[Devel] [PATCH rh7] ve: device cgroup -- Implement devcgroup_seq_show_ve

Cyrill Gorcunov gorcunov at odin.com
Mon May 18 10:04:27 PDT 2015


On Mon, May 18, 2015 at 07:43:40PM +0300, Cyrill Gorcunov wrote:
> > 
> > For uuid-named cgroups ve->veid != cgroup name. You should use ve->name
> > instead. Please fix.
> 
> Oh, i forgot about this new approach with uuid containers. Sure will do,
> thank you!

Attached.
-------------- next part --------------
From: Cyrill Gorcunov <gorcunov at odin.com>
Subject: ve: device cgroup -- Implement devcgroup_seq_show_ve

In PCS7 cgroups are configured from user space, so there is
no longer a connection from ve to the device cgroup via css as
there was in PCS6. Instead we should open the device cgroup explicitly.

https://jira.sw.ru/browse/PSBM-33555

v2 (by vdavydov@):
 - use ve::ve_name because we're switching to UUID based containers

Signed-off-by: Cyrill Gorcunov <gorcunov at odin.com>
CC: Vladimir Davydov <vdavydov at odin.com>
CC: Konstantin Khorenko <khorenko at odin.com>
CC: Andrey Vagin <avagin at odin.com>
---
 include/linux/device_cgroup.h |    3 ++-
 kernel/ve/vecalls.c           |    2 +-
 security/device_cgroup.c      |   14 +++++++++++---
 3 files changed, 14 insertions(+), 5 deletions(-)

Index: linux-pcs7.git/include/linux/device_cgroup.h
===================================================================
--- linux-pcs7.git.orig/include/linux/device_cgroup.h
+++ linux-pcs7.git/include/linux/device_cgroup.h
@@ -19,7 +19,8 @@ extern int devcgroup_device_visible(umod
 struct cgroup;
 int devcgroup_default_perms_ve(struct cgroup *cgroup);
 int devcgroup_set_perms_ve(struct cgroup *cgroup, unsigned, dev_t, unsigned);
-int devcgroup_seq_show_ve(struct cgroup *cgroup, unsigned veid, struct seq_file *m);
+struct ve_struct;
+int devcgroup_seq_show_ve(struct cgroup *devices_root, struct ve_struct *ve, struct seq_file *m);
 
 #else
 static inline int devcgroup_inode_permission(struct inode *inode, int mask)
Index: linux-pcs7.git/kernel/ve/vecalls.c
===================================================================
--- linux-pcs7.git.orig/kernel/ve/vecalls.c
+++ linux-pcs7.git/kernel/ve/vecalls.c
@@ -891,7 +891,7 @@ static int devperms_seq_show(struct seq_
 	if (ve_is_super(ve))
 		seq_printf(m, "%10u b 016 *:*\n%10u c 006 *:*\n", 0, 0);
 	else
-		devcgroup_seq_show_ve(ve->css.cgroup, ve->veid, m);
+		devcgroup_seq_show_ve(devices_root, ve, m);
 
 	return 0;
 }
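Review bot: The changed call in the `else` branch discards the return value of devcgroup_seq_show_ve(), which with this patch can be a negative errno from the cgroup lookup, so devperms_seq_show() still falls through to `return 0;`. A failed lookup then reads as an empty device-permission listing, and someone auditing a container's device access cannot tell "no exceptions" from "lookup failed". Consider propagating the result with `return devcgroup_seq_show_ve(devices_root, ve, m);`. devperms_seq_show() begins outside the hunk, and the definition of `devices_root` is not visible here, so confirm it is set up before this show handler can run.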
Index: linux-pcs7.git/security/device_cgroup.c
===================================================================
--- linux-pcs7.git.orig/security/device_cgroup.c
+++ linux-pcs7.git/security/device_cgroup.c
@@ -17,6 +17,7 @@
 #include <linux/major.h>
 #include <linux/module.h>
 #include <linux/capability.h>
+#include <linux/ve.h>
 
 #define ACC_MKNOD 1
 #define ACC_READ  2
@@ -1091,10 +1092,16 @@ int devcgroup_set_perms_ve(struct cgroup
 }
 EXPORT_SYMBOL(devcgroup_set_perms_ve);
 
-int devcgroup_seq_show_ve(struct cgroup *cgroup, unsigned veid, struct seq_file *m)
+int devcgroup_seq_show_ve(struct cgroup *devices_root, struct ve_struct *ve, struct seq_file *m)
 {
-	struct dev_cgroup *devcgroup = cgroup_to_devcgroup(cgroup);
 	struct dev_exception_item *wh;
+	struct dev_cgroup *devcgroup;
+	struct cgroup *cgroup;
+
+	cgroup = cgroup_kernel_open(devices_root, 0, ve_name(ve));
+	if (IS_ERR(cgroup))
+		return PTR_ERR(cgroup);
+	devcgroup = cgroup_to_devcgroup(cgroup);
 
 	rcu_read_lock();
 	list_for_each_entry_rcu(wh, &devcgroup->exceptions, list) {
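Review bot: The `IS_ERR(cgroup)` check after `cgroup_kernel_open(devices_root, 0, ve_name(ve))` does not cover a NULL return, yet the next line hands the pointer to cgroup_to_devcgroup() and the loop then reads `devcgroup->exceptions`. cgroup_kernel_open() is not defined on this page; if it can return NULL when the named cgroup does not exist and no create flag is passed (flags is 0 here), reading this file for a container without a device cgroup would dereference NULL in the kernel. In that case the guard should be `if (IS_ERR_OR_NULL(cgroup)) return cgroup ? PTR_ERR(cgroup) : -ENOENT;`. The function body continues in the next hunk, where cgroup_kernel_close() drops the reference.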
@@ -1112,12 +1119,13 @@ int devcgroup_seq_show_ve(struct cgroup
 			perm |= S_IXOTH;
 
 		seq_printf(m, "%10u %c %03o %s:%s\n",
-				veid,
+				ve->veid,
 				type_to_char(wh->type),
 				perm, maj, min);
 	}
 	rcu_read_unlock();
 
+	cgroup_kernel_close(cgroup);
 	return 0;
 }
 EXPORT_SYMBOL(devcgroup_seq_show_ve);

