summaryrefslogtreecommitdiff
path: root/security
diff options
context:
space:
mode:
authorAristeu Rozanski <aris@redhat.com>2012-10-05 04:15:13 +0400
committerLinus Torvalds <torvalds@linux-foundation.org>2012-10-05 22:05:13 +0400
commit66b8ef67756b3051bf42a077a82c3c5c279caa5b (patch)
tree60527442334744981f0766dae6f46bf7ae9b4d4f /security
parent12ae6779332181432a7feda740735ffa5bb3d32d (diff)
downloadlinux-66b8ef67756b3051bf42a077a82c3c5c279caa5b.tar.xz
device_cgroup: add "deny_all" in dev_cgroup structure
deny_all will determine if the default policy is to deny all device access unless for the ones in the exception list. This variable will be used in the next patches to convert device_cgroup internally into a default policy + rules. Signed-off-by: Aristeu Rozanski <aris@redhat.com> Cc: Tejun Heo <tj@kernel.org> Cc: Li Zefan <lizefan@huawei.com> Cc: James Morris <jmorris@namei.org> Cc: Pavel Emelyanov <xemul@openvz.org> Acked-by: Serge E. Hallyn <serge.hallyn@canonical.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'security')
-rw-r--r--security/device_cgroup.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/security/device_cgroup.c b/security/device_cgroup.c
index 4b877a92a7ea..e3ce02a00ffc 100644
--- a/security/device_cgroup.c
+++ b/security/device_cgroup.c
@@ -42,6 +42,7 @@ struct dev_whitelist_item {
struct dev_cgroup {
struct cgroup_subsys_state css;
struct list_head whitelist;
+ bool deny_all;
};
static inline struct dev_cgroup *css_to_devcgroup(struct cgroup_subsys_state *s)
@@ -178,12 +179,14 @@ static struct cgroup_subsys_state *devcgroup_create(struct cgroup *cgroup)
wh->minor = wh->major = ~0;
wh->type = DEV_ALL;
wh->access = ACC_MASK;
+ dev_cgroup->deny_all = false;
list_add(&wh->list, &dev_cgroup->whitelist);
} else {
parent_dev_cgroup = cgroup_to_devcgroup(parent_cgroup);
mutex_lock(&devcgroup_mutex);
ret = dev_whitelist_copy(&dev_cgroup->whitelist,
&parent_dev_cgroup->whitelist);
+ dev_cgroup->deny_all = parent_dev_cgroup->deny_all;
mutex_unlock(&devcgroup_mutex);
if (ret) {
kfree(dev_cgroup);
@@ -409,9 +412,11 @@ handle:
case DEVCG_ALLOW:
if (!parent_has_perm(devcgroup, &wh))
return -EPERM;
+ devcgroup->deny_all = false;
return dev_whitelist_add(devcgroup, &wh);
case DEVCG_DENY:
dev_whitelist_rm(devcgroup, &wh);
+ devcgroup->deny_all = true;
break;
default:
return -EINVAL;