device_cgroup: added a new control file, devices.info #358

Open
wants to merge 1 commit into
base: master
42 changes: 40 additions & 2 deletions security/device_cgroup.c
Expand Up @@ -237,6 +237,7 @@ static void devcgroup_css_free(struct cgroup_subsys_state *css)
#define DEVCG_ALLOW 1
#define DEVCG_DENY 2
#define DEVCG_LIST 3
#define DEVCG_INFO 4

#define MAJMINLEN 13
#define ACCLEN 4
Expand Down Expand Up @@ -305,6 +306,38 @@ static int devcgroup_seq_show(struct seq_file *m, void *v)
return 0;
}

static int devcgroup_seq_info(struct seq_file *m, void *v)
{
struct dev_cgroup *devcgroup = css_to_devcgroup(seq_css(m));
struct dev_exception_item *ex;
char maj[MAJMINLEN], min[MAJMINLEN], acc[ACCLEN], behavior;

rcu_read_lock();
/*
* Since the .list file remains as a "whitelist of devices"
* getting additional information re: what exceptions to the
* default behavior are present must come from an alternate
* file -- thus, the .info file:
*/
if (devcgroup->behavior == DEVCG_DEFAULT_ALLOW) {
behavior = '-';
seq_printf(m, "ALLOW ALL\n");
} else {
behavior = '+';
seq_printf(m, "DENY ALL\n");
}
list_for_each_entry_rcu(ex, &devcgroup->exceptions, list) {
set_access(acc, ex->access);
set_majmin(maj, ex->major);
set_majmin(min, ex->minor);
seq_printf(m, "%c %c %s:%s %s\n", behavior, type_to_char(ex->type),
maj, min, acc);
}
rcu_read_unlock();

return 0;
}

/**
* match_exception - iterates the exception list trying to find a complete match
* @exceptions: list of exceptions
Expand Down Expand Up @@ -409,14 +442,14 @@ static bool verify_new_ex(struct dev_cgroup *dev_cgroup,
/*
* new exception in the child doesn't matter, only
* adding extra restrictions
*/
*/
return true;
} else {
/*
* new exception in the child will add more devices
* that can be acessed, so it can't match any of
* parent's exceptions, even slightly
*/
*/
match = match_exception_partial(&dev_cgroup->exceptions,
refex->type,
refex->major,
Expand Down Expand Up @@ -788,6 +821,11 @@ static struct cftype dev_cgroup_files[] = {
.seq_show = devcgroup_seq_show,
.private = DEVCG_LIST,
},
{
.name = "info",
.seq_show = devcgroup_seq_info,
.private = DEVCG_INFO,
},
{ } /* terminate */
};
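Review bot: In devcgroup_seq_info, `devcgroup->behavior` is read once and the exception list is then walked under `rcu_read_lock()` only, so a write that flips the default policy between the two steps could print exceptions with the wrong `+`/`-` sign under a stale `ALLOW ALL`/`DENY ALL` header; the update path is not visible in these hunks, so this is inferred. Because the file exists so an administrator can audit the effective device policy, either hold the lock the update path takes (presumably `devcgroup_mutex`) around the read and the walk, or state the limitation above the function, e.g. `/* Output is a best-effort snapshot; behavior and exceptions may change concurrently. */`. The two constant header lines would normally be `seq_puts(m, "ALLOW ALL\n");` and `seq_puts(m, "DENY ALL\n");` rather than `seq_printf`. The third hunk only changes whitespace on two `*/` lines in verify_new_ex and is unrelated to the feature, and the output format of the new `devices.info` file is not documented anywhere in the visible diff.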
