1 // SPDX-License-Identifier: GPL-2.0 1 // SPDX-License-Identifier: GPL-2.0 2 /* 2 /* 3 * device_cgroup.c - device cgroup subsystem 3 * device_cgroup.c - device cgroup subsystem 4 * 4 * 5 * Copyright 2007 IBM Corp 5 * Copyright 2007 IBM Corp 6 */ 6 */ 7 7 8 #include <linux/bpf-cgroup.h> << 9 #include <linux/device_cgroup.h> 8 #include <linux/device_cgroup.h> 10 #include <linux/cgroup.h> 9 #include <linux/cgroup.h> 11 #include <linux/ctype.h> 10 #include <linux/ctype.h> 12 #include <linux/list.h> 11 #include <linux/list.h> 13 #include <linux/uaccess.h> 12 #include <linux/uaccess.h> 14 #include <linux/seq_file.h> 13 #include <linux/seq_file.h> 15 #include <linux/slab.h> 14 #include <linux/slab.h> 16 #include <linux/rcupdate.h> 15 #include <linux/rcupdate.h> 17 #include <linux/mutex.h> 16 #include <linux/mutex.h> 18 17 19 #ifdef CONFIG_CGROUP_DEVICE << 20 << 21 static DEFINE_MUTEX(devcgroup_mutex); 18 static DEFINE_MUTEX(devcgroup_mutex); 22 19 23 enum devcg_behavior { 20 enum devcg_behavior { 24 DEVCG_DEFAULT_NONE, 21 DEVCG_DEFAULT_NONE, 25 DEVCG_DEFAULT_ALLOW, 22 DEVCG_DEFAULT_ALLOW, 26 DEVCG_DEFAULT_DENY, 23 DEVCG_DEFAULT_DENY, 27 }; 24 }; 28 25 29 /* 26 /* 30 * exception list locking rules: 27 * exception list locking rules: 31 * hold devcgroup_mutex for update/read. 28 * hold devcgroup_mutex for update/read. 32 * hold rcu_read_lock() for read. 29 * hold rcu_read_lock() for read. 33 */ 30 */ 34 31 35 struct dev_exception_item { 32 struct dev_exception_item { 36 u32 major, minor; 33 u32 major, minor; 37 short type; 34 short type; 38 short access; 35 short access; 39 struct list_head list; 36 struct list_head list; 40 struct rcu_head rcu; 37 struct rcu_head rcu; 41 }; 38 }; 42 39 43 struct dev_cgroup { 40 struct dev_cgroup { 44 struct cgroup_subsys_state css; 41 struct cgroup_subsys_state css; 45 struct list_head exceptions; 42 struct list_head exceptions; 46 enum devcg_behavior behavior; 43 enum devcg_behavior behavior; 47 }; 44 }; 48 45 49 static inline struct dev_cgroup *css_to_devcgr 46 static inline struct dev_cgroup *css_to_devcgroup(struct cgroup_subsys_state *s) 50 { 47 { 51 return s ? container_of(s, struct dev_ 48 return s ? container_of(s, struct dev_cgroup, css) : NULL; 52 } 49 } 53 50 54 static inline struct dev_cgroup *task_devcgrou 51 static inline struct dev_cgroup *task_devcgroup(struct task_struct *task) 55 { 52 { 56 return css_to_devcgroup(task_css(task, 53 return css_to_devcgroup(task_css(task, devices_cgrp_id)); 57 } 54 } 58 55 59 /* 56 /* 60 * called under devcgroup_mutex 57 * called under devcgroup_mutex 61 */ 58 */ 62 static int dev_exceptions_copy(struct list_hea 59 static int dev_exceptions_copy(struct list_head *dest, struct list_head *orig) 63 { 60 { 64 struct dev_exception_item *ex, *tmp, * 61 struct dev_exception_item *ex, *tmp, *new; 65 62 66 lockdep_assert_held(&devcgroup_mutex); 63 lockdep_assert_held(&devcgroup_mutex); 67 64 68 list_for_each_entry(ex, orig, list) { 65 list_for_each_entry(ex, orig, list) { 69 new = kmemdup(ex, sizeof(*ex), 66 new = kmemdup(ex, sizeof(*ex), GFP_KERNEL); 70 if (!new) 67 if (!new) 71 goto free_and_exit; 68 goto free_and_exit; 72 list_add_tail(&new->list, dest 69 list_add_tail(&new->list, dest); 73 } 70 } 74 71 75 return 0; 72 return 0; 76 73 77 free_and_exit: 74 free_and_exit: 78 list_for_each_entry_safe(ex, tmp, dest 75 list_for_each_entry_safe(ex, tmp, dest, list) { 79 list_del(&ex->list); 76 list_del(&ex->list); 80 kfree(ex); 77 kfree(ex); 81 } 78 } 82 return -ENOMEM; 79 return -ENOMEM; 83 } 80 } 84 81 85 static void dev_exceptions_move(struct list_he << 86 { << 87 struct dev_exception_item *ex, *tmp; << 88 << 89 lockdep_assert_held(&devcgroup_mutex); << 90 << 91 list_for_each_entry_safe(ex, tmp, orig << 92 list_move_tail(&ex->list, dest << 93 } << 94 } << 95 << 96 /* 82 /* 97 * called under devcgroup_mutex 83 * called under devcgroup_mutex 98 */ 84 */ 99 static int dev_exception_add(struct dev_cgroup 85 static int dev_exception_add(struct dev_cgroup *dev_cgroup, 100 struct dev_except 86 struct dev_exception_item *ex) 101 { 87 { 102 struct dev_exception_item *excopy, *wa 88 struct dev_exception_item *excopy, *walk; 103 89 104 lockdep_assert_held(&devcgroup_mutex); 90 lockdep_assert_held(&devcgroup_mutex); 105 91 106 excopy = kmemdup(ex, sizeof(*ex), GFP_ 92 excopy = kmemdup(ex, sizeof(*ex), GFP_KERNEL); 107 if (!excopy) 93 if (!excopy) 108 return -ENOMEM; 94 return -ENOMEM; 109 95 110 list_for_each_entry(walk, &dev_cgroup- 96 list_for_each_entry(walk, &dev_cgroup->exceptions, list) { 111 if (walk->type != ex->type) 97 if (walk->type != ex->type) 112 continue; 98 continue; 113 if (walk->major != ex->major) 99 if (walk->major != ex->major) 114 continue; 100 continue; 115 if (walk->minor != ex->minor) 101 if (walk->minor != ex->minor) 116 continue; 102 continue; 117 103 118 walk->access |= ex->access; 104 walk->access |= ex->access; 119 kfree(excopy); 105 kfree(excopy); 120 excopy = NULL; 106 excopy = NULL; 121 } 107 } 122 108 123 if (excopy != NULL) 109 if (excopy != NULL) 124 list_add_tail_rcu(&excopy->lis 110 list_add_tail_rcu(&excopy->list, &dev_cgroup->exceptions); 125 return 0; 111 return 0; 126 } 112 } 127 113 128 /* 114 /* 129 * called under devcgroup_mutex 115 * called under devcgroup_mutex 130 */ 116 */ 131 static void dev_exception_rm(struct dev_cgroup 117 static void dev_exception_rm(struct dev_cgroup *dev_cgroup, 132 struct dev_except 118 struct dev_exception_item *ex) 133 { 119 { 134 struct dev_exception_item *walk, *tmp; 120 struct dev_exception_item *walk, *tmp; 135 121 136 lockdep_assert_held(&devcgroup_mutex); 122 lockdep_assert_held(&devcgroup_mutex); 137 123 138 list_for_each_entry_safe(walk, tmp, &d 124 list_for_each_entry_safe(walk, tmp, &dev_cgroup->exceptions, list) { 139 if (walk->type != ex->type) 125 if (walk->type != ex->type) 140 continue; 126 continue; 141 if (walk->major != ex->major) 127 if (walk->major != ex->major) 142 continue; 128 continue; 143 if (walk->minor != ex->minor) 129 if (walk->minor != ex->minor) 144 continue; 130 continue; 145 131 146 walk->access &= ~ex->access; 132 walk->access &= ~ex->access; 147 if (!walk->access) { 133 if (!walk->access) { 148 list_del_rcu(&walk->li 134 list_del_rcu(&walk->list); 149 kfree_rcu(walk, rcu); 135 kfree_rcu(walk, rcu); 150 } 136 } 151 } 137 } 152 } 138 } 153 139 154 static void __dev_exception_clean(struct dev_c 140 static void __dev_exception_clean(struct dev_cgroup *dev_cgroup) 155 { 141 { 156 struct dev_exception_item *ex, *tmp; 142 struct dev_exception_item *ex, *tmp; 157 143 158 list_for_each_entry_safe(ex, tmp, &dev 144 list_for_each_entry_safe(ex, tmp, &dev_cgroup->exceptions, list) { 159 list_del_rcu(&ex->list); 145 list_del_rcu(&ex->list); 160 kfree_rcu(ex, rcu); 146 kfree_rcu(ex, rcu); 161 } 147 } 162 } 148 } 163 149 164 /** 150 /** 165 * dev_exception_clean - frees all entries of 151 * dev_exception_clean - frees all entries of the exception list 166 * @dev_cgroup: dev_cgroup with the exception 152 * @dev_cgroup: dev_cgroup with the exception list to be cleaned 167 * 153 * 168 * called under devcgroup_mutex 154 * called under devcgroup_mutex 169 */ 155 */ 170 static void dev_exception_clean(struct dev_cgr 156 static void dev_exception_clean(struct dev_cgroup *dev_cgroup) 171 { 157 { 172 lockdep_assert_held(&devcgroup_mutex); 158 lockdep_assert_held(&devcgroup_mutex); 173 159 174 __dev_exception_clean(dev_cgroup); 160 __dev_exception_clean(dev_cgroup); 175 } 161 } 176 162 177 static inline bool is_devcg_online(const struc 163 static inline bool is_devcg_online(const struct dev_cgroup *devcg) 178 { 164 { 179 return (devcg->behavior != DEVCG_DEFAU 165 return (devcg->behavior != DEVCG_DEFAULT_NONE); 180 } 166 } 181 167 182 /** 168 /** 183 * devcgroup_online - initializes devcgroup's 169 * devcgroup_online - initializes devcgroup's behavior and exceptions based on 184 * parent's 170 * parent's 185 * @css: css getting online 171 * @css: css getting online 186 * returns 0 in case of success, error code ot 172 * returns 0 in case of success, error code otherwise 187 */ 173 */ 188 static int devcgroup_online(struct cgroup_subs 174 static int devcgroup_online(struct cgroup_subsys_state *css) 189 { 175 { 190 struct dev_cgroup *dev_cgroup = css_to 176 struct dev_cgroup *dev_cgroup = css_to_devcgroup(css); 191 struct dev_cgroup *parent_dev_cgroup = 177 struct dev_cgroup *parent_dev_cgroup = css_to_devcgroup(css->parent); 192 int ret = 0; 178 int ret = 0; 193 179 194 mutex_lock(&devcgroup_mutex); 180 mutex_lock(&devcgroup_mutex); 195 181 196 if (parent_dev_cgroup == NULL) 182 if (parent_dev_cgroup == NULL) 197 dev_cgroup->behavior = DEVCG_D 183 dev_cgroup->behavior = DEVCG_DEFAULT_ALLOW; 198 else { 184 else { 199 ret = dev_exceptions_copy(&dev 185 ret = dev_exceptions_copy(&dev_cgroup->exceptions, 200 &par 186 &parent_dev_cgroup->exceptions); 201 if (!ret) 187 if (!ret) 202 dev_cgroup->behavior = 188 dev_cgroup->behavior = parent_dev_cgroup->behavior; 203 } 189 } 204 mutex_unlock(&devcgroup_mutex); 190 mutex_unlock(&devcgroup_mutex); 205 191 206 return ret; 192 return ret; 207 } 193 } 208 194 209 static void devcgroup_offline(struct cgroup_su 195 static void devcgroup_offline(struct cgroup_subsys_state *css) 210 { 196 { 211 struct dev_cgroup *dev_cgroup = css_to 197 struct dev_cgroup *dev_cgroup = css_to_devcgroup(css); 212 198 213 mutex_lock(&devcgroup_mutex); 199 mutex_lock(&devcgroup_mutex); 214 dev_cgroup->behavior = DEVCG_DEFAULT_N 200 dev_cgroup->behavior = DEVCG_DEFAULT_NONE; 215 mutex_unlock(&devcgroup_mutex); 201 mutex_unlock(&devcgroup_mutex); 216 } 202 } 217 203 218 /* 204 /* 219 * called from kernel/cgroup/cgroup.c with cgr !! 205 * called from kernel/cgroup.c with cgroup_lock() held. 220 */ 206 */ 221 static struct cgroup_subsys_state * 207 static struct cgroup_subsys_state * 222 devcgroup_css_alloc(struct cgroup_subsys_state 208 devcgroup_css_alloc(struct cgroup_subsys_state *parent_css) 223 { 209 { 224 struct dev_cgroup *dev_cgroup; 210 struct dev_cgroup *dev_cgroup; 225 211 226 dev_cgroup = kzalloc(sizeof(*dev_cgrou 212 dev_cgroup = kzalloc(sizeof(*dev_cgroup), GFP_KERNEL); 227 if (!dev_cgroup) 213 if (!dev_cgroup) 228 return ERR_PTR(-ENOMEM); 214 return ERR_PTR(-ENOMEM); 229 INIT_LIST_HEAD(&dev_cgroup->exceptions 215 INIT_LIST_HEAD(&dev_cgroup->exceptions); 230 dev_cgroup->behavior = DEVCG_DEFAULT_N 216 dev_cgroup->behavior = DEVCG_DEFAULT_NONE; 231 217 232 return &dev_cgroup->css; 218 return &dev_cgroup->css; 233 } 219 } 234 220 235 static void devcgroup_css_free(struct cgroup_s 221 static void devcgroup_css_free(struct cgroup_subsys_state *css) 236 { 222 { 237 struct dev_cgroup *dev_cgroup = css_to 223 struct dev_cgroup *dev_cgroup = css_to_devcgroup(css); 238 224 239 __dev_exception_clean(dev_cgroup); 225 __dev_exception_clean(dev_cgroup); 240 kfree(dev_cgroup); 226 kfree(dev_cgroup); 241 } 227 } 242 228 243 #define DEVCG_ALLOW 1 229 #define DEVCG_ALLOW 1 244 #define DEVCG_DENY 2 230 #define DEVCG_DENY 2 245 #define DEVCG_LIST 3 231 #define DEVCG_LIST 3 246 232 247 #define MAJMINLEN 13 233 #define MAJMINLEN 13 248 #define ACCLEN 4 234 #define ACCLEN 4 249 235 250 static void set_access(char *acc, short access 236 static void set_access(char *acc, short access) 251 { 237 { 252 int idx = 0; 238 int idx = 0; 253 memset(acc, 0, ACCLEN); 239 memset(acc, 0, ACCLEN); 254 if (access & DEVCG_ACC_READ) 240 if (access & DEVCG_ACC_READ) 255 acc[idx++] = 'r'; 241 acc[idx++] = 'r'; 256 if (access & DEVCG_ACC_WRITE) 242 if (access & DEVCG_ACC_WRITE) 257 acc[idx++] = 'w'; 243 acc[idx++] = 'w'; 258 if (access & DEVCG_ACC_MKNOD) 244 if (access & DEVCG_ACC_MKNOD) 259 acc[idx++] = 'm'; 245 acc[idx++] = 'm'; 260 } 246 } 261 247 262 static char type_to_char(short type) 248 static char type_to_char(short type) 263 { 249 { 264 if (type == DEVCG_DEV_ALL) 250 if (type == DEVCG_DEV_ALL) 265 return 'a'; 251 return 'a'; 266 if (type == DEVCG_DEV_CHAR) 252 if (type == DEVCG_DEV_CHAR) 267 return 'c'; 253 return 'c'; 268 if (type == DEVCG_DEV_BLOCK) 254 if (type == DEVCG_DEV_BLOCK) 269 return 'b'; 255 return 'b'; 270 return 'X'; 256 return 'X'; 271 } 257 } 272 258 273 static void set_majmin(char *str, unsigned m) 259 static void set_majmin(char *str, unsigned m) 274 { 260 { 275 if (m == ~0) 261 if (m == ~0) 276 strcpy(str, "*"); 262 strcpy(str, "*"); 277 else 263 else 278 sprintf(str, "%u", m); 264 sprintf(str, "%u", m); 279 } 265 } 280 266 281 static int devcgroup_seq_show(struct seq_file 267 static int devcgroup_seq_show(struct seq_file *m, void *v) 282 { 268 { 283 struct dev_cgroup *devcgroup = css_to_ 269 struct dev_cgroup *devcgroup = css_to_devcgroup(seq_css(m)); 284 struct dev_exception_item *ex; 270 struct dev_exception_item *ex; 285 char maj[MAJMINLEN], min[MAJMINLEN], a 271 char maj[MAJMINLEN], min[MAJMINLEN], acc[ACCLEN]; 286 272 287 rcu_read_lock(); 273 rcu_read_lock(); 288 /* 274 /* 289 * To preserve the compatibility: 275 * To preserve the compatibility: 290 * - Only show the "all devices" when 276 * - Only show the "all devices" when the default policy is to allow 291 * - List the exceptions in case the d 277 * - List the exceptions in case the default policy is to deny 292 * This way, the file remains as a "wh 278 * This way, the file remains as a "whitelist of devices" 293 */ 279 */ 294 if (devcgroup->behavior == DEVCG_DEFAU 280 if (devcgroup->behavior == DEVCG_DEFAULT_ALLOW) { 295 set_access(acc, DEVCG_ACC_MASK 281 set_access(acc, DEVCG_ACC_MASK); 296 set_majmin(maj, ~0); 282 set_majmin(maj, ~0); 297 set_majmin(min, ~0); 283 set_majmin(min, ~0); 298 seq_printf(m, "%c %s:%s %s\n", 284 seq_printf(m, "%c %s:%s %s\n", type_to_char(DEVCG_DEV_ALL), 299 maj, min, acc); 285 maj, min, acc); 300 } else { 286 } else { 301 list_for_each_entry_rcu(ex, &d 287 list_for_each_entry_rcu(ex, &devcgroup->exceptions, list) { 302 set_access(acc, ex->ac 288 set_access(acc, ex->access); 303 set_majmin(maj, ex->ma 289 set_majmin(maj, ex->major); 304 set_majmin(min, ex->mi 290 set_majmin(min, ex->minor); 305 seq_printf(m, "%c %s:% 291 seq_printf(m, "%c %s:%s %s\n", type_to_char(ex->type), 306 maj, min, a 292 maj, min, acc); 307 } 293 } 308 } 294 } 309 rcu_read_unlock(); 295 rcu_read_unlock(); 310 296 311 return 0; 297 return 0; 312 } 298 } 313 299 314 /** 300 /** 315 * match_exception - iterates the excepti 301 * match_exception - iterates the exception list trying to find a complete match 316 * @exceptions: list of exceptions 302 * @exceptions: list of exceptions 317 * @type: device type (DEVCG_DEV_BLOCK or DEVC 303 * @type: device type (DEVCG_DEV_BLOCK or DEVCG_DEV_CHAR) 318 * @major: device file major number, ~0 to mat 304 * @major: device file major number, ~0 to match all 319 * @minor: device file minor number, ~0 to mat 305 * @minor: device file minor number, ~0 to match all 320 * @access: permission mask (DEVCG_ACC_READ, D 306 * @access: permission mask (DEVCG_ACC_READ, DEVCG_ACC_WRITE, DEVCG_ACC_MKNOD) 321 * 307 * 322 * It is considered a complete match if an exc 308 * It is considered a complete match if an exception is found that will 323 * contain the entire range of provided parame 309 * contain the entire range of provided parameters. 324 * 310 * 325 * Return: true in case it matches an exceptio 311 * Return: true in case it matches an exception completely 326 */ 312 */ 327 static bool match_exception(struct list_head * 313 static bool match_exception(struct list_head *exceptions, short type, 328 u32 major, u32 min 314 u32 major, u32 minor, short access) 329 { 315 { 330 struct dev_exception_item *ex; 316 struct dev_exception_item *ex; 331 317 332 list_for_each_entry_rcu(ex, exceptions 318 list_for_each_entry_rcu(ex, exceptions, list) { 333 if ((type & DEVCG_DEV_BLOCK) & 319 if ((type & DEVCG_DEV_BLOCK) && !(ex->type & DEVCG_DEV_BLOCK)) 334 continue; 320 continue; 335 if ((type & DEVCG_DEV_CHAR) && 321 if ((type & DEVCG_DEV_CHAR) && !(ex->type & DEVCG_DEV_CHAR)) 336 continue; 322 continue; 337 if (ex->major != ~0 && ex->maj 323 if (ex->major != ~0 && ex->major != major) 338 continue; 324 continue; 339 if (ex->minor != ~0 && ex->min 325 if (ex->minor != ~0 && ex->minor != minor) 340 continue; 326 continue; 341 /* provided access cannot have 327 /* provided access cannot have more than the exception rule */ 342 if (access & (~ex->access)) 328 if (access & (~ex->access)) 343 continue; 329 continue; 344 return true; 330 return true; 345 } 331 } 346 return false; 332 return false; 347 } 333 } 348 334 349 /** 335 /** 350 * match_exception_partial - iterates the exce 336 * match_exception_partial - iterates the exception list trying to find a partial match 351 * @exceptions: list of exceptions 337 * @exceptions: list of exceptions 352 * @type: device type (DEVCG_DEV_BLOCK or DEVC 338 * @type: device type (DEVCG_DEV_BLOCK or DEVCG_DEV_CHAR) 353 * @major: device file major number, ~0 to mat 339 * @major: device file major number, ~0 to match all 354 * @minor: device file minor number, ~0 to mat 340 * @minor: device file minor number, ~0 to match all 355 * @access: permission mask (DEVCG_ACC_READ, D 341 * @access: permission mask (DEVCG_ACC_READ, DEVCG_ACC_WRITE, DEVCG_ACC_MKNOD) 356 * 342 * 357 * It is considered a partial match if an exce 343 * It is considered a partial match if an exception's range is found to 358 * contain *any* of the devices specified by p 344 * contain *any* of the devices specified by provided parameters. This is 359 * used to make sure no extra access is being 345 * used to make sure no extra access is being granted that is forbidden by 360 * any of the exception list. 346 * any of the exception list. 361 * 347 * 362 * Return: true in case the provided range mat 348 * Return: true in case the provided range mat matches an exception completely 363 */ 349 */ 364 static bool match_exception_partial(struct lis 350 static bool match_exception_partial(struct list_head *exceptions, short type, 365 u32 major, 351 u32 major, u32 minor, short access) 366 { 352 { 367 struct dev_exception_item *ex; 353 struct dev_exception_item *ex; 368 354 369 list_for_each_entry_rcu(ex, exceptions !! 355 list_for_each_entry_rcu(ex, exceptions, list) { 370 lockdep_is_hel << 371 if ((type & DEVCG_DEV_BLOCK) & 356 if ((type & DEVCG_DEV_BLOCK) && !(ex->type & DEVCG_DEV_BLOCK)) 372 continue; 357 continue; 373 if ((type & DEVCG_DEV_CHAR) && 358 if ((type & DEVCG_DEV_CHAR) && !(ex->type & DEVCG_DEV_CHAR)) 374 continue; 359 continue; 375 /* 360 /* 376 * We must be sure that both t 361 * We must be sure that both the exception and the provided 377 * range aren't masking all de 362 * range aren't masking all devices 378 */ 363 */ 379 if (ex->major != ~0 && major ! 364 if (ex->major != ~0 && major != ~0 && ex->major != major) 380 continue; 365 continue; 381 if (ex->minor != ~0 && minor ! 366 if (ex->minor != ~0 && minor != ~0 && ex->minor != minor) 382 continue; 367 continue; 383 /* 368 /* 384 * In order to make sure the p 369 * In order to make sure the provided range isn't matching 385 * an exception, all its acces 370 * an exception, all its access bits shouldn't match the 386 * exception's access bits 371 * exception's access bits 387 */ 372 */ 388 if (!(access & ex->access)) 373 if (!(access & ex->access)) 389 continue; 374 continue; 390 return true; 375 return true; 391 } 376 } 392 return false; 377 return false; 393 } 378 } 394 379 395 /** 380 /** 396 * verify_new_ex - verifies if a new exception 381 * verify_new_ex - verifies if a new exception is allowed by parent cgroup's permissions 397 * @dev_cgroup: dev cgroup to be tested agains 382 * @dev_cgroup: dev cgroup to be tested against 398 * @refex: new exception 383 * @refex: new exception 399 * @behavior: behavior of the exception's dev_ 384 * @behavior: behavior of the exception's dev_cgroup 400 * 385 * 401 * This is used to make sure a child cgroup wo 386 * This is used to make sure a child cgroup won't have more privileges 402 * than its parent 387 * than its parent 403 */ 388 */ 404 static bool verify_new_ex(struct dev_cgroup *d 389 static bool verify_new_ex(struct dev_cgroup *dev_cgroup, 405 struct dev_exception 390 struct dev_exception_item *refex, 406 enum devcg_behavior 391 enum devcg_behavior behavior) 407 { 392 { 408 bool match = false; 393 bool match = false; 409 394 410 RCU_LOCKDEP_WARN(!rcu_read_lock_held() 395 RCU_LOCKDEP_WARN(!rcu_read_lock_held() && 411 !lockdep_is_held(&dev 396 !lockdep_is_held(&devcgroup_mutex), 412 "device_cgroup:verify 397 "device_cgroup:verify_new_ex called without proper synchronization"); 413 398 414 if (dev_cgroup->behavior == DEVCG_DEFA 399 if (dev_cgroup->behavior == DEVCG_DEFAULT_ALLOW) { 415 if (behavior == DEVCG_DEFAULT_ 400 if (behavior == DEVCG_DEFAULT_ALLOW) { 416 /* 401 /* 417 * new exception in th 402 * new exception in the child doesn't matter, only 418 * adding extra restri 403 * adding extra restrictions 419 */ 404 */ 420 return true; 405 return true; 421 } else { 406 } else { 422 /* 407 /* 423 * new exception in th 408 * new exception in the child will add more devices 424 * that can be accesse !! 409 * that can be acessed, so it can't match any of 425 * parent's exceptions 410 * parent's exceptions, even slightly 426 */ 411 */ 427 match = match_exceptio 412 match = match_exception_partial(&dev_cgroup->exceptions, 428 413 refex->type, 429 414 refex->major, 430 415 refex->minor, 431 416 refex->access); 432 417 433 if (match) 418 if (match) 434 return false; 419 return false; 435 return true; 420 return true; 436 } 421 } 437 } else { 422 } else { 438 /* 423 /* 439 * Only behavior == DEVCG_DEFA 424 * Only behavior == DEVCG_DEFAULT_DENY allowed here, therefore 440 * the new exception will add 425 * the new exception will add access to more devices and must 441 * be contained completely in 426 * be contained completely in an parent's exception to be 442 * allowed 427 * allowed 443 */ 428 */ 444 match = match_exception(&dev_c 429 match = match_exception(&dev_cgroup->exceptions, refex->type, 445 refex- 430 refex->major, refex->minor, 446 refex- 431 refex->access); 447 432 448 if (match) 433 if (match) 449 /* parent has an excep 434 /* parent has an exception that matches the proposed */ 450 return true; 435 return true; 451 else 436 else 452 return false; 437 return false; 453 } 438 } 454 return false; 439 return false; 455 } 440 } 456 441 457 /* 442 /* 458 * parent_has_perm: 443 * parent_has_perm: 459 * when adding a new allow rule to a device ex 444 * when adding a new allow rule to a device exception list, the rule 460 * must be allowed in the parent device 445 * must be allowed in the parent device 461 */ 446 */ 462 static int parent_has_perm(struct dev_cgroup * 447 static int parent_has_perm(struct dev_cgroup *childcg, 463 struct dev_e 448 struct dev_exception_item *ex) 464 { 449 { 465 struct dev_cgroup *parent = css_to_dev 450 struct dev_cgroup *parent = css_to_devcgroup(childcg->css.parent); 466 451 467 if (!parent) 452 if (!parent) 468 return 1; 453 return 1; 469 return verify_new_ex(parent, ex, child 454 return verify_new_ex(parent, ex, childcg->behavior); 470 } 455 } 471 456 472 /** 457 /** 473 * parent_allows_removal - verify if it's ok t 458 * parent_allows_removal - verify if it's ok to remove an exception 474 * @childcg: child cgroup from where the excep 459 * @childcg: child cgroup from where the exception will be removed 475 * @ex: exception being removed 460 * @ex: exception being removed 476 * 461 * 477 * When removing an exception in cgroups with 462 * When removing an exception in cgroups with default ALLOW policy, it must 478 * be checked if removing it will give the chi 463 * be checked if removing it will give the child cgroup more access than the 479 * parent. 464 * parent. 480 * 465 * 481 * Return: true if it's ok to remove exception 466 * Return: true if it's ok to remove exception, false otherwise 482 */ 467 */ 483 static bool parent_allows_removal(struct dev_c 468 static bool parent_allows_removal(struct dev_cgroup *childcg, 484 struct dev_e 469 struct dev_exception_item *ex) 485 { 470 { 486 struct dev_cgroup *parent = css_to_dev 471 struct dev_cgroup *parent = css_to_devcgroup(childcg->css.parent); 487 472 488 if (!parent) 473 if (!parent) 489 return true; 474 return true; 490 475 491 /* It's always allowed to remove acces 476 /* It's always allowed to remove access to devices */ 492 if (childcg->behavior == DEVCG_DEFAULT 477 if (childcg->behavior == DEVCG_DEFAULT_DENY) 493 return true; 478 return true; 494 479 495 /* 480 /* 496 * Make sure you're not removing part 481 * Make sure you're not removing part or a whole exception existing in 497 * the parent cgroup 482 * the parent cgroup 498 */ 483 */ 499 return !match_exception_partial(&paren 484 return !match_exception_partial(&parent->exceptions, ex->type, 500 ex->ma 485 ex->major, ex->minor, ex->access); 501 } 486 } 502 487 503 /** 488 /** 504 * may_allow_all - checks if it's possible to 489 * may_allow_all - checks if it's possible to change the behavior to 505 * allow based on parent's rul 490 * allow based on parent's rules. 506 * @parent: device cgroup's parent 491 * @parent: device cgroup's parent 507 * returns: != 0 in case it's allowed, 0 other 492 * returns: != 0 in case it's allowed, 0 otherwise 508 */ 493 */ 509 static inline int may_allow_all(struct dev_cgr 494 static inline int may_allow_all(struct dev_cgroup *parent) 510 { 495 { 511 if (!parent) 496 if (!parent) 512 return 1; 497 return 1; 513 return parent->behavior == DEVCG_DEFAU 498 return parent->behavior == DEVCG_DEFAULT_ALLOW; 514 } 499 } 515 500 516 /** 501 /** 517 * revalidate_active_exceptions - walks throug 502 * revalidate_active_exceptions - walks through the active exception list and 518 * revalidates 503 * revalidates the exceptions based on parent's 519 * behavior and 504 * behavior and exceptions. The exceptions that 520 * are no longe 505 * are no longer valid will be removed. 521 * Called with 506 * Called with devcgroup_mutex held. 522 * @devcg: cgroup which exceptions will be che 507 * @devcg: cgroup which exceptions will be checked 523 * 508 * 524 * This is one of the three key functions for 509 * This is one of the three key functions for hierarchy implementation. 525 * This function is responsible for re-evaluat 510 * This function is responsible for re-evaluating all the cgroup's active 526 * exceptions due to a parent's exception chan 511 * exceptions due to a parent's exception change. 527 * Refer to Documentation/admin-guide/cgroup-v 512 * Refer to Documentation/admin-guide/cgroup-v1/devices.rst for more details. 528 */ 513 */ 529 static void revalidate_active_exceptions(struc 514 static void revalidate_active_exceptions(struct dev_cgroup *devcg) 530 { 515 { 531 struct dev_exception_item *ex; 516 struct dev_exception_item *ex; 532 struct list_head *this, *tmp; 517 struct list_head *this, *tmp; 533 518 534 list_for_each_safe(this, tmp, &devcg-> 519 list_for_each_safe(this, tmp, &devcg->exceptions) { 535 ex = container_of(this, struct 520 ex = container_of(this, struct dev_exception_item, list); 536 if (!parent_has_perm(devcg, ex 521 if (!parent_has_perm(devcg, ex)) 537 dev_exception_rm(devcg 522 dev_exception_rm(devcg, ex); 538 } 523 } 539 } 524 } 540 525 541 /** 526 /** 542 * propagate_exception - propagates a new exce 527 * propagate_exception - propagates a new exception to the children 543 * @devcg_root: device cgroup that added a new 528 * @devcg_root: device cgroup that added a new exception 544 * @ex: new exception to be propagated 529 * @ex: new exception to be propagated 545 * 530 * 546 * returns: 0 in case of success, != 0 in case 531 * returns: 0 in case of success, != 0 in case of error 547 */ 532 */ 548 static int propagate_exception(struct dev_cgro 533 static int propagate_exception(struct dev_cgroup *devcg_root, 549 struct dev_exce 534 struct dev_exception_item *ex) 550 { 535 { 551 struct cgroup_subsys_state *pos; 536 struct cgroup_subsys_state *pos; 552 int rc = 0; 537 int rc = 0; 553 538 554 rcu_read_lock(); 539 rcu_read_lock(); 555 540 556 css_for_each_descendant_pre(pos, &devc 541 css_for_each_descendant_pre(pos, &devcg_root->css) { 557 struct dev_cgroup *devcg = css 542 struct dev_cgroup *devcg = css_to_devcgroup(pos); 558 543 559 /* 544 /* 560 * Because devcgroup_mutex is 545 * Because devcgroup_mutex is held, no devcg will become 561 * online or offline during th 546 * online or offline during the tree walk (see on/offline 562 * methods), and online ones a 547 * methods), and online ones are safe to access outside RCU 563 * read lock without bumping r 548 * read lock without bumping refcnt. 564 */ 549 */ 565 if (pos == &devcg_root->css || 550 if (pos == &devcg_root->css || !is_devcg_online(devcg)) 566 continue; 551 continue; 567 552 568 rcu_read_unlock(); 553 rcu_read_unlock(); 569 554 570 /* 555 /* 571 * in case both root's behavio 556 * in case both root's behavior and devcg is allow, a new 572 * restriction means adding to 557 * restriction means adding to the exception list 573 */ 558 */ 574 if (devcg_root->behavior == DE 559 if (devcg_root->behavior == DEVCG_DEFAULT_ALLOW && 575 devcg->behavior == DEVCG_D 560 devcg->behavior == DEVCG_DEFAULT_ALLOW) { 576 rc = dev_exception_add 561 rc = dev_exception_add(devcg, ex); 577 if (rc) 562 if (rc) 578 return rc; 563 return rc; 579 } else { 564 } else { 580 /* 565 /* 581 * in the other possib 566 * in the other possible cases: 582 * root's behavior: al 567 * root's behavior: allow, devcg's: deny 583 * root's behavior: de 568 * root's behavior: deny, devcg's: deny 584 * the exception will 569 * the exception will be removed 585 */ 570 */ 586 dev_exception_rm(devcg 571 dev_exception_rm(devcg, ex); 587 } 572 } 588 revalidate_active_exceptions(d 573 revalidate_active_exceptions(devcg); 589 574 590 rcu_read_lock(); 575 rcu_read_lock(); 591 } 576 } 592 577 593 rcu_read_unlock(); 578 rcu_read_unlock(); 594 return rc; 579 return rc; 595 } 580 } 596 581 597 /* 582 /* 598 * Modify the exception list using allow/deny 583 * Modify the exception list using allow/deny rules. 599 * CAP_SYS_ADMIN is needed for this. It's at 584 * CAP_SYS_ADMIN is needed for this. It's at least separate from CAP_MKNOD 600 * so we can give a container CAP_MKNOD to let 585 * so we can give a container CAP_MKNOD to let it create devices but not 601 * modify the exception list. 586 * modify the exception list. 602 * It seems likely we'll want to add a CAP_CON 587 * It seems likely we'll want to add a CAP_CONTAINER capability to allow 603 * us to also grant CAP_SYS_ADMIN to container 588 * us to also grant CAP_SYS_ADMIN to containers without giving away the 604 * device exception list controls, but for now 589 * device exception list controls, but for now we'll stick with CAP_SYS_ADMIN 605 * 590 * 606 * Taking rules away is always allowed (given 591 * Taking rules away is always allowed (given CAP_SYS_ADMIN). Granting 607 * new access is only allowed if you're in the 592 * new access is only allowed if you're in the top-level cgroup, or your 608 * parent cgroup has the access you're asking 593 * parent cgroup has the access you're asking for. 609 */ 594 */ 610 static int devcgroup_update_access(struct dev_ 595 static int devcgroup_update_access(struct dev_cgroup *devcgroup, 611 int filetyp 596 int filetype, char *buffer) 612 { 597 { 613 const char *b; 598 const char *b; 614 char temp[12]; /* 11 + 1 char 599 char temp[12]; /* 11 + 1 characters needed for a u32 */ 615 int count, rc = 0; 600 int count, rc = 0; 616 struct dev_exception_item ex; 601 struct dev_exception_item ex; 617 struct dev_cgroup *parent = css_to_dev 602 struct dev_cgroup *parent = css_to_devcgroup(devcgroup->css.parent); 618 struct dev_cgroup tmp_devcgrp; << 619 603 620 if (!capable(CAP_SYS_ADMIN)) 604 if (!capable(CAP_SYS_ADMIN)) 621 return -EPERM; 605 return -EPERM; 622 606 623 memset(&ex, 0, sizeof(ex)); 607 memset(&ex, 0, sizeof(ex)); 624 memset(&tmp_devcgrp, 0, sizeof(tmp_dev << 625 b = buffer; 608 b = buffer; 626 609 627 switch (*b) { 610 switch (*b) { 628 case 'a': 611 case 'a': 629 switch (filetype) { 612 switch (filetype) { 630 case DEVCG_ALLOW: 613 case DEVCG_ALLOW: 631 if (css_has_online_chi 614 if (css_has_online_children(&devcgroup->css)) 632 return -EINVAL 615 return -EINVAL; 633 616 634 if (!may_allow_all(par 617 if (!may_allow_all(parent)) 635 return -EPERM; 618 return -EPERM; 636 if (!parent) { !! 619 dev_exception_clean(devcgroup); 637 devcgroup->beh !! 620 devcgroup->behavior = DEVCG_DEFAULT_ALLOW; 638 dev_exception_ !! 621 if (!parent) 639 break; 622 break; 640 } << 641 623 642 INIT_LIST_HEAD(&tmp_de << 643 rc = dev_exceptions_co << 644 << 645 if (rc) << 646 return rc; << 647 dev_exception_clean(de << 648 rc = dev_exceptions_co 624 rc = dev_exceptions_copy(&devcgroup->exceptions, 649 625 &parent->exceptions); 650 if (rc) { !! 626 if (rc) 651 dev_exceptions << 652 << 653 return rc; 627 return rc; 654 } << 655 devcgroup->behavior = << 656 dev_exception_clean(&t << 657 break; 628 break; 658 case DEVCG_DENY: 629 case DEVCG_DENY: 659 if (css_has_online_chi 630 if (css_has_online_children(&devcgroup->css)) 660 return -EINVAL 631 return -EINVAL; 661 632 662 dev_exception_clean(de 633 dev_exception_clean(devcgroup); 663 devcgroup->behavior = 634 devcgroup->behavior = DEVCG_DEFAULT_DENY; 664 break; 635 break; 665 default: 636 default: 666 return -EINVAL; 637 return -EINVAL; 667 } 638 } 668 return 0; 639 return 0; 669 case 'b': 640 case 'b': 670 ex.type = DEVCG_DEV_BLOCK; 641 ex.type = DEVCG_DEV_BLOCK; 671 break; 642 break; 672 case 'c': 643 case 'c': 673 ex.type = DEVCG_DEV_CHAR; 644 ex.type = DEVCG_DEV_CHAR; 674 break; 645 break; 675 default: 646 default: 676 return -EINVAL; 647 return -EINVAL; 677 } 648 } 678 b++; 649 b++; 679 if (!isspace(*b)) 650 if (!isspace(*b)) 680 return -EINVAL; 651 return -EINVAL; 681 b++; 652 b++; 682 if (*b == '*') { 653 if (*b == '*') { 683 ex.major = ~0; 654 ex.major = ~0; 684 b++; 655 b++; 685 } else if (isdigit(*b)) { 656 } else if (isdigit(*b)) { 686 memset(temp, 0, sizeof(temp)); 657 memset(temp, 0, sizeof(temp)); 687 for (count = 0; count < sizeof 658 for (count = 0; count < sizeof(temp) - 1; count++) { 688 temp[count] = *b; 659 temp[count] = *b; 689 b++; 660 b++; 690 if (!isdigit(*b)) 661 if (!isdigit(*b)) 691 break; 662 break; 692 } 663 } 693 rc = kstrtou32(temp, 10, &ex.m 664 rc = kstrtou32(temp, 10, &ex.major); 694 if (rc) 665 if (rc) 695 return -EINVAL; 666 return -EINVAL; 696 } else { 667 } else { 697 return -EINVAL; 668 return -EINVAL; 698 } 669 } 699 if (*b != ':') 670 if (*b != ':') 700 return -EINVAL; 671 return -EINVAL; 701 b++; 672 b++; 702 673 703 /* read minor */ 674 /* read minor */ 704 if (*b == '*') { 675 if (*b == '*') { 705 ex.minor = ~0; 676 ex.minor = ~0; 706 b++; 677 b++; 707 } else if (isdigit(*b)) { 678 } else if (isdigit(*b)) { 708 memset(temp, 0, sizeof(temp)); 679 memset(temp, 0, sizeof(temp)); 709 for (count = 0; count < sizeof 680 for (count = 0; count < sizeof(temp) - 1; count++) { 710 temp[count] = *b; 681 temp[count] = *b; 711 b++; 682 b++; 712 if (!isdigit(*b)) 683 if (!isdigit(*b)) 713 break; 684 break; 714 } 685 } 715 rc = kstrtou32(temp, 10, &ex.m 686 rc = kstrtou32(temp, 10, &ex.minor); 716 if (rc) 687 if (rc) 717 return -EINVAL; 688 return -EINVAL; 718 } else { 689 } else { 719 return -EINVAL; 690 return -EINVAL; 720 } 691 } 721 if (!isspace(*b)) 692 if (!isspace(*b)) 722 return -EINVAL; 693 return -EINVAL; 723 for (b++, count = 0; count < 3; count+ 694 for (b++, count = 0; count < 3; count++, b++) { 724 switch (*b) { 695 switch (*b) { 725 case 'r': 696 case 'r': 726 ex.access |= DEVCG_ACC 697 ex.access |= DEVCG_ACC_READ; 727 break; 698 break; 728 case 'w': 699 case 'w': 729 ex.access |= DEVCG_ACC 700 ex.access |= DEVCG_ACC_WRITE; 730 break; 701 break; 731 case 'm': 702 case 'm': 732 ex.access |= DEVCG_ACC 703 ex.access |= DEVCG_ACC_MKNOD; 733 break; 704 break; 734 case '\n': 705 case '\n': 735 case '\0': 706 case '\0': 736 count = 3; 707 count = 3; 737 break; 708 break; 738 default: 709 default: 739 return -EINVAL; 710 return -EINVAL; 740 } 711 } 741 } 712 } 742 713 743 switch (filetype) { 714 switch (filetype) { 744 case DEVCG_ALLOW: 715 case DEVCG_ALLOW: 745 /* 716 /* 746 * If the default policy is to 717 * If the default policy is to allow by default, try to remove 747 * an matching exception inste 718 * an matching exception instead. And be silent about it: we 748 * don't want to break compati 719 * don't want to break compatibility 749 */ 720 */ 750 if (devcgroup->behavior == DEV 721 if (devcgroup->behavior == DEVCG_DEFAULT_ALLOW) { 751 /* Check if the parent 722 /* Check if the parent allows removing it first */ 752 if (!parent_allows_rem 723 if (!parent_allows_removal(devcgroup, &ex)) 753 return -EPERM; 724 return -EPERM; 754 dev_exception_rm(devcg 725 dev_exception_rm(devcgroup, &ex); 755 break; 726 break; 756 } 727 } 757 728 758 if (!parent_has_perm(devcgroup 729 if (!parent_has_perm(devcgroup, &ex)) 759 return -EPERM; 730 return -EPERM; 760 rc = dev_exception_add(devcgro 731 rc = dev_exception_add(devcgroup, &ex); 761 break; 732 break; 762 case DEVCG_DENY: 733 case DEVCG_DENY: 763 /* 734 /* 764 * If the default policy is to 735 * If the default policy is to deny by default, try to remove 765 * an matching exception inste 736 * an matching exception instead. And be silent about it: we 766 * don't want to break compati 737 * don't want to break compatibility 767 */ 738 */ 768 if (devcgroup->behavior == DEV 739 if (devcgroup->behavior == DEVCG_DEFAULT_DENY) 769 dev_exception_rm(devcg 740 dev_exception_rm(devcgroup, &ex); 770 else 741 else 771 rc = dev_exception_add 742 rc = dev_exception_add(devcgroup, &ex); 772 743 773 if (rc) 744 if (rc) 774 break; 745 break; 775 /* we only propagate new restr 746 /* we only propagate new restrictions */ 776 rc = propagate_exception(devcg 747 rc = propagate_exception(devcgroup, &ex); 777 break; 748 break; 778 default: 749 default: 779 rc = -EINVAL; 750 rc = -EINVAL; 780 } 751 } 781 return rc; 752 return rc; 782 } 753 } 783 754 784 static ssize_t devcgroup_access_write(struct k 755 static ssize_t devcgroup_access_write(struct kernfs_open_file *of, 785 char *bu 756 char *buf, size_t nbytes, loff_t off) 786 { 757 { 787 int retval; 758 int retval; 788 759 789 mutex_lock(&devcgroup_mutex); 760 mutex_lock(&devcgroup_mutex); 790 retval = devcgroup_update_access(css_t 761 retval = devcgroup_update_access(css_to_devcgroup(of_css(of)), 791 of_cf 762 of_cft(of)->private, strstrip(buf)); 792 mutex_unlock(&devcgroup_mutex); 763 mutex_unlock(&devcgroup_mutex); 793 return retval ?: nbytes; 764 return retval ?: nbytes; 794 } 765 } 795 766 796 static struct cftype dev_cgroup_files[] = { 767 static struct cftype dev_cgroup_files[] = { 797 { 768 { 798 .name = "allow", 769 .name = "allow", 799 .write = devcgroup_access_writ 770 .write = devcgroup_access_write, 800 .private = DEVCG_ALLOW, 771 .private = DEVCG_ALLOW, 801 }, 772 }, 802 { 773 { 803 .name = "deny", 774 .name = "deny", 804 .write = devcgroup_access_writ 775 .write = devcgroup_access_write, 805 .private = DEVCG_DENY, 776 .private = DEVCG_DENY, 806 }, 777 }, 807 { 778 { 808 .name = "list", 779 .name = "list", 809 .seq_show = devcgroup_seq_show 780 .seq_show = devcgroup_seq_show, 810 .private = DEVCG_LIST, 781 .private = DEVCG_LIST, 811 }, 782 }, 812 { } /* terminate */ 783 { } /* terminate */ 813 }; 784 }; 814 785 815 struct cgroup_subsys devices_cgrp_subsys = { 786 struct cgroup_subsys devices_cgrp_subsys = { 816 .css_alloc = devcgroup_css_alloc, 787 .css_alloc = devcgroup_css_alloc, 817 .css_free = devcgroup_css_free, 788 .css_free = devcgroup_css_free, 818 .css_online = devcgroup_online, 789 .css_online = devcgroup_online, 819 .css_offline = devcgroup_offline, 790 .css_offline = devcgroup_offline, 820 .legacy_cftypes = dev_cgroup_files, 791 .legacy_cftypes = dev_cgroup_files, 821 }; 792 }; 822 793 823 /** 794 /** 824 * devcgroup_legacy_check_permission - checks !! 795 * __devcgroup_check_permission - checks if an inode operation is permitted >> 796 * @dev_cgroup: the dev cgroup to be tested against 825 * @type: device type 797 * @type: device type 826 * @major: device major number 798 * @major: device major number 827 * @minor: device minor number 799 * @minor: device minor number 828 * @access: combination of DEVCG_ACC_WRITE, DE 800 * @access: combination of DEVCG_ACC_WRITE, DEVCG_ACC_READ and DEVCG_ACC_MKNOD 829 * 801 * 830 * returns 0 on success, -EPERM case the opera 802 * returns 0 on success, -EPERM case the operation is not permitted 831 */ 803 */ 832 static int devcgroup_legacy_check_permission(s !! 804 int __devcgroup_check_permission(short type, u32 major, u32 minor, 833 short !! 805 short access) 834 { 806 { 835 struct dev_cgroup *dev_cgroup; 807 struct dev_cgroup *dev_cgroup; 836 bool rc; 808 bool rc; 837 809 838 rcu_read_lock(); 810 rcu_read_lock(); 839 dev_cgroup = task_devcgroup(current); 811 dev_cgroup = task_devcgroup(current); 840 if (dev_cgroup->behavior == DEVCG_DEFA 812 if (dev_cgroup->behavior == DEVCG_DEFAULT_ALLOW) 841 /* Can't match any of the exce 813 /* Can't match any of the exceptions, even partially */ 842 rc = !match_exception_partial( 814 rc = !match_exception_partial(&dev_cgroup->exceptions, 843 815 type, major, minor, access); 844 else 816 else 845 /* Need to match completely on 817 /* Need to match completely one exception to be allowed */ 846 rc = match_exception(&dev_cgro 818 rc = match_exception(&dev_cgroup->exceptions, type, major, 847 minor, ac 819 minor, access); 848 rcu_read_unlock(); 820 rcu_read_unlock(); 849 821 850 if (!rc) 822 if (!rc) 851 return -EPERM; 823 return -EPERM; 852 824 853 return 0; 825 return 0; 854 } 826 } 855 << 856 #endif /* CONFIG_CGROUP_DEVICE */ << 857 << 858 #if defined(CONFIG_CGROUP_DEVICE) || defined(C << 859 << 860 int devcgroup_check_permission(short type, u32 << 861 { << 862 int rc = BPF_CGROUP_RUN_PROG_DEVICE_CG << 863 << 864 if (rc) << 865 return rc; << 866 << 867 #ifdef CONFIG_CGROUP_DEVICE << 868 return devcgroup_legacy_check_permissi << 869 << 870 #else /* CONFIG_CGROUP_DEVICE */ << 871 return 0; << 872 << 873 #endif /* CONFIG_CGROUP_DEVICE */ << 874 } << 875 EXPORT_SYMBOL(devcgroup_check_permission); << 876 #endif /* defined(CONFIG_CGROUP_DEVICE) || def << 877 827
Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.