Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v6.6.132 2023-06-21T13:30:49+00:00 2023-06-21T13:30:49+00:00 Gaosheng Cui cuigaosheng1@huawei.com 2023-06-21T07:44:18+00:00 urn:sha1:4be22f16a4a1a1667e79b52b56cca2c64b3747e2 Fix kernel-doc warnings in device_cgroup: security/device_cgroup.c:835: warning: Excess function parameter 'dev_cgroup' description in 'devcgroup_legacy_check_permission'. Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com> Signed-off-by: Paul Moore <paul@paul-moore.com> 2023-05-25T21:52:15+00:00 Paul Moore paul@paul-moore.com 2023-05-25T03:19:53+00:00 urn:sha1:4432b507445acf3f8e09ce253d4ca852c177b625 A random collection of spelling fixes for source files in the LSM layer. Reviewed-by: Casey Schaufler <casey@schaufler-ca.com> Signed-off-by: Paul Moore <paul@paul-moore.com> 2023-03-08T22:06:06+00:00 Kamalesh Babulal kamalesh.babulal@oracle.com 2023-03-04T07:29:23+00:00 urn:sha1:f89f8e1661e6bef87073ad4934e1eede5f69f4b7 Fix the stale cgroup.c path in the devcgroup_css_alloc() description. Signed-off-by: Kamalesh Babulal <kamalesh.babulal@oracle.com> Signed-off-by: Paul Moore <paul@paul-moore.com> 2022-11-16T23:28:55+00:00 Wang Weiyang wangweiyang2@huawei.com 2022-10-25T11:31:01+00:00 urn:sha1:e68bfbd3b3c3a0ec3cf8c230996ad8cabe90322f When add the 'a *:* rwm' entry to devcgroup A's whitelist, at first A's exceptions will be cleaned and A's behavior is changed to DEVCG_DEFAULT_ALLOW. Then parent's exceptions will be copyed to A's whitelist. If copy failure occurs, just return leaving A to grant permissions to all devices. And A may grant more permissions than parent. Backup A's whitelist and recover original exceptions after copy failure. Cc: stable@vger.kernel.org Fixes: 4cef7299b478 ("device_cgroup: add proper checking when changing default behavior") Signed-off-by: Wang Weiyang <wangweiyang2@huawei.com> Reviewed-by: Aristeu Rozanski <aris@redhat.com> Signed-off-by: Paul Moore <paul@paul-moore.com> 2022-01-19T20:51:30+00:00 YiFei Zhu zhuyifei@google.com 2021-12-16T02:04:25+00:00 urn:sha1:f10d059661968b01ef61a8b516775f95a18ab8ae Right now BPF_PROG_RUN_ARRAY and related macros return 1 or 0 for whether the prog array allows or rejects whatever is being hooked. The caller of these macros then return -EPERM or continue processing based on thw macro's return value. Unforunately this is inflexible, since -EPERM is the only err that can be returned. This patch should be a no-op; it prepares for the next patch. The returning of the -EPERM is moved to inside the macros, so the outer functions are directly returning what the macros returned if they are non-zero. Signed-off-by: YiFei Zhu <zhuyifei@google.com> Reviewed-by: Stanislav Fomichev <sdf@google.com> Link: https://lore.kernel.org/r/788abcdca55886d1f43274c918eaa9f792a9f33b.1639619851.git.zhuyifei@google.com Signed-off-by: Alexei Starovoitov <ast@kernel.org> 2021-12-16T22:57:09+00:00 Jakub Kicinski kuba@kernel.org 2021-12-16T02:55:37+00:00 urn:sha1:aef2feda97b840ec38e9fa53d0065188453304e8 We're about to break the cgroup-defs.h -> bpf-cgroup.h dependency, make sure those who actually need more than the definition of struct cgroup_bpf include bpf-cgroup.h explicitly. Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Alexei Starovoitov <ast@kernel.org> Acked-by: Tejun Heo <tj@kernel.org> Link: https://lore.kernel.org/bpf/20211216025538.1649516-3-kuba@kernel.org 2020-08-20T18:25:03+00:00 Amol Grover frextrite@gmail.com 2020-04-06T10:59:50+00:00 urn:sha1:bc62d68e2a0a69fcdcf28aca8edb01abf306b698 exceptions may be traversed using list_for_each_entry_rcu() outside of an RCU read side critical section BUT under the protection of decgroup_mutex. Hence add the corresponding lockdep expression to fix the following false-positive warning: [ 2.304417] ============================= [ 2.304418] WARNING: suspicious RCU usage [ 2.304420] 5.5.4-stable #17 Tainted: G E [ 2.304422] ----------------------------- [ 2.304424] security/device_cgroup.c:355 RCU-list traversed in non-reader section!! Signed-off-by: Amol Grover <frextrite@gmail.com> Signed-off-by: James Morris <jmorris@namei.org> 2020-04-13T18:41:54+00:00 Odin Ugedal odin@ugedal.com 2020-04-03T17:55:28+00:00 urn:sha1:eec8fd0277e37cf447b88c6be181e81df867bcf1 Original cgroup v2 eBPF code for filtering device access made it possible to compile with CONFIG_CGROUP_DEVICE=n and still use the eBPF filtering. Change commit 4b7d4d453fc4 ("device_cgroup: Export devcgroup_check_permission") reverted this, making it required to set it to y. Since the device filtering (and all the docs) for cgroup v2 is no longer a "device controller" like it was in v1, someone might compile their kernel with CONFIG_CGROUP_DEVICE=n. Then (for linux 5.5+) the eBPF filter will not be invoked, and all processes will be allowed access to all devices, no matter what the eBPF filter says. Signed-off-by: Odin Ugedal <odin@ugedal.com> Acked-by: Roman Gushchin <guro@fb.com> Signed-off-by: Tejun Heo <tj@kernel.org> 2019-10-07T20:11:38+00:00 Harish Kasiviswanathan Harish.Kasiviswanathan@amd.com 2019-05-16T15:37:16+00:00 urn:sha1:4b7d4d453fc46769394e31d1cb19088f49897b59 For AMD compute (amdkfd) driver. All AMD compute devices are exported via single device node /dev/kfd. As a result devices cannot be controlled individually using device cgroup. AMD compute devices will rely on its graphics counterpart that exposes /dev/dri/renderN node for each device. For each task (based on its cgroup), KFD driver will check if /dev/dri/renderN node is accessible before exposing it. Signed-off-by: Harish Kasiviswanathan <Harish.Kasiviswanathan@amd.com> Acked-by: Tejun Heo <tj@kernel.org> Acked-by: Felix Kuehling <Felix.Kuehling@amd.com> Reviewed-by: Roman Gushchin <guro@fb.com> Signed-off-by: Alex Deucher <alexander.deucher@amd.com> 2019-07-15T14:03:02+00:00 Mauro Carvalho Chehab mchehab+samsung@kernel.org 2019-06-27T16:08:35+00:00 urn:sha1:da82c92f1150f66afabf78d2c85ef9ac18dc6d38 Those files belong to the admin guide, so add them. Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>