X-Git-Url: http://review.tizen.org/git/?a=blobdiff_plain;f=security%2Fdevice_cgroup.c;h=e3ce02a00ffcdadc1ee202bee3bfde6a2c3f5198;hb=66b8ef67756b3051bf42a077a82c3c5c279caa5b;hp=442204cc22d91772251043f3a051d6cce93bcfc7;hpb=f9ba7179ce91fb77b2adf6eaab3676ab3a1f5a15;p=platform%2Fadaptation%2Frenesas_rcar%2Frenesas_kernel.git
diff --git a/security/device_cgroup.c b/security/device_cgroup.c
index 442204c..e3ce02a 100644
--- a/security/device_cgroup.c
+++ b/security/device_cgroup.c
@@ -42,6 +42,7 @@ struct dev_whitelist_item {
 struct dev_cgroup {
 struct cgroup_subsys_state css;
 struct list_head whitelist;
+ bool deny_all;
 };
 
 static inline struct dev_cgroup *css_to_devcgroup(struct cgroup_subsys_state *s)
@@ -178,12 +179,14 @@ static struct cgroup_subsys_state *devcgroup_create(struct cgroup *cgroup)
 wh->minor = wh->major = ~0;
 wh->type = DEV_ALL;
 wh->access = ACC_MASK;
+ dev_cgroup->deny_all = false;
 list_add(&wh->list, &dev_cgroup->whitelist);
 } else {
 parent_dev_cgroup = cgroup_to_devcgroup(parent_cgroup);
 mutex_lock(&devcgroup_mutex);
 ret = dev_whitelist_copy(&dev_cgroup->whitelist,
 &parent_dev_cgroup->whitelist);
+ dev_cgroup->deny_all = parent_dev_cgroup->deny_all;
 mutex_unlock(&devcgroup_mutex);
 if (ret) {
 kfree(dev_cgroup);
@@ -409,9 +412,11 @@ handle:
 case DEVCG_ALLOW:
 if (!parent_has_perm(devcgroup, &wh))
 return -EPERM;
+ devcgroup->deny_all = false;
 return dev_whitelist_add(devcgroup, &wh);
 case DEVCG_DENY:
 dev_whitelist_rm(devcgroup, &wh);
+ devcgroup->deny_all = true;
 break;
 default:
 return -EINVAL;
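Review bot: The new `bool deny_all` member of `struct dev_cgroup` carries no comment on what state it records or how it is kept consistent with the whitelist it sits next to. Within this diff it is only ever written (initialised in devcgroup_create, copied from the parent under devcgroup_mutex, flipped in the DEVCG_ALLOW/DEVCG_DENY cases); no hunk here reads it, so as far as this commit shows it does not yet influence the permission check and a later reader will need that stated. I would add `/* true after the last DEVCG_DENY write, false after DEVCG_ALLOW; inherited from the parent in devcgroup_create() */` above the field, and note which lock covers writes to it once that is confirmed against the callers, which are outside this hunk.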
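Review bot: `devcgroup->deny_all = true;` in the DEVCG_DENY case is executed for every deny that reaches `handle:`, and `devcgroup->deny_all = false;` for every allow, so if both the wildcard entry and per-device entries funnel into this switch (the `handle:` label suggests they do, but the dispatch above it is outside the hunk) the flag ends up meaning "the most recent write was a deny" rather than "all devices are denied", which the name implies. A single-device deny followed by no allow would leave `deny_all` true while other whitelist entries still grant access, and a single-device allow would clear it even though a wildcard deny was issued earlier. Either the flag should be set only for the wildcard case, e.g. `devcgroup->deny_all = (wh.type == DEV_ALL);` in the DEVCG_DENY branch with a matching guard in DEVCG_ALLOW, or its comment should spell out the "last write wins" semantics so consumers do not treat it as a complete-denial indicator. The enclosing function (devcgroup_update_access) begins and ends outside the hunk, so whether devcgroup_mutex is held around these writes cannot be confirmed from here and deserves a comment at the assignment.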
@@ -457,6 +462,15 @@ struct cgroup_subsys devices_subsys = {
 .destroy = devcgroup_destroy,
 .subsys_id = devices_subsys_id,
 .base_cftypes = dev_cgroup_files,
+
+ /*
+ * While devices cgroup has the rudimentary hierarchy support which
+ * checks the parent's restriction, it doesn't properly propagates
+ * config changes in ancestors to their descendents. A child
+ * should only be allowed to add more restrictions to the parent's
+ * configuration. Fix it and remove the following.
+ */
+ .broken_hierarchy = true,
 };
 
 int __devcgroup_inode_permission(struct inode *inode, int mask)
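Review bot: The comment justifying `.broken_hierarchy = true` has two wording slips that should be fixed while it is being added: "it doesn't properly propagates" should read "it doesn't properly propagate", and "descendents" should be "descendants". Since this comment is the only in-tree statement of a security-relevant limitation (restrictions applied to an ancestor are not pushed down to children that already copied the ancestor's whitelist), it is worth making the consequence explicit for the next reader, e.g. `* descendants, so tightening a parent's configuration does not` / `* revoke access a child already inherited.` in place of the current "A child" sentence lead-in. The struct initialiser itself starts outside the hunk.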