Pasha,
can you please review those 2 patches?
Thank you!
--
Best regards,
Konstantin Khorenko,
Virtuozzo Linux Kernel Team
On 16.12.2022 15:38, Nikolay Borisov wrote:
This is required as the latter would call the former in upcoming
patches.
Signed-off-by: Nikolay Borisov <nikolay.bori...@virtuozzo.com>
---
security/device_cgroup.c | 87 +++++++++++++++++++++-------------------
1 file changed, 46 insertions(+), 41 deletions(-)
diff --git a/security/device_cgroup.c b/security/device_cgroup.c
index f9d205f95c25..f7948334e318 100644
--- a/security/device_cgroup.c
+++ b/security/device_cgroup.c
@@ -387,42 +387,45 @@ static int devcgroup_seq_read(struct cgroup *cgroup,
struct cftype *cft,
}
/**
- * match_exception - iterates the exception list trying to match a rule
- * based on type, major, minor and access type. It is
- * considered a match if an exception is found that
- * will contain the entire range of provided parameters.
+ * match_exception_partial - iterates the exception list trying to match a rule
+ * based on type, major, minor and access type. It is
+ * considered a match if an exception's range is
+ * found to contain *any* of the devices specified by
+ * provided parameters. This is used to make sure no
+ * extra access is being granted that is forbidden by
+ * any of the exception list.
* @exceptions: list of exceptions
* @type: device type (DEV_BLOCK or DEV_CHAR)
* @major: device file major number, ~0 to match all
* @minor: device file minor number, ~0 to match all
* @access: permission mask (ACC_READ, ACC_WRITE, ACC_MKNOD)
*
- * returns: true in case it matches an exception completely
+ * returns: true in case the provided range mat matches an exception completely
*/
-static bool match_exception(struct list_head *exceptions, short type,
- u32 major, u32 minor, short access)
+static bool match_exception_partial(struct list_head *exceptions, short type,
+ u32 major, u32 minor, short access)
{
struct dev_exception_item *ex;
list_for_each_entry_rcu(ex, exceptions, list) {
- short mismatched_bits;
- bool allowed_mount;
-
if ((type & DEV_BLOCK) && !(ex->type & DEV_BLOCK))
continue;
if ((type & DEV_CHAR) && !(ex->type & DEV_CHAR))
continue;
- if (ex->major != ~0 && ex->major != major)
+ /*
+ * We must be sure that both the exception and the provided
+ * range aren't masking all devices
+ */
+ if (ex->major != ~0 && major != ~0 && ex->major != major)
continue;
- if (ex->minor != ~0 && ex->minor != minor)
+ if (ex->minor != ~0 && minor != ~0 && ex->minor != minor)
continue;
- /* provided access cannot have more than the exception rule */
- mismatched_bits = access & (~ex->access) & ~ACC_MOUNT;
- allowed_mount = !(mismatched_bits & ~ACC_WRITE) &&
- (ex->access & ACC_MOUNT) &&
- (access & ACC_MOUNT);
-
- if (mismatched_bits && !allowed_mount)
+ /*
+ * In order to make sure the provided range isn't matching
+ * an exception, all its access bits shouldn't match the
+ * exception's access bits
+ */
+ if (!(access & ex->access))
continue;
return true;
}
@@ -430,48 +433,50 @@ static bool match_exception(struct list_head *exceptions,
short type,
}
/**
- * match_exception_partial - iterates the exception list trying to match a rule
- * based on type, major, minor and access type. It is
- * considered a match if an exception's range is
- * found to contain *any* of the devices specified by
- * provided parameters. This is used to make sure no
- * extra access is being granted that is forbidden by
- * any of the exception list.
+ * match_exception - iterates the exception list trying to match a rule
+ * based on type, major, minor and access type. It is
+ * considered a match if an exception is found that
+ * will contain the entire range of provided parameters.
* @exceptions: list of exceptions
* @type: device type (DEV_BLOCK or DEV_CHAR)
* @major: device file major number, ~0 to match all
* @minor: device file minor number, ~0 to match all
* @access: permission mask (ACC_READ, ACC_WRITE, ACC_MKNOD)
*
- * returns: true in case the provided range mat matches an exception completely
+ * returns: true in case it matches an exception completely
*/
-static bool match_exception_partial(struct list_head *exceptions, short type,
- u32 major, u32 minor, short access)
+static bool match_exception(struct dev_cgroup *dev_cgroup, short type,
+ u32 major, u32 minor, short access)
{
struct dev_exception_item *ex;
+ struct cgroup *cgrp = dev_cgroup->css.cgroup;
+ struct list_head *exceptions = &dev_cgroup->exceptions;
list_for_each_entry_rcu(ex, exceptions, list) {
+ short mismatched_bits;
+ bool allowed_mount;
+
if ((type & DEV_BLOCK) && !(ex->type & DEV_BLOCK))
continue;
if ((type & DEV_CHAR) && !(ex->type & DEV_CHAR))
continue;
- /*
- * We must be sure that both the exception and the provided
- * range aren't masking all devices
- */
- if (ex->major != ~0 && major != ~0 && ex->major != major)
+ if (ex->major != ~0 && ex->major != major)
continue;
- if (ex->minor != ~0 && minor != ~0 && ex->minor != minor)
+ if (ex->minor != ~0 && ex->minor != minor)
continue;
- /*
- * In order to make sure the provided range isn't matching
- * an exception, all its access bits shouldn't match the
- * exception's access bits
- */
- if (!(access & ex->access))
+
+ /* provided access cannot have more than the exception rule */
+ mismatched_bits = access & (~ex->access) & ~ACC_MOUNT;
+ allowed_mount = !(mismatched_bits & ~ACC_WRITE) &&
+ (ex->access & ACC_MOUNT) &&
+ (access & ACC_MOUNT);
+
+ if (mismatched_bits && !allowed_mount)
continue;
+
return true;
}
+
return false;
}
--
2.34.1
_______________________________________________
Devel mailing list
Devel@openvz.org
https://lists.openvz.org/mailman/listinfo/devel
_______________________________________________
Devel mailing list
Devel@openvz.org
https://lists.openvz.org/mailman/listinfo/devel
