提交 66b8ef67 编写于 作者: A Aristeu Rozanski 提交者: Linus Torvalds

device_cgroup: add "deny_all" in dev_cgroup structure

deny_all will determine if the default policy is to deny all device access
unless for the ones in the exception list.

This variable will be used in the next patches to convert device_cgroup
internally into a default policy + rules.
Signed-off-by: NAristeu Rozanski <aris@redhat.com>
Cc: Tejun Heo <tj@kernel.org>
Cc: Li Zefan <lizefan@huawei.com>
Cc: James Morris <jmorris@namei.org>
Cc: Pavel Emelyanov <xemul@openvz.org>
Acked-by: NSerge E. Hallyn <serge.hallyn@canonical.com>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
上级 12ae6779
...@@ -42,6 +42,7 @@ struct dev_whitelist_item { ...@@ -42,6 +42,7 @@ struct dev_whitelist_item {
struct dev_cgroup { struct dev_cgroup {
struct cgroup_subsys_state css; struct cgroup_subsys_state css;
struct list_head whitelist; struct list_head whitelist;
bool deny_all;
}; };
static inline struct dev_cgroup *css_to_devcgroup(struct cgroup_subsys_state *s) static inline struct dev_cgroup *css_to_devcgroup(struct cgroup_subsys_state *s)
...@@ -178,12 +179,14 @@ static struct cgroup_subsys_state *devcgroup_create(struct cgroup *cgroup) ...@@ -178,12 +179,14 @@ static struct cgroup_subsys_state *devcgroup_create(struct cgroup *cgroup)
wh->minor = wh->major = ~0; wh->minor = wh->major = ~0;
wh->type = DEV_ALL; wh->type = DEV_ALL;
wh->access = ACC_MASK; wh->access = ACC_MASK;
dev_cgroup->deny_all = false;
list_add(&wh->list, &dev_cgroup->whitelist); list_add(&wh->list, &dev_cgroup->whitelist);
} else { } else {
parent_dev_cgroup = cgroup_to_devcgroup(parent_cgroup); parent_dev_cgroup = cgroup_to_devcgroup(parent_cgroup);
mutex_lock(&devcgroup_mutex); mutex_lock(&devcgroup_mutex);
ret = dev_whitelist_copy(&dev_cgroup->whitelist, ret = dev_whitelist_copy(&dev_cgroup->whitelist,
&parent_dev_cgroup->whitelist); &parent_dev_cgroup->whitelist);
dev_cgroup->deny_all = parent_dev_cgroup->deny_all;
mutex_unlock(&devcgroup_mutex); mutex_unlock(&devcgroup_mutex);
if (ret) { if (ret) {
kfree(dev_cgroup); kfree(dev_cgroup);
...@@ -409,9 +412,11 @@ static int devcgroup_update_access(struct dev_cgroup *devcgroup, ...@@ -409,9 +412,11 @@ static int devcgroup_update_access(struct dev_cgroup *devcgroup,
case DEVCG_ALLOW: case DEVCG_ALLOW:
if (!parent_has_perm(devcgroup, &wh)) if (!parent_has_perm(devcgroup, &wh))
return -EPERM; return -EPERM;
devcgroup->deny_all = false;
return dev_whitelist_add(devcgroup, &wh); return dev_whitelist_add(devcgroup, &wh);
case DEVCG_DENY: case DEVCG_DENY:
dev_whitelist_rm(devcgroup, &wh); dev_whitelist_rm(devcgroup, &wh);
devcgroup->deny_all = true;
break; break;
default: default:
return -EINVAL; return -EINVAL;
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册