Re: [PATCH v2 3/4] device_cgroup: Export devcgroup_check_permission

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, Sep 24, 2019 at 03:54:47PM +0000, Kasiviswanathan, Harish wrote:
> Hi Tejun,
> 
> Can you please review this? You and Roman acked this patch before. It will be great if I can Reviewed-by, so that I can upstream this through Alex Deucher's amd-staging-drm-next and Dave Airlie's drm-next trees
> 
> Thanks,
> Harish

Hello, Harish!

If it can help, please, feel free to use
Reviewed-by: Roman Gushchin <guro@xxxxxx>

Thanks!

> 
> 
> -----Original Message-----
> From: Kasiviswanathan, Harish <Harish.Kasiviswanathan@xxxxxxx> 
> Sent: Monday, September 16, 2019 2:06 PM
> To: tj@xxxxxxxxxx; Deucher, Alexander <Alexander.Deucher@xxxxxxx>; airlied@xxxxxxxxxx
> Cc: cgroups@xxxxxxxxxxxxxxx; amd-gfx@xxxxxxxxxxxxxxxxxxxxx; Kasiviswanathan, Harish <Harish.Kasiviswanathan@xxxxxxx>
> Subject: [PATCH v2 3/4] device_cgroup: Export devcgroup_check_permission
> 
> For AMD compute (amdkfd) driver.
> 
> All AMD compute devices are exported via single device node /dev/kfd. As
> a result devices cannot be controlled individually using device cgroup.
> 
> AMD compute devices will rely on its graphics counterpart that exposes
> /dev/dri/renderN node for each device. For each task (based on its
> cgroup), KFD driver will check if /dev/dri/renderN node is accessible
> before exposing it.
> 
> Change-Id: I9ae283df550b2c122d67870b0cfa316bfbf3b614
> Acked-by: Felix Kuehling <Felix.Kuehling@xxxxxxx>
> Acked-by: Tejun Heo <tj@xxxxxxxxxx>
> Acked-by: Roman Gushchin <guro@xxxxxx>
> Signed-off-by: Harish Kasiviswanathan <Harish.Kasiviswanathan@xxxxxxx>
> ---
>  include/linux/device_cgroup.h | 19 ++++---------------
>  security/device_cgroup.c      | 15 +++++++++++++--
>  2 files changed, 17 insertions(+), 17 deletions(-)
> 
> diff --git a/include/linux/device_cgroup.h b/include/linux/device_cgroup.h
> index 8557efe096dc..fa35b52e0002 100644
> --- a/include/linux/device_cgroup.h
> +++ b/include/linux/device_cgroup.h
> @@ -12,26 +12,15 @@
>  #define DEVCG_DEV_ALL   4  /* this represents all devices */
>  
>  #ifdef CONFIG_CGROUP_DEVICE
> -extern int __devcgroup_check_permission(short type, u32 major, u32 minor,
> -					short access);
> +int devcgroup_check_permission(short type, u32 major, u32 minor,
> +			       short access);
>  #else
> -static inline int __devcgroup_check_permission(short type, u32 major, u32 minor,
> -					       short access)
> +static inline int devcgroup_check_permission(short type, u32 major, u32 minor,
> +					     short access)
>  { return 0; }
>  #endif
>  
>  #if defined(CONFIG_CGROUP_DEVICE) || defined(CONFIG_CGROUP_BPF)
> -static inline int devcgroup_check_permission(short type, u32 major, u32 minor,
> -					     short access)
> -{
> -	int rc = BPF_CGROUP_RUN_PROG_DEVICE_CGROUP(type, major, minor, access);
> -
> -	if (rc)
> -		return -EPERM;
> -
> -	return __devcgroup_check_permission(type, major, minor, access);
> -}
> -
>  static inline int devcgroup_inode_permission(struct inode *inode, int mask)
>  {
>  	short type, access = 0;
> diff --git a/security/device_cgroup.c b/security/device_cgroup.c
> index dc28914fa72e..04dd29bf7f06 100644
> --- a/security/device_cgroup.c
> +++ b/security/device_cgroup.c
> @@ -801,8 +801,8 @@ struct cgroup_subsys devices_cgrp_subsys = {
>   *
>   * returns 0 on success, -EPERM case the operation is not permitted
>   */
> -int __devcgroup_check_permission(short type, u32 major, u32 minor,
> -				 short access)
> +static int __devcgroup_check_permission(short type, u32 major, u32 minor,
> +					short access)
>  {
>  	struct dev_cgroup *dev_cgroup;
>  	bool rc;
> @@ -824,3 +824,14 @@ int __devcgroup_check_permission(short type, u32 major, u32 minor,
>  
>  	return 0;
>  }
> +
> +int devcgroup_check_permission(short type, u32 major, u32 minor, short access)
> +{
> +	int rc = BPF_CGROUP_RUN_PROG_DEVICE_CGROUP(type, major, minor, access);
> +
> +	if (rc)
> +		return -EPERM;
> +
> +	return __devcgroup_check_permission(type, major, minor, access);
> +}
> +EXPORT_SYMBOL(devcgroup_check_permission);
> -- 
> 2.17.1
> 




[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux OMAP]     [Linux MIPS]     [eCos]     [Asterisk Internet PBX]     [Linux API]     [Monitors]

  Powered by Linux