Commit 66b8ef67756b3051bf42a077a82c3c5c279caa5b

Authored by Aristeu Rozanski
Committed by Linus Torvalds
1 parent 12ae677933

device_cgroup: add "deny_all" in dev_cgroup structure

deny_all will determine whether the default policy is to deny all device access
except for the ones in the exception list.

This variable will be used in the next patches to convert device_cgroup
internally into a default policy + rules.

Signed-off-by: Aristeu Rozanski <aris@redhat.com>
Cc: Tejun Heo <tj@kernel.org>
Cc: Li Zefan <lizefan@huawei.com>
Cc: James Morris <jmorris@namei.org>
Cc: Pavel Emelyanov <xemul@openvz.org>
Acked-by: Serge E. Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

Showing 1 changed file with 5 additions and 0 deletions Side-by-side Diff

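--- a/security/device_cgroup.c
+++ b/security/device_cgroup.c
@@ -42,6 +42,7 @@
 struct dev_cgroup {
 struct cgroup_subsys_state css;
 struct list_head whitelist;
+bool deny_all;
 };
 
 static inline struct dev_cgroup *css_to_devcgroup(struct cgroup_subsys_state *s)
 
@@ -178,12 +179,14 @@
 wh->minor = wh->major = ~0;
 wh->type = DEV_ALL;
 wh->access = ACC_MASK;
+dev_cgroup->deny_all = false;
 list_add(&wh->list, &dev_cgroup->whitelist);
 } else {
 parent_dev_cgroup = cgroup_to_devcgroup(parent_cgroup);
 mutex_lock(&devcgroup_mutex);
 ret = dev_whitelist_copy(&dev_cgroup->whitelist,
 &parent_dev_cgroup->whitelist);
+dev_cgroup->deny_all = parent_dev_cgroup->deny_all;
 mutex_unlock(&devcgroup_mutex);
 if (ret) {
 kfree(dev_cgroup);
 
@@ -409,9 +412,11 @@
 case DEVCG_ALLOW:
 if (!parent_has_perm(devcgroup, &wh))
 return -EPERM;
+devcgroup->deny_all = false;
 return dev_whitelist_add(devcgroup, &wh);
 case DEVCG_DENY:
 dev_whitelist_rm(devcgroup, &wh);
+devcgroup->deny_all = true;
 break;
 default:
 return -EINVAL;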
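Review bot: In the last hunk deny_all is flipped on every DEVCG_DENY and DEVCG_ALLOW write, so denying or allowing a single device (not the DEV_ALL wildcard) also rewrites the cgroup's default policy, which the commit message describes as "deny all device access except for the ones in the exception list". The field is unused by this commit, so nothing breaks yet, but once the next patches consult it a `devices.deny` of one device would turn the whole cgroup into default-deny; consider gating both assignments on the wildcard, `if (wh.type == DEV_ALL) devcgroup->deny_all = true;` in the deny case and the matching `= false` form in the allow case. The struct member in the first hunk also deserves a one-line comment stating its meaning and that it is inherited from the parent at creation, e.g. `bool deny_all; /* default policy: deny everything not in whitelist; copied from parent on create */`. The functions enclosing the second and third hunks start and end outside the shown lines.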