Re: [PATCH 1/4] dev_cgroup: keep track of which cgroup is the root cgroup
On Fri, Mar 15, 2013 at 01:13:40PM +0400, Glauber Costa wrote:
> Most of the other subsystems already keep track of that in some way.  We
> will do that internally and provide a test to determine whether or not
> our task is in a device cgroup that is not the root one. We can relax
> some of our checks in that case, trusting that whoever set device cgroup
> rules will be responsible to control access to their devices.
> 
> Signed-off-by: Glauber Costa <glommer@xxxxxxxxxxxxx>
> Cc: Aristeu Rozanski <aris@xxxxxxxxxx>
> Cc: Eric Biederman <ebiederm@xxxxxxxxxxxx>
> Cc: Serge Hallyn <serge.hallyn@xxxxxxxxxxxxx>
> Cc: Li Zefan <lizefan@xxxxxxxxxx>
> ---
>  include/linux/security.h |  1 +
>  security/device_cgroup.c | 15 +++++++++++++--
>  2 files changed, 14 insertions(+), 2 deletions(-)
> 
> diff --git a/include/linux/security.h b/include/linux/security.h
> index eee7478..fe58f71 100644
> --- a/include/linux/security.h
> +++ b/include/linux/security.h
> @@ -96,6 +96,7 @@ extern int cap_task_setscheduler(struct task_struct *p);
>  extern int cap_task_setioprio(struct task_struct *p, int ioprio);
>  extern int cap_task_setnice(struct task_struct *p, int nice);
>  extern int cap_vm_enough_memory(struct mm_struct *mm, long pages);
> +bool *task_in_child_devcgroup(struct task_struct *task);
>  
>  struct msghdr;
>  struct sk_buff;
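Review bot: the prototype added to include/linux/security.h, `bool *task_in_child_devcgroup(struct task_struct *task);`, returns `bool *`, but the definition in security/device_cgroup.c below returns plain `bool`; the declaration should read `bool task_in_child_devcgroup(struct task_struct *task);` or any caller will get a pointer where it expects a truth value. The declaration is also unconditional: with CONFIG_CGROUP_DEVICE disabled there is no definition, so a caller introduced in a later patch will fail to link. Wrap it in `#ifdef CONFIG_CGROUP_DEVICE` and provide a `static inline` fallback that returns false (i.e. do not relax any check when there is no device cgroup at all).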
> diff --git a/security/device_cgroup.c b/security/device_cgroup.c
> index 1c69e38..03df5b2 100644
> --- a/security/device_cgroup.c
> +++ b/security/device_cgroup.c
> @@ -63,6 +63,16 @@ static inline struct dev_cgroup *task_devcgroup(struct task_struct *task)
>  	return css_to_devcgroup(task_subsys_state(task, devices_subsys_id));
>  }
>  
> +static struct dev_cgroup *root_devcgroup;
> +bool task_in_child_devcgroup(struct task_struct *task)
> +{
> +	bool ret;
> +	rcu_read_lock();
> +	ret = task_devcgroup(task) != root_devcgroup;
> +	rcu_read_unlock();
> +	return ret;
> +}
> +
>  struct cgroup_subsys devices_subsys;
>  
>  static int devcgroup_can_attach(struct cgroup *new_cgrp,
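Review bot: task_in_child_devcgroup() tests only pointer identity with root_devcgroup, so it returns true for a task in a freshly created child cgroup that has no rules of its own; per the next hunk such a child inherits its parent's behaviour and exception list via dev_exceptions_copy(), so a direct child of the root is effectively unconfined yet would be treated as "trusted" by whatever check the series relaxes. If the relaxation is meant for cgroups that actually constrain device access, the predicate should look at the cgroup's behavior/exceptions rather than at whether it is the root. The function also lacks a kernel-doc comment; a short one stating what "child" means here and that the rcu_read_lock() is what makes task_subsys_state() safe to call would help readers of the later patches, and since nothing in this patch uses the new non-static symbol, the commit message should name the consumer.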
> @@ -197,9 +207,10 @@ static struct cgroup_subsys_state *devcgroup_css_alloc(struct cgroup *cgroup)
>  	INIT_LIST_HEAD(&dev_cgroup->exceptions);
>  	parent_cgroup = cgroup->parent;
>  
> -	if (parent_cgroup == NULL)
> +	if (parent_cgroup == NULL) {
>  		dev_cgroup->behavior = DEVCG_DEFAULT_ALLOW;
> -	else {
> +		root_devcgroup = dev_cgroup;
> +	} else {
>  		parent_dev_cgroup = cgroup_to_devcgroup(parent_cgroup);
>  		mutex_lock(&devcgroup_mutex);
>  		ret = dev_exceptions_copy(&dev_cgroup->exceptions,
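Review bot: root_devcgroup is assigned when the root css is allocated, but this hunk adds no matching reset in the css_free path; if the devices subsystem is unbound from its hierarchy and later rebound, the global keeps pointing at freed memory until the new root is allocated, and task_in_child_devcgroup() compares against a dangling pointer in that window (and, since any live devcgroup then differs from it, answers "child" for every task, which is the permissive direction). Suggest clearing it in css_free when `dev_cgroup == root_devcgroup` and having task_in_child_devcgroup() return false while root_devcgroup is NULL, so the check fails closed. A one-line comment on `root_devcgroup = dev_cgroup;` noting that it is only ever written from the root allocation would also help.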

patch looks good
Acked-by: Aristeu Rozanski <aris@xxxxxxxxxx>

-- 
Aristeu

_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linuxfoundation.org/mailman/listinfo/containers
