summaryrefslogtreecommitdiffstats
path: root/security/device_cgroup.c
diff options
context:
space:
mode:
authorRoman Gushchin <guro@fb.com>2017-11-05 08:15:31 -0500
committerDavid S. Miller <davem@davemloft.net>2017-11-05 23:26:51 +0900
commitecf8fecb7828648cba0e42de7464a7e600c93459 (patch)
treef807782b4060641e926e7d600369d7dd0f058e2a /security/device_cgroup.c
parent67e306fdbed71ab0a6e0d5985e088a49061c523f (diff)
downloadlinux-stable-ecf8fecb7828648cba0e42de7464a7e600c93459.tar.gz
linux-stable-ecf8fecb7828648cba0e42de7464a7e600c93459.tar.bz2
linux-stable-ecf8fecb7828648cba0e42de7464a7e600c93459.zip
device_cgroup: prepare code for bpf-based device controller
This is non-functional change to prepare the device cgroup code for adding eBPF-based controller for cgroups v2. The patch performs the following changes: 1) __devcgroup_inode_permission() and devcgroup_inode_mknod() are moving to the device-cgroup.h and converting into static inline. 2) __devcgroup_check_permission() is exported. 3) devcgroup_check_permission() wrapper is introduced to be used by both existing and new bpf-based implementations. Signed-off-by: Roman Gushchin <guro@fb.com> Acked-by: Tejun Heo <tj@kernel.org> Acked-by: Alexei Starovoitov <ast@kernel.org> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'security/device_cgroup.c')
-rw-r--r--security/device_cgroup.c47
1 files changed, 2 insertions, 45 deletions
diff --git a/security/device_cgroup.c b/security/device_cgroup.c
index 968c21557ba7..c65b39bafdfe 100644
--- a/security/device_cgroup.c
+++ b/security/device_cgroup.c
@@ -15,15 +15,6 @@
#include <linux/rcupdate.h>
#include <linux/mutex.h>
-#define DEVCG_ACC_MKNOD 1
-#define DEVCG_ACC_READ 2
-#define DEVCG_ACC_WRITE 4
-#define DEVCG_ACC_MASK (DEVCG_ACC_MKNOD | DEVCG_ACC_READ | DEVCG_ACC_WRITE)
-
-#define DEVCG_DEV_BLOCK 1
-#define DEVCG_DEV_CHAR 2
-#define DEVCG_DEV_ALL 4 /* this represents all devices */
-
static DEFINE_MUTEX(devcgroup_mutex);
enum devcg_behavior {
@@ -810,8 +801,8 @@ struct cgroup_subsys devices_cgrp_subsys = {
*
* returns 0 on success, -EPERM case the operation is not permitted
*/
-static int __devcgroup_check_permission(short type, u32 major, u32 minor,
- short access)
+int __devcgroup_check_permission(short type, u32 major, u32 minor,
+ short access)
{
struct dev_cgroup *dev_cgroup;
bool rc;
@@ -833,37 +824,3 @@ static int __devcgroup_check_permission(short type, u32 major, u32 minor,
return 0;
}
-
-int __devcgroup_inode_permission(struct inode *inode, int mask)
-{
- short type, access = 0;
-
- if (S_ISBLK(inode->i_mode))
- type = DEVCG_DEV_BLOCK;
- if (S_ISCHR(inode->i_mode))
- type = DEVCG_DEV_CHAR;
- if (mask & MAY_WRITE)
- access |= DEVCG_ACC_WRITE;
- if (mask & MAY_READ)
- access |= DEVCG_ACC_READ;
-
- return __devcgroup_check_permission(type, imajor(inode), iminor(inode),
- access);
-}
-
-int devcgroup_inode_mknod(int mode, dev_t dev)
-{
- short type;
-
- if (!S_ISBLK(mode) && !S_ISCHR(mode))
- return 0;
-
- if (S_ISBLK(mode))
- type = DEVCG_DEV_BLOCK;
- else
- type = DEVCG_DEV_CHAR;
-
- return __devcgroup_check_permission(type, MAJOR(dev), MINOR(dev),
- DEVCG_ACC_MKNOD);
-
-}