diff options
| author | Aristeu Rozanski | 2012-10-04 19:15:20 -0500 |
|---|---|---|
| committer | Linus Torvalds | 2012-10-05 13:05:14 -0500 |
| commit | db9aeca97a58563e1ab927d157c9b5048f233e73 (patch) | |
| tree | 6569621429efe0e6cc0529b78c50939913f0bd35 /security/device_cgroup.c | |
| parent | ad676077a2ae4af4bb6627486ce19ccce04f1efe (diff) | |
| download | am43-linux-kernel-db9aeca97a58563e1ab927d157c9b5048f233e73.tar.gz am43-linux-kernel-db9aeca97a58563e1ab927d157c9b5048f233e73.tar.xz am43-linux-kernel-db9aeca97a58563e1ab927d157c9b5048f233e73.zip | |
device_cgroup: rename whitelist to exception list
This patch replaces the "whitelist" usage in the code and comments and replace
them by exception list related information.
Signed-off-by: Aristeu Rozanski <aris@redhat.com>
Cc: Tejun Heo <tj@kernel.org>
Cc: Li Zefan <lizefan@huawei.com>
Cc: James Morris <jmorris@namei.org>
Cc: Pavel Emelyanov <xemul@openvz.org>
Acked-by: Serge E. Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'security/device_cgroup.c')
| -rw-r--r-- | security/device_cgroup.c | 198 |
1 files changed, 99 insertions, 99 deletions
diff --git a/security/device_cgroup.c b/security/device_cgroup.c index 91cf803c343..44dfc415a37 100644 --- a/security/device_cgroup.c +++ b/security/device_cgroup.c | |||
| @@ -26,12 +26,12 @@ | |||
| 26 | static DEFINE_MUTEX(devcgroup_mutex); | 26 | static DEFINE_MUTEX(devcgroup_mutex); |
| 27 | 27 | ||
| 28 | /* | 28 | /* |
| 29 | * whitelist locking rules: | 29 | * exception list locking rules: |
| 30 | * hold devcgroup_mutex for update/read. | 30 | * hold devcgroup_mutex for update/read. |
| 31 | * hold rcu_read_lock() for read. | 31 | * hold rcu_read_lock() for read. |
| 32 | */ | 32 | */ |
| 33 | 33 | ||
| 34 | struct dev_whitelist_item { | 34 | struct dev_exception_item { |
| 35 | u32 major, minor; | 35 | u32 major, minor; |
| 36 | short type; | 36 | short type; |
| 37 | short access; | 37 | short access; |
| @@ -41,7 +41,7 @@ struct dev_whitelist_item { | |||
| 41 | 41 | ||
| 42 | struct dev_cgroup { | 42 | struct dev_cgroup { |
| 43 | struct cgroup_subsys_state css; | 43 | struct cgroup_subsys_state css; |
| 44 | struct list_head whitelist; | 44 | struct list_head exceptions; |
| 45 | bool deny_all; | 45 | bool deny_all; |
| 46 | }; | 46 | }; |
| 47 | 47 | ||
| @@ -75,12 +75,12 @@ static int devcgroup_can_attach(struct cgroup *new_cgrp, | |||
| 75 | /* | 75 | /* |
| 76 | * called under devcgroup_mutex | 76 | * called under devcgroup_mutex |
| 77 | */ | 77 | */ |
| 78 | static int dev_whitelist_copy(struct list_head *dest, struct list_head *orig) | 78 | static int dev_exceptions_copy(struct list_head *dest, struct list_head *orig) |
| 79 | { | 79 | { |
| 80 | struct dev_whitelist_item *wh, *tmp, *new; | 80 | struct dev_exception_item *ex, *tmp, *new; |
| 81 | 81 | ||
| 82 | list_for_each_entry(wh, orig, list) { | 82 | list_for_each_entry(ex, orig, list) { |
| 83 | new = kmemdup(wh, sizeof(*wh), GFP_KERNEL); | 83 | new = kmemdup(ex, sizeof(*ex), GFP_KERNEL); |
| 84 | if (!new) | 84 | if (!new) |
| 85 | goto free_and_exit; | 85 | goto free_and_exit; |
| 86 | list_add_tail(&new->list, dest); | 86 | list_add_tail(&new->list, dest); |
| @@ -89,9 +89,9 @@ static int dev_whitelist_copy(struct list_head *dest, struct list_head *orig) | |||
| 89 | return 0; | 89 | return 0; |
| 90 | 90 | ||
| 91 | free_and_exit: | 91 | free_and_exit: |
| 92 | list_for_each_entry_safe(wh, tmp, dest, list) { | 92 | list_for_each_entry_safe(ex, tmp, dest, list) { |
| 93 | list_del(&wh->list); | 93 | list_del(&ex->list); |
| 94 | kfree(wh); | 94 | kfree(ex); |
| 95 | } | 95 | } |
| 96 | return -ENOMEM; | 96 | return -ENOMEM; |
| 97 | } | 97 | } |
| @@ -99,50 +99,50 @@ free_and_exit: | |||
| 99 | /* | 99 | /* |
| 100 | * called under devcgroup_mutex | 100 | * called under devcgroup_mutex |
| 101 | */ | 101 | */ |
| 102 | static int dev_whitelist_add(struct dev_cgroup *dev_cgroup, | 102 | static int dev_exception_add(struct dev_cgroup *dev_cgroup, |
| 103 | struct dev_whitelist_item *wh) | 103 | struct dev_exception_item *ex) |
| 104 | { | 104 | { |
| 105 | struct dev_whitelist_item *whcopy, *walk; | 105 | struct dev_exception_item *excopy, *walk; |
| 106 | 106 | ||
| 107 | whcopy = kmemdup(wh, sizeof(*wh), GFP_KERNEL); | 107 | excopy = kmemdup(ex, sizeof(*ex), GFP_KERNEL); |
| 108 | if (!whcopy) | 108 | if (!excopy) |
| 109 | return -ENOMEM; | 109 | return -ENOMEM; |
| 110 | 110 | ||
| 111 | list_for_each_entry(walk, &dev_cgroup->whitelist, list) { | 111 | list_for_each_entry(walk, &dev_cgroup->exceptions, list) { |
| 112 | if (walk->type != wh->type) | 112 | if (walk->type != ex->type) |
| 113 | continue; | 113 | continue; |
| 114 | if (walk->major != wh->major) | 114 | if (walk->major != ex->major) |
| 115 | continue; | 115 | continue; |
| 116 | if (walk->minor != wh->minor) | 116 | if (walk->minor != ex->minor) |
| 117 | continue; | 117 | continue; |
| 118 | 118 | ||
| 119 | walk->access |= wh->access; | 119 | walk->access |= ex->access; |
| 120 | kfree(whcopy); | 120 | kfree(excopy); |
| 121 | whcopy = NULL; | 121 | excopy = NULL; |
| 122 | } | 122 | } |
| 123 | 123 | ||
| 124 | if (whcopy != NULL) | 124 | if (excopy != NULL) |
| 125 | list_add_tail_rcu(&whcopy->list, &dev_cgroup->whitelist); | 125 | list_add_tail_rcu(&excopy->list, &dev_cgroup->exceptions); |
| 126 | return 0; | 126 | return 0; |
| 127 | } | 127 | } |
| 128 | 128 | ||
| 129 | /* | 129 | /* |
| 130 | * called under devcgroup_mutex | 130 | * called under devcgroup_mutex |
| 131 | */ | 131 | */ |
| 132 | static void dev_whitelist_rm(struct dev_cgroup *dev_cgroup, | 132 | static void dev_exception_rm(struct dev_cgroup *dev_cgroup, |
| 133 | struct dev_whitelist_item *wh) | 133 | struct dev_exception_item *ex) |
| 134 | { | 134 | { |
| 135 | struct dev_whitelist_item *walk, *tmp; | 135 | struct dev_exception_item *walk, *tmp; |
| 136 | 136 | ||
| 137 | list_for_each_entry_safe(walk, tmp, &dev_cgroup->whitelist, list) { | 137 | list_for_each_entry_safe(walk, tmp, &dev_cgroup->exceptions, list) { |
| 138 | if (walk->type != wh->type) | 138 | if (walk->type != ex->type) |
| 139 | continue; | 139 | continue; |
| 140 | if (walk->major != wh->major) | 140 | if (walk->major != ex->major) |
| 141 | continue; | 141 | continue; |
| 142 | if (walk->minor != wh->minor) | 142 | if (walk->minor != ex->minor) |
| 143 | continue; | 143 | continue; |
| 144 | 144 | ||
| 145 | walk->access &= ~wh->access; | 145 | walk->access &= ~ex->access; |
| 146 | if (!walk->access) { | 146 | if (!walk->access) { |
| 147 | list_del_rcu(&walk->list); | 147 | list_del_rcu(&walk->list); |
| 148 | kfree_rcu(walk, rcu); | 148 | kfree_rcu(walk, rcu); |
| @@ -151,18 +151,18 @@ static void dev_whitelist_rm(struct dev_cgroup *dev_cgroup, | |||
| 151 | } | 151 | } |
| 152 | 152 | ||
| 153 | /** | 153 | /** |
| 154 | * dev_whitelist_clean - frees all entries of the whitelist | 154 | * dev_exception_clean - frees all entries of the exception list |
| 155 | * @dev_cgroup: dev_cgroup with the whitelist to be cleaned | 155 | * @dev_cgroup: dev_cgroup with the exception list to be cleaned |
| 156 | * | 156 | * |
| 157 | * called under devcgroup_mutex | 157 | * called under devcgroup_mutex |
| 158 | */ | 158 | */ |
| 159 | static void dev_whitelist_clean(struct dev_cgroup *dev_cgroup) | 159 | static void dev_exception_clean(struct dev_cgroup *dev_cgroup) |
| 160 | { | 160 | { |
| 161 | struct dev_whitelist_item *wh, *tmp; | 161 | struct dev_exception_item *ex, *tmp; |
| 162 | 162 | ||
| 163 | list_for_each_entry_safe(wh, tmp, &dev_cgroup->whitelist, list) { | 163 | list_for_each_entry_safe(ex, tmp, &dev_cgroup->exceptions, list) { |
| 164 | list_del(&wh->list); | 164 | list_del(&ex->list); |
| 165 | kfree(wh); | 165 | kfree(ex); |
| 166 | } | 166 | } |
| 167 | } | 167 | } |
| 168 | 168 | ||
| @@ -178,7 +178,7 @@ static struct cgroup_subsys_state *devcgroup_create(struct cgroup *cgroup) | |||
| 178 | dev_cgroup = kzalloc(sizeof(*dev_cgroup), GFP_KERNEL); | 178 | dev_cgroup = kzalloc(sizeof(*dev_cgroup), GFP_KERNEL); |
| 179 | if (!dev_cgroup) | 179 | if (!dev_cgroup) |
| 180 | return ERR_PTR(-ENOMEM); | 180 | return ERR_PTR(-ENOMEM); |
| 181 | INIT_LIST_HEAD(&dev_cgroup->whitelist); | 181 | INIT_LIST_HEAD(&dev_cgroup->exceptions); |
| 182 | parent_cgroup = cgroup->parent; | 182 | parent_cgroup = cgroup->parent; |
| 183 | 183 | ||
| 184 | if (parent_cgroup == NULL) | 184 | if (parent_cgroup == NULL) |
| @@ -186,8 +186,8 @@ static struct cgroup_subsys_state *devcgroup_create(struct cgroup *cgroup) | |||
| 186 | else { | 186 | else { |
| 187 | parent_dev_cgroup = cgroup_to_devcgroup(parent_cgroup); | 187 | parent_dev_cgroup = cgroup_to_devcgroup(parent_cgroup); |
| 188 | mutex_lock(&devcgroup_mutex); | 188 | mutex_lock(&devcgroup_mutex); |
| 189 | ret = dev_whitelist_copy(&dev_cgroup->whitelist, | 189 | ret = dev_exceptions_copy(&dev_cgroup->exceptions, |
| 190 | &parent_dev_cgroup->whitelist); | 190 | &parent_dev_cgroup->exceptions); |
| 191 | dev_cgroup->deny_all = parent_dev_cgroup->deny_all; | 191 | dev_cgroup->deny_all = parent_dev_cgroup->deny_all; |
| 192 | mutex_unlock(&devcgroup_mutex); | 192 | mutex_unlock(&devcgroup_mutex); |
| 193 | if (ret) { | 193 | if (ret) { |
| @@ -204,7 +204,7 @@ static void devcgroup_destroy(struct cgroup *cgroup) | |||
| 204 | struct dev_cgroup *dev_cgroup; | 204 | struct dev_cgroup *dev_cgroup; |
| 205 | 205 | ||
| 206 | dev_cgroup = cgroup_to_devcgroup(cgroup); | 206 | dev_cgroup = cgroup_to_devcgroup(cgroup); |
| 207 | dev_whitelist_clean(dev_cgroup); | 207 | dev_exception_clean(dev_cgroup); |
| 208 | kfree(dev_cgroup); | 208 | kfree(dev_cgroup); |
| 209 | } | 209 | } |
| 210 | 210 | ||
| @@ -250,7 +250,7 @@ static int devcgroup_seq_read(struct cgroup *cgroup, struct cftype *cft, | |||
| 250 | struct seq_file *m) | 250 | struct seq_file *m) |
| 251 | { | 251 | { |
| 252 | struct dev_cgroup *devcgroup = cgroup_to_devcgroup(cgroup); | 252 | struct dev_cgroup *devcgroup = cgroup_to_devcgroup(cgroup); |
| 253 | struct dev_whitelist_item *wh; | 253 | struct dev_exception_item *ex; |
| 254 | char maj[MAJMINLEN], min[MAJMINLEN], acc[ACCLEN]; | 254 | char maj[MAJMINLEN], min[MAJMINLEN], acc[ACCLEN]; |
| 255 | 255 | ||
| 256 | rcu_read_lock(); | 256 | rcu_read_lock(); |
| @@ -267,11 +267,11 @@ static int devcgroup_seq_read(struct cgroup *cgroup, struct cftype *cft, | |||
| 267 | seq_printf(m, "%c %s:%s %s\n", type_to_char(DEV_ALL), | 267 | seq_printf(m, "%c %s:%s %s\n", type_to_char(DEV_ALL), |
| 268 | maj, min, acc); | 268 | maj, min, acc); |
| 269 | } else { | 269 | } else { |
| 270 | list_for_each_entry_rcu(wh, &devcgroup->whitelist, list) { | 270 | list_for_each_entry_rcu(ex, &devcgroup->exceptions, list) { |
| 271 | set_access(acc, wh->access); | 271 | set_access(acc, ex->access); |
| 272 | set_majmin(maj, wh->major); | 272 | set_majmin(maj, ex->major); |
| 273 | set_majmin(min, wh->minor); | 273 | set_majmin(min, ex->minor); |
| 274 | seq_printf(m, "%c %s:%s %s\n", type_to_char(wh->type), | 274 | seq_printf(m, "%c %s:%s %s\n", type_to_char(ex->type), |
| 275 | maj, min, acc); | 275 | maj, min, acc); |
| 276 | } | 276 | } |
| 277 | } | 277 | } |
| @@ -281,42 +281,42 @@ static int devcgroup_seq_read(struct cgroup *cgroup, struct cftype *cft, | |||
| 281 | } | 281 | } |
| 282 | 282 | ||
| 283 | /** | 283 | /** |
| 284 | * may_access_whitelist - verifies if a new rule is part of what is allowed | 284 | * may_access - verifies if a new exception is part of what is allowed |
| 285 | * by a dev cgroup based on the default policy + | 285 | * by a dev cgroup based on the default policy + |
| 286 | * exceptions. This is used to make sure a child cgroup | 286 | * exceptions. This is used to make sure a child cgroup |
| 287 | * won't have more privileges than its parent or to | 287 | * won't have more privileges than its parent or to |
| 288 | * verify if a certain access is allowed. | 288 | * verify if a certain access is allowed. |
| 289 | * @dev_cgroup: dev cgroup to be tested against | 289 | * @dev_cgroup: dev cgroup to be tested against |
| 290 | * @refwh: new rule | 290 | * @refex: new exception |
| 291 | */ | 291 | */ |
| 292 | static int may_access_whitelist(struct dev_cgroup *dev_cgroup, | 292 | static int may_access(struct dev_cgroup *dev_cgroup, |
| 293 | struct dev_whitelist_item *refwh) | 293 | struct dev_exception_item *refex) |
| 294 | { | 294 | { |
| 295 | struct dev_whitelist_item *whitem; | 295 | struct dev_exception_item *ex; |
| 296 | bool match = false; | 296 | bool match = false; |
| 297 | 297 | ||
| 298 | list_for_each_entry(whitem, &dev_cgroup->whitelist, list) { | 298 | list_for_each_entry(ex, &dev_cgroup->exceptions, list) { |
| 299 | if ((refwh->type & DEV_BLOCK) && !(whitem->type & DEV_BLOCK)) | 299 | if ((refex->type & DEV_BLOCK) && !(ex->type & DEV_BLOCK)) |
| 300 | continue; | 300 | continue; |
| 301 | if ((refwh->type & DEV_CHAR) && !(whitem->type & DEV_CHAR)) | 301 | if ((refex->type & DEV_CHAR) && !(ex->type & DEV_CHAR)) |
| 302 | continue; | 302 | continue; |
| 303 | if (whitem->major != ~0 && whitem->major != refwh->major) | 303 | if (ex->major != ~0 && ex->major != refex->major) |
| 304 | continue; | 304 | continue; |
| 305 | if (whitem->minor != ~0 && whitem->minor != refwh->minor) | 305 | if (ex->minor != ~0 && ex->minor != refex->minor) |
| 306 | continue; | 306 | continue; |
| 307 | if (refwh->access & (~whitem->access)) | 307 | if (refex->access & (~ex->access)) |
| 308 | continue; | 308 | continue; |
| 309 | match = true; | 309 | match = true; |
| 310 | break; | 310 | break; |
| 311 | } | 311 | } |
| 312 | 312 | ||
| 313 | /* | 313 | /* |
| 314 | * In two cases we'll consider this new rule valid: | 314 | * In two cases we'll consider this new exception valid: |
| 315 | * - the dev cgroup has its default policy to allow + exception list: | 315 | * - the dev cgroup has its default policy to allow + exception list: |
| 316 | * the new rule should *not* match any of the exceptions | 316 | * the new exception should *not* match any of the exceptions |
| 317 | * (!deny_all, !match) | 317 | * (!deny_all, !match) |
| 318 | * - the dev cgroup has its default policy to deny + exception list: | 318 | * - the dev cgroup has its default policy to deny + exception list: |
| 319 | * the new rule *should* match the exceptions | 319 | * the new exception *should* match the exceptions |
| 320 | * (deny_all, match) | 320 | * (deny_all, match) |
| 321 | */ | 321 | */ |
| 322 | if (dev_cgroup->deny_all == match) | 322 | if (dev_cgroup->deny_all == match) |
| @@ -326,11 +326,11 @@ static int may_access_whitelist(struct dev_cgroup *dev_cgroup, | |||
| 326 | 326 | ||
| 327 | /* | 327 | /* |
| 328 | * parent_has_perm: | 328 | * parent_has_perm: |
| 329 | * when adding a new allow rule to a device whitelist, the rule | 329 | * when adding a new allow rule to a device exception list, the rule |
| 330 | * must be allowed in the parent device | 330 | * must be allowed in the parent device |
| 331 | */ | 331 | */ |
| 332 | static int parent_has_perm(struct dev_cgroup *childcg, | 332 | static int parent_has_perm(struct dev_cgroup *childcg, |
| 333 | struct dev_whitelist_item *wh) | 333 | struct dev_exception_item *ex) |
| 334 | { | 334 | { |
| 335 | struct cgroup *pcg = childcg->css.cgroup->parent; | 335 | struct cgroup *pcg = childcg->css.cgroup->parent; |
| 336 | struct dev_cgroup *parent; | 336 | struct dev_cgroup *parent; |
| @@ -338,17 +338,17 @@ static int parent_has_perm(struct dev_cgroup *childcg, | |||
| 338 | if (!pcg) | 338 | if (!pcg) |
| 339 | return 1; | 339 | return 1; |
| 340 | parent = cgroup_to_devcgroup(pcg); | 340 | parent = cgroup_to_devcgroup(pcg); |
| 341 | return may_access_whitelist(parent, wh); | 341 | return may_access(parent, ex); |
| 342 | } | 342 | } |
| 343 | 343 | ||
| 344 | /* | 344 | /* |
| 345 | * Modify the whitelist using allow/deny rules. | 345 | * Modify the exception list using allow/deny rules. |
| 346 | * CAP_SYS_ADMIN is needed for this. It's at least separate from CAP_MKNOD | 346 | * CAP_SYS_ADMIN is needed for this. It's at least separate from CAP_MKNOD |
| 347 | * so we can give a container CAP_MKNOD to let it create devices but not | 347 | * so we can give a container CAP_MKNOD to let it create devices but not |
| 348 | * modify the whitelist. | 348 | * modify the exception list. |
| 349 | * It seems likely we'll want to add a CAP_CONTAINER capability to allow | 349 | * It seems likely we'll want to add a CAP_CONTAINER capability to allow |
| 350 | * us to also grant CAP_SYS_ADMIN to containers without giving away the | 350 | * us to also grant CAP_SYS_ADMIN to containers without giving away the |
| 351 | * device whitelist controls, but for now we'll stick with CAP_SYS_ADMIN | 351 | * device exception list controls, but for now we'll stick with CAP_SYS_ADMIN |
| 352 | * | 352 | * |
| 353 | * Taking rules away is always allowed (given CAP_SYS_ADMIN). Granting | 353 | * Taking rules away is always allowed (given CAP_SYS_ADMIN). Granting |
| 354 | * new access is only allowed if you're in the top-level cgroup, or your | 354 | * new access is only allowed if you're in the top-level cgroup, or your |
| @@ -360,25 +360,25 @@ static int devcgroup_update_access(struct dev_cgroup *devcgroup, | |||
| 360 | const char *b; | 360 | const char *b; |
| 361 | char *endp; | 361 | char *endp; |
| 362 | int count; | 362 | int count; |
| 363 | struct dev_whitelist_item wh; | 363 | struct dev_exception_item ex; |
| 364 | 364 | ||
| 365 | if (!capable(CAP_SYS_ADMIN)) | 365 | if (!capable(CAP_SYS_ADMIN)) |
| 366 | return -EPERM; | 366 | return -EPERM; |
| 367 | 367 | ||
| 368 | memset(&wh, 0, sizeof(wh)); | 368 | memset(&ex, 0, sizeof(ex)); |
| 369 | b = buffer; | 369 | b = buffer; |
| 370 | 370 | ||
| 371 | switch (*b) { | 371 | switch (*b) { |
| 372 | case 'a': | 372 | case 'a': |
| 373 | switch (filetype) { | 373 | switch (filetype) { |
| 374 | case DEVCG_ALLOW: | 374 | case DEVCG_ALLOW: |
| 375 | if (!parent_has_perm(devcgroup, &wh)) | 375 | if (!parent_has_perm(devcgroup, &ex)) |
| 376 | return -EPERM; | 376 | return -EPERM; |
| 377 | dev_whitelist_clean(devcgroup); | 377 | dev_exception_clean(devcgroup); |
| 378 | devcgroup->deny_all = false; | 378 | devcgroup->deny_all = false; |
| 379 | break; | 379 | break; |
| 380 | case DEVCG_DENY: | 380 | case DEVCG_DENY: |
| 381 | dev_whitelist_clean(devcgroup); | 381 | dev_exception_clean(devcgroup); |
| 382 | devcgroup->deny_all = true; | 382 | devcgroup->deny_all = true; |
| 383 | break; | 383 | break; |
| 384 | default: | 384 | default: |
| @@ -386,10 +386,10 @@ static int devcgroup_update_access(struct dev_cgroup *devcgroup, | |||
| 386 | } | 386 | } |
| 387 | return 0; | 387 | return 0; |
| 388 | case 'b': | 388 | case 'b': |
| 389 | wh.type = DEV_BLOCK; | 389 | ex.type = DEV_BLOCK; |
| 390 | break; | 390 | break; |
| 391 | case 'c': | 391 | case 'c': |
| 392 | wh.type = DEV_CHAR; | 392 | ex.type = DEV_CHAR; |
| 393 | break; | 393 | break; |
| 394 | default: | 394 | default: |
| 395 | return -EINVAL; | 395 | return -EINVAL; |
| @@ -399,10 +399,10 @@ static int devcgroup_update_access(struct dev_cgroup *devcgroup, | |||
| 399 | return -EINVAL; | 399 | return -EINVAL; |
| 400 | b++; | 400 | b++; |
| 401 | if (*b == '*') { | 401 | if (*b == '*') { |
| 402 | wh.major = ~0; | 402 | ex.major = ~0; |
| 403 | b++; | 403 | b++; |
| 404 | } else if (isdigit(*b)) { | 404 | } else if (isdigit(*b)) { |
| 405 | wh.major = simple_strtoul(b, &endp, 10); | 405 | ex.major = simple_strtoul(b, &endp, 10); |
| 406 | b = endp; | 406 | b = endp; |
| 407 | } else { | 407 | } else { |
| 408 | return -EINVAL; | 408 | return -EINVAL; |
| @@ -413,10 +413,10 @@ static int devcgroup_update_access(struct dev_cgroup *devcgroup, | |||
| 413 | 413 | ||
| 414 | /* read minor */ | 414 | /* read minor */ |
| 415 | if (*b == '*') { | 415 | if (*b == '*') { |
| 416 | wh.minor = ~0; | 416 | ex.minor = ~0; |
| 417 | b++; | 417 | b++; |
| 418 | } else if (isdigit(*b)) { | 418 | } else if (isdigit(*b)) { |
| 419 | wh.minor = simple_strtoul(b, &endp, 10); | 419 | ex.minor = simple_strtoul(b, &endp, 10); |
| 420 | b = endp; | 420 | b = endp; |
| 421 | } else { | 421 | } else { |
| 422 | return -EINVAL; | 422 | return -EINVAL; |
| @@ -426,13 +426,13 @@ static int devcgroup_update_access(struct dev_cgroup *devcgroup, | |||
| 426 | for (b++, count = 0; count < 3; count++, b++) { | 426 | for (b++, count = 0; count < 3; count++, b++) { |
| 427 | switch (*b) { | 427 | switch (*b) { |
| 428 | case 'r': | 428 | case 'r': |
| 429 | wh.access |= ACC_READ; | 429 | ex.access |= ACC_READ; |
| 430 | break; | 430 | break; |
| 431 | case 'w': | 431 | case 'w': |
| 432 | wh.access |= ACC_WRITE; | 432 | ex.access |= ACC_WRITE; |
| 433 | break; | 433 | break; |
| 434 | case 'm': | 434 | case 'm': |
| 435 | wh.access |= ACC_MKNOD; | 435 | ex.access |= ACC_MKNOD; |
| 436 | break; | 436 | break; |
| 437 | case '\n': | 437 | case '\n': |
| 438 | case '\0': | 438 | case '\0': |
| @@ -445,7 +445,7 @@ static int devcgroup_update_access(struct dev_cgroup *devcgroup, | |||
| 445 | 445 | ||
| 446 | switch (filetype) { | 446 | switch (filetype) { |
| 447 | case DEVCG_ALLOW: | 447 | case DEVCG_ALLOW: |
| 448 | if (!parent_has_perm(devcgroup, &wh)) | 448 | if (!parent_has_perm(devcgroup, &ex)) |
| 449 | return -EPERM; | 449 | return -EPERM; |
| 450 | /* | 450 | /* |
| 451 | * If the default policy is to allow by default, try to remove | 451 | * If the default policy is to allow by default, try to remove |
| @@ -453,10 +453,10 @@ static int devcgroup_update_access(struct dev_cgroup *devcgroup, | |||
| 453 | * don't want to break compatibility | 453 | * don't want to break compatibility |
| 454 | */ | 454 | */ |
| 455 | if (devcgroup->deny_all == false) { | 455 | if (devcgroup->deny_all == false) { |
| 456 | dev_whitelist_rm(devcgroup, &wh); | 456 | dev_exception_rm(devcgroup, &ex); |
| 457 | return 0; | 457 | return 0; |
| 458 | } | 458 | } |
| 459 | return dev_whitelist_add(devcgroup, &wh); | 459 | return dev_exception_add(devcgroup, &ex); |
| 460 | case DEVCG_DENY: | 460 | case DEVCG_DENY: |
| 461 | /* | 461 | /* |
| 462 | * If the default policy is to deny by default, try to remove | 462 | * If the default policy is to deny by default, try to remove |
| @@ -464,10 +464,10 @@ static int devcgroup_update_access(struct dev_cgroup *devcgroup, | |||
| 464 | * don't want to break compatibility | 464 | * don't want to break compatibility |
| 465 | */ | 465 | */ |
| 466 | if (devcgroup->deny_all == true) { | 466 | if (devcgroup->deny_all == true) { |
| 467 | dev_whitelist_rm(devcgroup, &wh); | 467 | dev_exception_rm(devcgroup, &ex); |
| 468 | return 0; | 468 | return 0; |
| 469 | } | 469 | } |
| 470 | return dev_whitelist_add(devcgroup, &wh); | 470 | return dev_exception_add(devcgroup, &ex); |
| 471 | default: | 471 | default: |
| 472 | return -EINVAL; | 472 | return -EINVAL; |
| 473 | } | 473 | } |
| @@ -537,17 +537,17 @@ static int __devcgroup_check_permission(struct dev_cgroup *dev_cgroup, | |||
| 537 | short type, u32 major, u32 minor, | 537 | short type, u32 major, u32 minor, |
| 538 | short access) | 538 | short access) |
| 539 | { | 539 | { |
| 540 | struct dev_whitelist_item wh; | 540 | struct dev_exception_item ex; |
| 541 | int rc; | 541 | int rc; |
| 542 | 542 | ||
| 543 | memset(&wh, 0, sizeof(wh)); | 543 | memset(&ex, 0, sizeof(ex)); |
| 544 | wh.type = type; | 544 | ex.type = type; |
| 545 | wh.major = major; | 545 | ex.major = major; |
| 546 | wh.minor = minor; | 546 | ex.minor = minor; |
| 547 | wh.access = access; | 547 | ex.access = access; |
| 548 | 548 | ||
| 549 | rcu_read_lock(); | 549 | rcu_read_lock(); |
| 550 | rc = may_access_whitelist(dev_cgroup, &wh); | 550 | rc = may_access(dev_cgroup, &ex); |
| 551 | rcu_read_unlock(); | 551 | rcu_read_unlock(); |
| 552 | 552 | ||
| 553 | if (!rc) | 553 | if (!rc) |