From ff971be18b7cfd3567d2fc9de3bb0c766dbfced1 Mon Sep 17 00:00:00 2001
From: Aristeu Rozanski
Date: Fri, 7 Sep 2012 10:25:03 +1000
Subject: [PATCH] device_cgroup: add "deny_all" in dev_cgroup structure

deny_all will determine if the default policy is to deny all device access
unless for the ones in the exception list. This variable will be used in the
next patches to convert device_cgroup internally into a default policy +
rules.

Signed-off-by: Aristeu Rozanski
Cc: Tejun Heo
Cc: Li Zefan
Cc: James Morris
Cc: Pavel Emelyanov
Cc: Serge Hallyn
Signed-off-by: Andrew Morton
---
 security/device_cgroup.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/security/device_cgroup.c b/security/device_cgroup.c
index 442204cc22d9..574acae77a7d 100644
--- a/security/device_cgroup.c
+++ b/security/device_cgroup.c
@@ -42,6 +42,7 @@ struct dev_whitelist_item {
 struct dev_cgroup {
 	struct cgroup_subsys_state css;
 	struct list_head whitelist;
+	bool deny_all;
 };
 
 static inline struct dev_cgroup *css_to_devcgroup(struct cgroup_subsys_state *s)
@@ -178,12 +179,14 @@ static struct cgroup_subsys_state *devcgroup_create(struct cgroup *cgroup)
 		wh->minor = wh->major = ~0;
 		wh->type = DEV_ALL;
 		wh->access = ACC_MASK;
+		dev_cgroup->deny_all = false;
 		list_add(&wh->list, &dev_cgroup->whitelist);
 	} else {
 		parent_dev_cgroup = cgroup_to_devcgroup(parent_cgroup);
 		mutex_lock(&devcgroup_mutex);
 		ret = dev_whitelist_copy(&dev_cgroup->whitelist,
 				&parent_dev_cgroup->whitelist);
+		dev_cgroup->deny_all = parent_dev_cgroup->deny_all;
 		mutex_unlock(&devcgroup_mutex);
 		if (ret) {
 			kfree(dev_cgroup);
@@ -409,9 +412,11 @@ handle:
 	case DEVCG_ALLOW:
 		if (!parent_has_perm(devcgroup, &wh))
 			return -EPERM;
+		devcgroup->deny_all = false;
 		return dev_whitelist_add(devcgroup, &wh);
 	case DEVCG_DENY:
 		dev_whitelist_rm(devcgroup, &wh);
+		devcgroup->deny_all = true;
 		break;
 	default:
 		return -EINVAL;
-- 
2.39.5
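Review bot: The new `deny_all` member of `struct dev_cgroup` carries no comment, and since this field is meant to become the cgroup's default device policy it is worth stating its meaning at the declaration rather than only in the commit message. A one-line comment such as `/* default policy: deny access unless listed in whitelist (the exception list) */` above `bool deny_all;` would let a reader of the struct understand the pairing between the flag and the list without chasing the follow-up patches. The struct itself is visible in full here, but the surrounding definitions are not.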
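Review bot: In the `DEVCG_ALLOW` case `devcgroup->deny_all` is cleared before `dev_whitelist_add()` is called, so if that call fails the flag has already flipped while no exception was recorded; once later patches make the flag policy-bearing, that leaves the cgroup claiming an allow-by-default state it never transitioned to. Setting the flag only after a successful add keeps the two consistent: `int rc = dev_whitelist_add(devcgroup, &wh);` / `if (!rc) devcgroup->deny_all = false;` / `return rc;`. Similarly, the `DEVCG_DENY` case sets `deny_all = true` after removing a single whitelist entry regardless of which entry was denied, so the flag presumably tracks "a deny was written" rather than "default policy is deny"; if that is the intended interim semantics, a short comment on the assignment would prevent the next patch from misreading it. The `switch` lives inside a function whose beginning and end are outside this hunk, so the variable declarations it would need are not visible here.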