Hi, After commit ad676077a2ae4af4bb, when the default policy is to allow, devices.list contains only "a *:* rwm" even when some exceptions exist. I understand that without changing this file's syntax it is impossible to present all the data. But maybe we can change this now? Extending this syntax by adding +/- at the beginning of each line is simple and could be really useful. Dominik
diff --git a/security/device_cgroup.c b/security/device_cgroup.c
index cd97929fac66..ecd3613fe079 100644
--- a/security/device_cgroup.c
+++ b/security/device_cgroup.c
@@ -271,24 +271,30 @@ static int devcgroup_seq_show(struct seq_file *m, void *v)
 	char maj[MAJMINLEN], min[MAJMINLEN], acc[ACCLEN];
 	rcu_read_lock();
-	/*
-	 * To preserve the compatibility:
-	 * - Only show the "all devices" when the default policy is to allow
-	 * - List the exceptions in case the default policy is to deny
-	 * This way, the file remains as a "whitelist of devices"
-	 */
 	if (devcgroup->behavior == DEVCG_DEFAULT_ALLOW) {
 		set_access(acc, DEVCG_ACC_MASK);
 		set_majmin(maj, ~0);
 		set_majmin(min, ~0);
-		seq_printf(m, "%c %s:%s %s\n", type_to_char(DEVCG_DEV_ALL),
+		seq_printf(m, "+ %c %s:%s %s\n", type_to_char(DEVCG_DEV_ALL),
 			   maj, min, acc);
+		list_for_each_entry_rcu(ex, &devcgroup->exceptions, list) {
+			set_access(acc, ex->access);
+			set_majmin(maj, ex->major);
+			set_majmin(min, ex->minor);
+			seq_printf(m, "- %c %s:%s %s\n", type_to_char(ex->type),
+				   maj, min, acc);
+		}
 	} else {
+		set_access(acc, DEVCG_ACC_MASK);
+		set_majmin(maj, ~0);
+		set_majmin(min, ~0);
+		seq_printf(m, "- %c %s:%s %s\n", type_to_char(DEVCG_DEV_ALL),
+			   maj, min, acc);
 		list_for_each_entry_rcu(ex, &devcgroup->exceptions, list) {
 			set_access(acc, ex->access);
 			set_majmin(maj, ex->major);
 			set_majmin(min, ex->minor);
-			seq_printf(m, "%c %s:%s %s\n", type_to_char(ex->type),
+			seq_printf(m, "+ %c %s:%s %s\n", type_to_char(ex->type),
 				   maj, min, acc);
 		}
 	}
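Review bot: Prefixing every devices.list line with `+ ` or `- ` in both branches of devcgroup_seq_show changes a user-visible cgroup v1 file format, and the deleted comment at the top of the hunk documented that the old layout was kept deliberately for compatibility. Userspace that reads devices.list and replays its lines into a child's devices.allow/devices.deny (a common pattern in container and cgroup management tools) will now hand the write-side parser a line whose first character is `+`/`-` rather than the device type; if that parser, which is not in this hunk, is unchanged, those writes would presumably be rejected, so the extended listing is safer behind a new file or opt-in flag while devices.list keeps the legacy output. Separately, the three `set_access`/`set_majmin` calls and the `seq_printf` for the `DEVCG_DEV_ALL` entry are now duplicated in both branches with only the prefix differing; hoisting them above the `if` and selecting the sign in the format, e.g. `seq_printf(m, "%c %c %s:%s %s\n", devcgroup->behavior == DEVCG_DEFAULT_ALLOW ? '+' : '-', type_to_char(DEVCG_DEV_ALL), maj, min, acc);`, removes the duplication. devcgroup_seq_show continues past the end of this hunk.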