device_cgroup: add "deny_all" in dev_cgroup structure

deny_all will determine if the default policy is to deny all device access
unless for the ones in the exception list.

This variable will be used in the next patches to convert device_cgroup
internally into a default policy + rules.

Signed-off-by: Aristeu Rozanski <aris@redhat.com>
Cc: Tejun Heo <tj@kernel.org>
Cc: Li Zefan <lizefan@huawei.com>
Cc: James Morris <jmorris@namei.org>
Cc: Pavel Emelyanov <xemul@openvz.org>
Cc: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>

diff --git a/security/device_cgroup.c b/security/device_cgroup.c
index 442204cc22d91772251043f3a051d6cce93bcfc7..574acae77a7da3c1308cd6c155c481b3ebcccf8a 100644 (file)
--- a/security/device_cgroup.c
+++ b/security/device_cgroup.c
@@ -42,6 +42,7 @@ struct dev_whitelist_item {
 struct dev_cgroup {
        struct cgroup_subsys_state css;
        struct list_head whitelist;
+       bool deny_all;
 };
 
 static inline struct dev_cgroup *css_to_devcgroup(struct cgroup_subsys_state *s)
@@ -178,12 +179,14 @@ static struct cgroup_subsys_state *devcgroup_create(struct cgroup *cgroup)
                wh->minor = wh->major = ~0;
                wh->type = DEV_ALL;
                wh->access = ACC_MASK;
+               dev_cgroup->deny_all = false;
                list_add(&wh->list, &dev_cgroup->whitelist);
        } else {
                parent_dev_cgroup = cgroup_to_devcgroup(parent_cgroup);
                mutex_lock(&devcgroup_mutex);
                ret = dev_whitelist_copy(&dev_cgroup->whitelist,
                                &parent_dev_cgroup->whitelist);
+               dev_cgroup->deny_all = parent_dev_cgroup->deny_all;
                mutex_unlock(&devcgroup_mutex);
                if (ret) {
                        kfree(dev_cgroup);
@@ -409,9 +412,11 @@ handle:
        case DEVCG_ALLOW:
                if (!parent_has_perm(devcgroup, &wh))
                        return -EPERM;
+               devcgroup->deny_all = false;
                return dev_whitelist_add(devcgroup, &wh);
        case DEVCG_DENY:
                dev_whitelist_rm(devcgroup, &wh);
+               devcgroup->deny_all = true;
                break;
        default:
                return -EINVAL;