Quoting Li Zefan (lizf@xxxxxxxxxxxxxx):
> While walking through the whitelist, if the DEV_ALL item is found,
> no more check is needed.
Right, because the DEV_ALL item always has all permissions.
> Signed-off-by: Li Zefan <lizf@xxxxxxxxxxxxxx>
Acked-by: Serge Hallyn <serue@xxxxxxxxxx>
thanks,
-serge
> ---
> security/device_cgroup.c | 10 ++++++----
> 1 files changed, 6 insertions(+), 4 deletions(-)
>
> diff --git a/security/device_cgroup.c b/security/device_cgroup.c
> index 5fda7df..b8186ba 100644
> --- a/security/device_cgroup.c
> +++ b/security/device_cgroup.c
> @@ -490,7 +490,7 @@ int devcgroup_inode_permission(struct inode *inode, int mask)
>
> list_for_each_entry_rcu(wh, &dev_cgroup->whitelist, list) {
> if (wh->type & DEV_ALL)
> - goto acc_check;
> + goto found;
> if ((wh->type & DEV_BLOCK) && !S_ISBLK(inode->i_mode))
> continue;
> if ((wh->type & DEV_CHAR) && !S_ISCHR(inode->i_mode))
> @@ -499,11 +499,12 @@ int devcgroup_inode_permission(struct inode *inode, int mask)
> continue;
> if (wh->minor != ~0 && wh->minor != iminor(inode))
> continue;
> -acc_check:
> +
> if ((mask & MAY_WRITE) && !(wh->access & ACC_WRITE))
> continue;
> if ((mask & MAY_READ) && !(wh->access & ACC_READ))
> continue;
> +found:
> rcu_read_unlock();
> return 0;
> }
> @@ -527,7 +528,7 @@ int devcgroup_inode_mknod(int mode, dev_t dev)
>
> list_for_each_entry_rcu(wh, &dev_cgroup->whitelist, list) {
> if (wh->type & DEV_ALL)
> - goto acc_check;
> + goto found;
> if ((wh->type & DEV_BLOCK) && !S_ISBLK(mode))
> continue;
> if ((wh->type & DEV_CHAR) && !S_ISCHR(mode))
> @@ -536,9 +537,10 @@ int devcgroup_inode_mknod(int mode, dev_t dev)
> continue;
> if (wh->minor != ~0 && wh->minor != MINOR(dev))
> continue;
> -acc_check:
> +
> if (!(wh->access & ACC_MKNOD))
> continue;
> +found:
> rcu_read_unlock();
> return 0;
> }
> --
> 1.5.4.rc3
_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linux-foundation.org/mailman/listinfo/containers
