diff options
| author | Aristeu Rozanski <aris@redhat.com> | 2012-10-25 13:37:45 -0700 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2012-10-25 14:37:52 -0700 |
| commit | 4cef7299b4786879a3e113e84084a72b24590c5b (patch) | |
| tree | 31efb5e00be1c1e5cc266046c783c7569e495ede /security | |
| parent | 26fd8405dd470cb8b54cb96859b7dd437e5e1391 (diff) | |
| download | linux-4cef7299b4786879a3e113e84084a72b24590c5b.tar.gz linux-4cef7299b4786879a3e113e84084a72b24590c5b.tar.bz2 linux-4cef7299b4786879a3e113e84084a72b24590c5b.zip | |
device_cgroup: add proper checking when changing default behavior
Before changing a group's default behavior to ALLOW, we must check if
its parent's behavior is also ALLOW.
Signed-off-by: Aristeu Rozanski <aris@redhat.com>
Cc: Tejun Heo <tj@kernel.org>
Cc: Li Zefan <lizefan@huawei.com>
Cc: James Morris <jmorris@namei.org>
Cc: Pavel Emelyanov <xemul@openvz.org>
Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
Cc: Jiri Slaby <jslaby@suse.cz>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'security')
| -rw-r--r-- | security/device_cgroup.c | 19 |
1 files changed, 18 insertions, 1 deletions
diff --git a/security/device_cgroup.c b/security/device_cgroup.c index 4fbae8d0b36c..842c254396db 100644 --- a/security/device_cgroup.c +++ b/security/device_cgroup.c @@ -344,6 +344,17 @@ static int parent_has_perm(struct dev_cgroup *childcg, return may_access(parent, ex); } +/** + * may_allow_all - checks if it's possible to change the behavior to + * allow based on parent's rules. + * @parent: device cgroup's parent + * returns: != 0 in case it's allowed, 0 otherwise + */ +static inline int may_allow_all(struct dev_cgroup *parent) +{ + return parent->behavior == DEVCG_DEFAULT_ALLOW; +} + /* * Modify the exception list using allow/deny rules. * CAP_SYS_ADMIN is needed for this. It's at least separate from CAP_MKNOD @@ -364,6 +375,8 @@ static int devcgroup_update_access(struct dev_cgroup *devcgroup, char temp[12]; /* 11 + 1 characters needed for a u32 */ int count, rc; struct dev_exception_item ex; + struct cgroup *p = devcgroup->css.cgroup; + struct dev_cgroup *parent = cgroup_to_devcgroup(p->parent); if (!capable(CAP_SYS_ADMIN)) return -EPERM; @@ -375,9 +388,13 @@ static int devcgroup_update_access(struct dev_cgroup *devcgroup, case 'a': switch (filetype) { case DEVCG_ALLOW: - if (!parent_has_perm(devcgroup, &ex)) + if (!may_allow_all(parent)) return -EPERM; dev_exception_clean(devcgroup); + rc = dev_exceptions_copy(&devcgroup->exceptions, + &parent->exceptions); + if (rc) + return rc; devcgroup->behavior = DEVCG_DEFAULT_ALLOW; break; case DEVCG_DENY: |