From: aris-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org
To: cgroups-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
Cc: Li Zefan <lizefan-hv44wF8Li93QT0dZR+AlfA@public.gmane.org>,
	Tejun Heo <tj-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>
Subject: [PATCH 3/4] devcg: save locally saved settings
Date: Thu, 15 Aug 2013 11:34:13 -0400	[thread overview]
Message-ID: <1376580854-30929-4-git-send-email-aris@redhat.com> (raw)
In-Reply-To: <1376580854-30929-1-git-send-email-aris-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>

From: Aristeu Rozanski <arozansk-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>

Whenever rules are written to the current cgroup, save them locally so they
can be reused when the parent's rules change. This patch prepares for
revalidating the local rules against the parent's current state, which is
needed not only to retain the local settings whenever possible but also to
allow moving the group to another part of the tree.

Signed-off-by: Aristeu Rozanski <arozansk-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
---
 security/device_cgroup.c |   35 +++++++++++++++++++++++++++++++----
 1 files changed, 31 insertions(+), 4 deletions(-)

diff --git a/security/device_cgroup.c b/security/device_cgroup.c
index 8461e0f..7f55bb7 100644
--- a/security/device_cgroup.c
+++ b/security/device_cgroup.c
@@ -53,6 +53,7 @@ struct devcg_rules {
 struct dev_cgroup {
 	struct cgroup_subsys_state css;
 	struct devcg_rules active_rules;
+	struct devcg_rules local_rules;
 };
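Review bot: The new `local_rules` member is added next to `active_rules` with nothing saying how the two differ, and the distinction is the whole point of the series (the active set is what is enforced, the local set is what was written here and will be reapplied). A one-line comment on the field would save the next reader a trip through the thread: `struct devcg_rules local_rules; /* rules written to this cgroup; kept so they can be revalidated when the parent changes */`. The struct definition starts above the hunk.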
 
 static inline struct list_head *active_exceptions(struct dev_cgroup *devcg)
@@ -62,6 +63,13 @@ static inline struct list_head *active_exceptions(struct dev_cgroup *devcg)
 
 #define active_behavior(devcg) ((devcg)->active_rules.behavior)
 
+static inline struct list_head *local_exceptions(struct dev_cgroup *devcg)
+{
+	return &(devcg->local_rules.exceptions);
+}
+
+#define local_behavior(devcg) ((devcg)->local_rules.behavior)
+
 static inline struct dev_cgroup *css_to_devcgroup(struct cgroup_subsys_state *s)
 {
 	return s ? container_of(s, struct dev_cgroup, css) : NULL;
@@ -168,16 +176,22 @@ static void dev_exception_rm(struct list_head *exceptions,
 	}
 }
 
-static void __dev_exception_clean(struct dev_cgroup *dev_cgroup)
+static void __dev_exception_clean_one(struct list_head *exceptions)
 {
 	struct dev_exception_item *ex, *tmp;
 
-	list_for_each_entry_safe(ex, tmp, active_exceptions(dev_cgroup), list) {
+	list_for_each_entry_safe(ex, tmp, exceptions, list) {
 		list_del_rcu(&ex->list);
 		kfree_rcu(ex, rcu);
 	}
 }
 
+static void __dev_exception_clean(struct dev_cgroup *dev_cgroup)
+{
+	__dev_exception_clean_one(active_exceptions(dev_cgroup));
+	__dev_exception_clean_one(local_exceptions(dev_cgroup));
+}
+
 /**
  * dev_exception_clean - frees all entries of the exception list
  * @dev_cgroup: dev_cgroup with the exception list to be cleaned
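Review bot: The kerneldoc for dev_exception_clean() still says it "frees all entries of the exception list", but __dev_exception_clean() now empties both active_exceptions and local_exceptions, so the description is stale assuming dev_exception_clean() still just wraps it. Suggest `* dev_exception_clean - frees all entries of both the active and the local exception lists`. Also worth noting in the comment that the local list is taken down with list_del_rcu()/kfree_rcu() like the active one; that is harmless but only the active list appears to be walked under RCU, so a plain list_del()/kfree() would be enough there if that holds. The body of dev_exception_clean() is outside the hunk.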
@@ -245,6 +259,8 @@ devcgroup_css_alloc(struct cgroup_subsys_state *parent_css)
 		return ERR_PTR(-ENOMEM);
 	INIT_LIST_HEAD(active_exceptions(dev_cgroup));
 	active_behavior(dev_cgroup) = DEVCG_DEFAULT_NONE;
+	INIT_LIST_HEAD(local_exceptions(dev_cgroup));
+	local_behavior(dev_cgroup) = DEVCG_DEFAULT_NONE;
 
 	return &dev_cgroup->css;
 }
@@ -546,6 +562,9 @@ static int devcgroup_update_access(struct dev_cgroup *devcgroup,
 				return -EPERM;
 			dev_exception_clean(devcgroup);
 			active_behavior(devcgroup) = DEVCG_DEFAULT_ALLOW;
+			if (local_behavior(devcgroup) == DEVCG_DEFAULT_DENY)
+				__dev_exception_clean_one(local_exceptions(devcgroup));
+			local_behavior(devcgroup) = DEVCG_DEFAULT_ALLOW;
 			if (!parent)
 				break;
 
@@ -560,6 +579,9 @@ static int devcgroup_update_access(struct dev_cgroup *devcgroup,
 
 			dev_exception_clean(devcgroup);
 			active_behavior(devcgroup) = DEVCG_DEFAULT_DENY;
+			if (local_behavior(devcgroup) == DEVCG_DEFAULT_ALLOW)
+				__dev_exception_clean_one(local_exceptions(devcgroup));
+			local_behavior(devcgroup) = DEVCG_DEFAULT_DENY;
 			break;
 		default:
 			return -EINVAL;
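Review bot: Same question as for the ALLOW branch: `if (local_behavior(devcgroup) == DEVCG_DEFAULT_ALLOW) __dev_exception_clean_one(local_exceptions(devcgroup));` runs after `dev_exception_clean(devcgroup)`, which with this patch already drops the local list, so the condition never sees any local exceptions to remove (assuming dev_exception_clean() still wraps __dev_exception_clean()). If local exceptions are meant to be preserved when the local behavior was already DENY, the clean must be made selective; otherwise the two lines can go. devcgroup_update_access() continues outside the hunk.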
@@ -650,9 +672,11 @@ static int devcgroup_update_access(struct dev_cgroup *devcgroup,
 		 */
 		if (active_behavior(devcgroup) == DEVCG_DEFAULT_ALLOW) {
 			dev_exception_rm(active_exceptions(devcgroup), &ex);
+			dev_exception_rm(local_exceptions(devcgroup), &ex);
 			return 0;
 		}
 		rc = dev_exception_add(active_exceptions(devcgroup), &ex);
+		rc = dev_exception_add(local_exceptions(devcgroup), &ex);
 		break;
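Review bot: `rc = dev_exception_add(active_exceptions(devcgroup), &ex);` is immediately overwritten by `rc = dev_exception_add(local_exceptions(devcgroup), &ex);`, so a failure on the active list (presumably an allocation failure) is lost whenever the local add succeeds, and the caller is told the exception took effect when the enforced list does not contain it. Check the first result before the second call: `rc = dev_exception_add(active_exceptions(devcgroup), &ex);` `if (rc) break;` `rc = dev_exception_add(local_exceptions(devcgroup), &ex);`. If the local add fails after the active one succeeded, consider removing the active entry again so the two lists do not diverge. The switch and devcgroup_update_access() continue outside the hunk.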
 	case DEVCG_DENY:
 		/*
@@ -660,10 +684,13 @@ static int devcgroup_update_access(struct dev_cgroup *devcgroup,
 		 * an matching exception instead. And be silent about it: we
 		 * don't want to break compatibility
 		 */
-		if (active_behavior(devcgroup) == DEVCG_DEFAULT_DENY)
+		if (active_behavior(devcgroup) == DEVCG_DEFAULT_DENY) {
 			dev_exception_rm(active_exceptions(devcgroup), &ex);
-		else
+			dev_exception_rm(local_exceptions(devcgroup), &ex);
+		} else {
 			rc = dev_exception_add(active_exceptions(devcgroup), &ex);
+			rc = dev_exception_add(local_exceptions(devcgroup), &ex);
+		}
 
 		if (rc)
 			break;
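Review bot: In the else branch the second `rc = dev_exception_add(local_exceptions(devcgroup), &ex);` clobbers the result of the active-list add on the line before it, so the `if (rc) break;` at the end of the hunk only reacts to the local add; an active-list failure is silently reported as success while the deny exception is not actually enforced. Test the first result before making the second call: `rc = dev_exception_add(active_exceptions(devcgroup), &ex);` `if (rc) break;` `rc = dev_exception_add(local_exceptions(devcgroup), &ex);`. devcgroup_update_access() continues outside the hunk.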
-- 
1.7.1
