device_cgroup: add "deny_all" in dev_cgroup structure
authorAristeu Rozanski <[email protected]>
Fri, 5 Oct 2012 00:15:13 +0000 (17:15 -0700)
committerLinus Torvalds <[email protected]>
Fri, 5 Oct 2012 18:05:13 +0000 (03:05 +0900)
deny_all will determine whether the default policy is to deny all device access
except for the entries in the exception list.

This variable will be used in the next patches to convert device_cgroup
internally into a default policy + rules.

Signed-off-by: Aristeu Rozanski <[email protected]>
Cc: Tejun Heo <[email protected]>
Cc: Li Zefan <[email protected]>
Cc: James Morris <[email protected]>
Cc: Pavel Emelyanov <[email protected]>
Acked-by: Serge E. Hallyn <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
security/device_cgroup.c

index 4b877a92a7ea3dc3a0307f5c5efb9e78c3289b17..e3ce02a00ffcdadc1ee202bee3bfde6a2c3f5198 100644 (file)
@@ -42,6 +42,7 @@ struct dev_whitelist_item {
 struct dev_cgroup {
        struct cgroup_subsys_state css;
        struct list_head whitelist;
+       bool deny_all;
 };
 
 static inline struct dev_cgroup *css_to_devcgroup(struct cgroup_subsys_state *s)
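Review bot: The new `deny_all` member of `struct dev_cgroup` has no comment, so its polarity and relation to `whitelist` are only documented in the commit message; a reader of the struct cannot tell whether `true` means "deny everything not on the whitelist" or something else. Suggest `bool deny_all; /* default policy: deny any device not on the whitelist */`. Since nothing in this patch reads the field yet, that comment would be the only in-tree statement of its meaning until the follow-up patches land.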
@@ -178,12 +179,14 @@ static struct cgroup_subsys_state *devcgroup_create(struct cgroup *cgroup)
                wh->minor = wh->major = ~0;
                wh->type = DEV_ALL;
                wh->access = ACC_MASK;
+               dev_cgroup->deny_all = false;
                list_add(&wh->list, &dev_cgroup->whitelist);
        } else {
                parent_dev_cgroup = cgroup_to_devcgroup(parent_cgroup);
                mutex_lock(&devcgroup_mutex);
                ret = dev_whitelist_copy(&dev_cgroup->whitelist,
                                &parent_dev_cgroup->whitelist);
+               dev_cgroup->deny_all = parent_dev_cgroup->deny_all;
                mutex_unlock(&devcgroup_mutex);
                if (ret) {
                        kfree(dev_cgroup);
@@ -409,9 +412,11 @@ handle:
        case DEVCG_ALLOW:
                if (!parent_has_perm(devcgroup, &wh))
                        return -EPERM;
+               devcgroup->deny_all = false;
                return dev_whitelist_add(devcgroup, &wh);
        case DEVCG_DENY:
                dev_whitelist_rm(devcgroup, &wh);
+               devcgroup->deny_all = true;
                break;
        default:
                return -EINVAL;
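Review bot: The policy flag is toggled by every `allow`/`deny` rule, not only by the catch-all one, and in the `DEVCG_ALLOW` case it is cleared before `dev_whitelist_add` has succeeded: the `deny_all = false` write precedes the add whose error is returned to the caller, so a failed allocation leaves the flag disagreeing with the whitelist. If the intent is the "deny all except the exception list" semantics from the commit message, a rule such as `deny c 1:3 rwm` should not set `deny_all` and `allow c 1:3 rwm` should not clear it; gating both writes on `wh.type == DEV_ALL` and moving the allow-side write after a successful add keeps flag and list consistent. Nothing reads the flag in this patch, so the mismatch is latent, but the follow-ups that switch to default policy + rules would inherit it. The enclosing function starts before this hunk; `rc` below stands for whatever status local it already declares.
```c
	case DEVCG_ALLOW:
		if (!parent_has_perm(devcgroup, &wh))
			return -EPERM;
		rc = dev_whitelist_add(devcgroup, &wh);
		if (rc)
			return rc;
		/* only a catch-all rule changes the default policy */
		if (wh.type == DEV_ALL)
			devcgroup->deny_all = false;
		return 0;
	case DEVCG_DENY:
		dev_whitelist_rm(devcgroup, &wh);
		if (wh.type == DEV_ALL)
			devcgroup->deny_all = true;
		break;
	/* … unchanged: default case … */
```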