From: Aristeu Rozanski Date: Thu, 25 Oct 2012 01:13:53 +0000 (+1100) Subject: device_cgroup: add proper checking when changing default behavior X-Git-Tag: next-20121025~2^2~16 X-Git-Url: https://git.karo-electronics.de/?a=commitdiff_plain;h=bca37d10f087b552cfbfcb0a055c214967105f19;p=karo-tx-linux.git device_cgroup: add proper checking when changing default behavior Before changing a group's default behavior to ALLOW, we must check if its parent's behavior is also ALLOW. Signed-off-by: Aristeu Rozanski Cc: Tejun Heo Cc: Li Zefan Cc: James Morris Cc: Pavel Emelyanov Acked-by: Serge Hallyn Cc: Jiri Slaby Signed-off-by: Andrew Morton --- diff --git a/security/device_cgroup.c b/security/device_cgroup.c index 4fbae8d0b36c..842c254396db 100644 --- a/security/device_cgroup.c +++ b/security/device_cgroup.c @@ -344,6 +344,17 @@ static int parent_has_perm(struct dev_cgroup *childcg, return may_access(parent, ex); } +/** + * may_allow_all - checks if it's possible to change the behavior to + * allow based on parent's rules. + * @parent: device cgroup's parent + * returns: != 0 in case it's allowed, 0 otherwise + */ +static inline int may_allow_all(struct dev_cgroup *parent) +{ + return parent->behavior == DEVCG_DEFAULT_ALLOW; +} + /* * Modify the exception list using allow/deny rules. * CAP_SYS_ADMIN is needed for this. It's at least separate from CAP_MKNOD @@ -364,6 +375,8 @@ static int devcgroup_update_access(struct dev_cgroup *devcgroup, char temp[12]; /* 11 + 1 characters needed for a u32 */ int count, rc; struct dev_exception_item ex; + struct cgroup *p = devcgroup->css.cgroup; + struct dev_cgroup *parent = cgroup_to_devcgroup(p->parent); if (!capable(CAP_SYS_ADMIN)) return -EPERM; @@ -375,9 +388,13 @@ static int devcgroup_update_access(struct dev_cgroup *devcgroup, case 'a': switch (filetype) { case DEVCG_ALLOW: - if (!parent_has_perm(devcgroup, &ex)) + if (!may_allow_all(parent)) return -EPERM; dev_exception_clean(devcgroup); + rc = dev_exceptions_copy(&devcgroup->exceptions, + &parent->exceptions); + if (rc) + return rc; devcgroup->behavior = DEVCG_DEFAULT_ALLOW; break; case DEVCG_DENY: