PARAM_FL_NOARG, | ||
| 669 | .set = param_set_aabool, | 670 | .set = param_set_aabool, |
| 670 | .get = param_get_aabool | 671 | .get = param_get_aabool |
| 671 | }; | 672 | }; |
| @@ -682,6 +683,7 @@ static int param_set_aalockpolicy(const char *val, const struct kernel_param *kp | |||
| 682 | static int param_get_aalockpolicy(char *buffer, const struct kernel_param *kp); | 683 | static int param_get_aalockpolicy(char *buffer, const struct kernel_param *kp); |
| 683 | #define param_check_aalockpolicy param_check_bool | 684 | #define param_check_aalockpolicy param_check_bool |
| 684 | static struct kernel_param_ops param_ops_aalockpolicy = { | 685 | static struct kernel_param_ops param_ops_aalockpolicy = { |
| 686 | .flags = KERNEL_PARAM_FL_NOARG, | ||
| 685 | .set = param_set_aalockpolicy, | 687 | .set = param_set_aalockpolicy, |
| 686 | .get = param_get_aalockpolicy | 688 | .get = param_get_aalockpolicy |
| 687 | }; | 689 | }; |
diff --git a/security/device_cgroup.c b/security/device_cgroup.c index e8aad69f0d69..c123628d3f84 100644 --- a/security/device_cgroup.c +++ b/security/device_cgroup.c | |||
| @@ -53,22 +53,17 @@ struct dev_cgroup { | |||
| 53 | 53 | ||
| 54 | static inline struct dev_cgroup *css_to_devcgroup(struct cgroup_subsys_state *s) | 54 | static inline struct dev_cgroup *css_to_devcgroup(struct cgroup_subsys_state *s) |
| 55 | { | 55 | { |
| 56 | return container_of(s, struct dev_cgroup, css); | 56 | return s ? container_of(s, struct dev_cgroup, css) : NULL; |
| 57 | } | ||
| 58 | |||
| 59 | static inline struct dev_cgroup *cgroup_to_devcgroup(struct cgroup *cgroup) | ||
| 60 | { | ||
| 61 | return css_to_devcgroup(cgroup_subsys_state(cgroup, devices_subsys_id)); | ||
| 62 | } | 57 | } |
| 63 | 58 | ||
| 64 | static inline struct dev_cgroup *task_devcgroup(struct task_struct *task) | 59 | static inline struct dev_cgroup *task_devcgroup(struct task_struct *task) |
| 65 | { | 60 | { |
| 66 | return css_to_devcgroup(task_subsys_state(task, devices_subsys_id)); | 61 | return css_to_devcgroup(task_css(task, devices_subsys_id)); |
| 67 | } | 62 | } |
| 68 | 63 | ||
| 69 | struct cgroup_subsys devices_subsys; | 64 | struct cgroup_subsys devices_subsys; |
| 70 | 65 | ||
| 71 | static int devcgroup_can_attach(struct cgroup *new_cgrp, | 66 | static int devcgroup_can_attach(struct cgroup_subsys_state *new_css, |
| 72 | struct cgroup_taskset *set) | 67 | struct cgroup_taskset *set) |
| 73 | { | 68 | { |
| 74 | struct task_struct *task = cgroup_taskset_first(set); | 69 | struct task_struct *task = cgroup_taskset_first(set); |
| @@ -193,18 +188,16 @@ static inline bool is_devcg_online(const struct dev_cgroup *devcg) | |||
| 193 | /** | 188 | /** |
| 194 | * devcgroup_online - initializes devcgroup's behavior and exceptions based on | 189 | * devcgroup_online - initializes devcgroup's behavior and exceptions based on |
| 195 | * parent's | 190 | * parent's |
| 196 | * @cgroup: cgroup getting online | 191 | * @css: css getting online |
| 197 | * returns 0 in case of success, error code otherwise | 192 | * returns 0 in case of success, error code otherwise |
| 198 | */ | 193 | */ |
| 199 | static int devcgroup_online(struct cgroup *cgroup) | 194 | static int devcgroup_online(struct cgroup_subsys_state *css) |
| 200 | { | 195 | { |
| 201 | struct dev_cgroup *dev_cgroup, *parent_dev_cgroup = NULL; | 196 | struct dev_cgroup *dev_cgroup = css_to_devcgroup(css); |
| 197 | struct dev_cgroup *parent_dev_cgroup = css_to_devcgroup(css_parent(css)); | ||
| 202 | int ret = 0; | 198 | int ret = 0; |
| 203 | 199 | ||
| 204 | mutex_lock(&devcgroup_mutex); | 200 | mutex_lock(&devcgroup_mutex); |
| 205 | dev_cgroup = cgroup_to_devcgroup(cgroup); | ||
| 206 | if (cgroup->parent) | ||
| 207 | parent_dev_cgroup = cgroup_to_devcgroup(cgroup->parent); | ||
| 208 | 201 | ||
| 209 | if (parent_dev_cgroup == NULL) | 202 | if (parent_dev_cgroup == NULL) |
| 210 | dev_cgroup->behavior = DEVCG_DEFAULT_ALLOW; | 203 | dev_cgroup->behavior = DEVCG_DEFAULT_ALLOW; |
| @@ -219,9 +212,9 @@ static int devcgroup_online(struct cgroup *cgroup) | |||
| 219 | return ret; | 212 | return ret; |
| 220 | } | 213 | } |
| 221 | 214 | ||
| 222 | static void devcgroup_offline(struct cgroup *cgroup) | 215 | static void devcgroup_offline(struct cgroup_subsys_state *css) |
| 223 | { | 216 | { |
| 224 | struct dev_cgroup *dev_cgroup = cgroup_to_devcgroup(cgroup); | 217 | struct dev_cgroup *dev_cgroup = css_to_devcgroup(css); |
| 225 | 218 | ||
| 226 | mutex_lock(&devcgroup_mutex); | 219 | mutex_lock(&devcgroup_mutex); |
| 227 | dev_cgroup->behavior = DEVCG_DEFAULT_NONE; | 220 | dev_cgroup->behavior = DEVCG_DEFAULT_NONE; |
| @@ -231,7 +224,8 @@ static void devcgroup_offline(struct cgroup *cgroup) | |||
| 231 | /* | 224 | /* |
| 232 | * called from kernel/cgroup.c with cgroup_lock() held. | 225 | * called from kernel/cgroup.c with cgroup_lock() held. |
| 233 | */ | 226 | */ |
| 234 | static struct cgroup_subsys_state *devcgroup_css_alloc(struct cgroup *cgroup) | 227 | static struct cgroup_subsys_state * |
| 228 | devcgroup_css_alloc(struct cgroup_subsys_state *parent_css) | ||
| 235 | { | 229 | { |
| 236 | struct dev_cgroup *dev_cgroup; | 230 | struct dev_cgroup *dev_cgroup; |
| 237 | 231 | ||
| @@ -244,11 +238,10 @@ static struct cgroup_subsys_state *devcgroup_css_alloc(struct cgroup *cgroup) | |||
| 244 | return &dev_cgroup->css; | 238 | return &dev_cgroup->css; |
| 245 | } | 239 | } |
| 246 | 240 | ||
| 247 | static void devcgroup_css_free(struct cgroup *cgroup) | 241 | static void devcgroup_css_free(struct cgroup_subsys_state *css) |
| 248 | { | 242 | { |
| 249 | struct dev_cgroup *dev_cgroup; | 243 | struct dev_cgroup *dev_cgroup = css_to_devcgroup(css); |
| 250 | 244 | ||
| 251 | dev_cgroup = cgroup_to_devcgroup(cgroup); | ||
| 252 | __dev_exception_clean(dev_cgroup); | 245 | __dev_exception_clean(dev_cgroup); |
| 253 | kfree(dev_cgroup); | 246 | kfree(dev_cgroup); |
| 254 | } | 247 | } |
| @@ -291,10 +284,10 @@ static void set_majmin(char *str, unsigned m) | |||
| 291 | sprintf(str, "%u", m); | 284 | sprintf(str, "%u", m); |
| 292 | } | 285 | } |
| 293 | 286 | ||
| 294 | static int devcgroup_seq_read(struct cgroup *cgroup, struct cftype *cft, | 287 | static int devcgroup_seq_read(struct cgroup_subsys_state *css, |
| 295 | struct seq_file *m) | 288 | struct cftype *cft, struct seq_file *m) |
| 296 | { | 289 | { |
| 297 | struct dev_cgroup *devcgroup = cgroup_to_devcgroup(cgroup); | 290 | struct dev_cgroup *devcgroup = css_to_devcgroup(css); |
| 298 | struct dev_exception_item *ex; | 291 | struct dev_exception_item *ex; |
| 299 | char maj[MAJMINLEN], min[MAJMINLEN], acc[ACCLEN]; | 292 | char maj[MAJMINLEN], min[MAJMINLEN], acc[ACCLEN]; |
| 300 | 293 | ||
| @@ -394,12 +387,10 @@ static bool may_access(struct dev_cgroup *dev_cgroup, | |||
| 394 | static int parent_has_perm(struct dev_cgroup *childcg, | 387 | static int parent_has_perm(struct dev_cgroup *childcg, |
| 395 | struct dev_exception_item *ex) | 388 | struct dev_exception_item *ex) |
| 396 | { | 389 | { |
| 397 | struct cgroup *pcg = childcg->css.cgroup->parent; | 390 | struct dev_cgroup *parent = css_to_devcgroup(css_parent(&childcg->css)); |
| 398 | struct dev_cgroup *parent; | ||
| 399 | 391 | ||
| 400 | if (!pcg) | 392 | if (!parent) |
| 401 | return 1; | 393 | return 1; |
| 402 | parent = cgroup_to_devcgroup(pcg); | ||
| 403 | return may_access(parent, ex, childcg->behavior); | 394 | return may_access(parent, ex, childcg->behavior); |
| 404 | } | 395 | } |
| 405 | 396 | ||
| @@ -451,13 +442,13 @@ static void revalidate_active_exceptions(struct dev_cgroup *devcg) | |||
| 451 | static int propagate_exception(struct dev_cgroup *devcg_root, | 442 | static int propagate_exception(struct dev_cgroup *devcg_root, |
| 452 | struct dev_exception_item *ex) | 443 | struct dev_exception_item *ex) |
| 453 | { | 444 | { |
| 454 | struct cgroup *root = devcg_root->css.cgroup, *pos; | 445 | struct cgroup_subsys_state *pos; |
| 455 | int rc = 0; | 446 | int rc = 0; |
| 456 | 447 | ||
| 457 | rcu_read_lock(); | 448 | rcu_read_lock(); |
| 458 | 449 | ||
| 459 | cgroup_for_each_descendant_pre(pos, root) { | 450 | css_for_each_descendant_pre(pos, &devcg_root->css) { |
| 460 | struct dev_cgroup *devcg = cgroup_to_devcgroup(pos); | 451 | struct dev_cgroup *devcg = css_to_devcgroup(pos); |
| 461 | 452 | ||
| 462 | /* | 453 | /* |
| 463 | * Because devcgroup_mutex is held, no devcg will become | 454 | * Because devcgroup_mutex is held, no devcg will become |
| @@ -465,7 +456,7 @@ static int propagate_exception(struct dev_cgroup *devcg_root, | |||
| 465 | * methods), and online ones are safe to access outside RCU | 456 | * methods), and online ones are safe to access outside RCU |
| 466 | * read lock without bumping refcnt. | 457 | * read lock without bumping refcnt. |
| 467 | */ | 458 | */ |
| 468 | if (!is_devcg_online(devcg)) | 459 | if (pos == &devcg_root->css || !is_devcg_online(devcg)) |
| 469 | continue; | 460 | continue; |
| 470 | 461 | ||
| 471 | rcu_read_unlock(); | 462 | rcu_read_unlock(); |
| @@ -524,15 +515,11 @@ static int devcgroup_update_access(struct dev_cgroup *devcgroup, | |||
| 524 | char temp[12]; /* 11 + 1 characters needed for a u32 */ | 515 | char temp[12]; /* 11 + 1 characters needed for a u32 */ |
| 525 | int count, rc = 0; | 516 | int count, rc = 0; |
| 526 | struct dev_exception_item ex; | 517 | struct dev_exception_item ex; |
| 527 | struct cgroup *p = devcgroup->css.cgroup; | 518 | struct dev_cgroup *parent = css_to_devcgroup(css_parent(&devcgroup->css)); |
| 528 | struct dev_cgroup *parent = NULL; | ||
| 529 | 519 | ||
| 530 | if (!capable(CAP_SYS_ADMIN)) | 520 | if (!capable(CAP_SYS_ADMIN)) |
| 531 | return -EPERM; | 521 | return -EPERM; |
| 532 | 522 | ||
| 533 | if (p->parent) | ||
| 534 | parent = cgroup_to_devcgroup(p->parent); | ||
| 535 | |||
| 536 | memset(&ex, 0, sizeof(ex)); | 523 | memset(&ex, 0, sizeof(ex)); |
| 537 | b = buffer; | 524 | b = buffer; |
| 538 | 525 | ||
| @@ -677,13 +664,13 @@ static int devcgroup_update_access(struct dev_cgroup *devcgroup, | |||
| 677 | return rc; | 664 | return rc; |
| 678 | } | 665 | } |
| 679 | 666 | ||
| 680 | static int devcgroup_access_write(struct cgroup *cgrp, struct cftype *cft, | 667 | static int devcgroup_access_write(struct cgroup_subsys_state *css, |
| 681 | const char *buffer) | 668 | struct cftype *cft, const char *buffer) |
| 682 | { | 669 | { |
| 683 | int retval; | 670 | int retval; |
| 684 | 671 | ||
| 685 | mutex_lock(&devcgroup_mutex); | 672 | mutex_lock(&devcgroup_mutex); |
| 686 | retval = devcgroup_update_access(cgroup_to_devcgroup(cgrp), | 673 | retval = devcgroup_update_access(css_to_devcgroup(css), |
| 687 | cft->private, buffer); | 674 | cft->private, buffer); |
| 688 | mutex_unlock(&devcgroup_mutex); | 675 | mutex_unlock(&devcgroup_mutex); |
| 689 | return retval; | 676 | return retval; |