[PATCH 1/4] dev_cgroup: keep track of which cgroup is the root cgroup

Most of the other subsystems already keep track of that in some way.  We
will do that internally and provide a test to determine whether or not
our task is in a device cgroup that is not the root one. We can relax
some of our checks in that case, trusting that whoever set device cgroup
rules will be responsible for controlling access to their devices.

Signed-off-by: Glauber Costa <glommer@xxxxxxxxxxxxx>
Cc: Aristeu Rozanski <aris@xxxxxxxxxx>
Cc: Eric Biederman <ebiederm@xxxxxxxxxxxx>
Cc: Serge Hallyn <serge.hallyn@xxxxxxxxxxxxx>
Cc: Li Zefan <lizefan@xxxxxxxxxx>
---
 include/linux/security.h |  1 +
 security/device_cgroup.c | 15 +++++++++++++--
 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/include/linux/security.h b/include/linux/security.h
index eee7478..fe58f71 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -96,6 +96,7 @@ extern int cap_task_setscheduler(struct task_struct *p);
 extern int cap_task_setioprio(struct task_struct *p, int ioprio);
 extern int cap_task_setnice(struct task_struct *p, int nice);
 extern int cap_vm_enough_memory(struct mm_struct *mm, long pages);
+bool *task_in_child_devcgroup(struct task_struct *task);
 
 struct msghdr;
 struct sk_buff;
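Review bot: the prototype added here, `bool *task_in_child_devcgroup(struct task_struct *task);`, declares a function returning `bool *`, but the definition in security/device_cgroup.c in this same patch returns plain `bool`; once both declarations are visible in one translation unit the compiler will reject the conflicting types, and any caller that tests the result as a pointer would be silently wrong. Drop the stray `*`. The declaration is also unconditional: without a `#ifdef CONFIG_CGROUP_DEVICE` guard and a `static inline` stub returning `false` for the `#else` branch, any user of this helper will fail to link on kernels built without the device cgroup.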
diff --git a/security/device_cgroup.c b/security/device_cgroup.c
index 1c69e38..03df5b2 100644
--- a/security/device_cgroup.c
+++ b/security/device_cgroup.c
@@ -63,6 +63,16 @@ static inline struct dev_cgroup *task_devcgroup(struct task_struct *task)
 	return css_to_devcgroup(task_subsys_state(task, devices_subsys_id));
 }
 
+static struct dev_cgroup *root_devcgroup;
+bool task_in_child_devcgroup(struct task_struct *task)
+{
+	bool ret;
+	rcu_read_lock();
+	ret = task_devcgroup(task) != root_devcgroup;
+	rcu_read_unlock();
+	return ret;
+}
+
 struct cgroup_subsys devices_subsys;
 
 static int devcgroup_can_attach(struct cgroup *new_cgrp,
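Review bot: `root_devcgroup` is a plain static pointer that is written once in `devcgroup_css_alloc()` and read here without any annotation, so the `rcu_read_lock()` / `rcu_read_unlock()` pair only protects the `task_devcgroup(task)` lookup, not the read of `root_devcgroup` itself; if the intent is that the read is ordered against the assignment, a comment saying so (or an `rcu_assign_pointer()` / `rcu_dereference()` pair) would make that explicit, and a kernel-doc comment should state what "child" means, since the test is simply `!= root_devcgroup` and therefore returns true for every descendant, including one that still carries the inherited `DEVCG_DEFAULT_ALLOW` policy with no exceptions of its own. Given that callers are meant to relax checks on a true result, documenting that a permissive child cgroup counts as "controlled" matters for anyone reasoning about the security model.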
@@ -197,9 +207,10 @@ static struct cgroup_subsys_state *devcgroup_css_alloc(struct cgroup *cgroup)
 	INIT_LIST_HEAD(&dev_cgroup->exceptions);
 	parent_cgroup = cgroup->parent;
 
-	if (parent_cgroup == NULL)
+	if (parent_cgroup == NULL) {
 		dev_cgroup->behavior = DEVCG_DEFAULT_ALLOW;
-	else {
+		root_devcgroup = dev_cgroup;
+	} else {
 		parent_dev_cgroup = cgroup_to_devcgroup(parent_cgroup);
 		mutex_lock(&devcgroup_mutex);
 		ret = dev_exceptions_copy(&dev_cgroup->exceptions,
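Review bot: `root_devcgroup = dev_cgroup;` records the root css at allocation time, but nothing in the patch clears it when that css is freed, so between `css_free` of the root and the next `css_alloc` with `parent_cgroup == NULL` the pointer dangles and `task_in_child_devcgroup()` compares against freed memory. Either reset `root_devcgroup` to `NULL` in the free path (and treat `NULL` as "not a child" in the helper) or note in a comment why the root css can never be released for the lifetime of the subsystem. The brace change from the one-line `if` to a block is fine as far as style goes.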
-- 
1.8.1.2
