On Thu, Apr 24, 2014 at 03:32:55PM -0400, Aristeu Rozanski wrote:
> In a scenario when the child cgroup is trying to remove an exception
> which will effectively add more access rights, verify if the parent's
> rules allow it.

Can you please elaborate a bit more on how the bug was introduced and
what its implications are? People can't really decipher what the patch
means from the above text.

> +/*

/**

> + * parent_allows_removal - check if the parent cgroup allows an exception to
> + * be removed

Why is devcg using a different comment form from everything else?

/**
 * FUNC_NAME - one line description
 * @params: description
 *
 * Long description
 */

> + * @childcg: child cgroup from where the exception will be removed
> + * @ex: exception being removed
> + */
> +static bool parent_allows_removal(struct dev_cgroup *childcg,
> + struct dev_exception_item *ex)
> +{
> + struct dev_cgroup *parent = css_to_devcgroup(css_parent(&childcg->css));
> +
> + if (!parent)
> + return true;
> +
> + if (childcg->behavior == DEVCG_DEFAULT_DENY)
> + /* It's always allowed to remove access to devices */

If you don't wanna add {}, move the comment above if.

> + return true;
> +
> + /*
> + * Make sure you're not removing part or a whole exception existing in
> + * the parent cgroup
> + */
> + return !match_exception_partial(&parent->exceptions, ex->type,
> + ex->major, ex->minor, ex->access);
> +}

Thanks.

--
tejun
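
Review bot: the final return in parent_allows_removal() consults only parent->exceptions and never looks at parent->behavior, so the check is correct only if a child that is not DEVCG_DEFAULT_DENY always has a parent whose exception list carries the same meaning. If the hierarchy guarantees that, state the invariant in the comment above the return; otherwise test parent->behavior before calling match_exception_partial(). The kernel-doc header also lacks a description of the return value, which matters here because true means "removal permitted" and both early returns (no parent, DEVCG_DEFAULT_DENY child) take that path.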