[Devel] [PATCH RHEL7 COMMIT] ve: device cgroup -- Implement devcgroup_seq_show_ve

Konstantin Khorenko khorenko at odin.com
Mon May 18 13:43:32 PDT 2015


The commit is pushed to "branch-rh7-3.10.0-123.1.2-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-123.1.2.vz7.5.1
------>
commit bc411f061cc8878edb65db52b8e58ab2fa218186
Author: Cyrill Gorcunov <gorcunov at odin.com>
Date:   Tue May 19 00:43:32 2015 +0400

    ve: device cgroup -- Implement devcgroup_seq_show_ve
    
    In PCS7 cgroups are configured from user space, so there is
    no longer a connection from a ve to its device cgroup via css as
    there was in PCS6. Instead we should open the device cgroup explicitly.
    
    https://jira.sw.ru/browse/PSBM-33555
    
    v2 (by vdavydov@):
     - use ve::ve_name because we're switching to UUID based containers
    
    Signed-off-by: Cyrill Gorcunov <gorcunov at odin.com>
    Reviewed-by: Vladimir Davydov <vdavydov at parallels.com>
    
    CC: Konstantin Khorenko <khorenko at odin.com>
    CC: Andrey Vagin <avagin at odin.com>
---
 include/linux/device_cgroup.h |  3 ++-
 kernel/ve/vecalls.c           |  2 +-
 security/device_cgroup.c      | 14 +++++++++++---
 3 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/include/linux/device_cgroup.h b/include/linux/device_cgroup.h
index bc58c4c..32588bb 100644
--- a/include/linux/device_cgroup.h
+++ b/include/linux/device_cgroup.h
@@ -19,7 +19,8 @@ extern int devcgroup_device_visible(umode_t mode, int major,
 struct cgroup;
 int devcgroup_default_perms_ve(struct cgroup *cgroup);
 int devcgroup_set_perms_ve(struct cgroup *cgroup, unsigned, dev_t, unsigned);
-int devcgroup_seq_show_ve(struct cgroup *cgroup, unsigned veid, struct seq_file *m);
+struct ve_struct;
+int devcgroup_seq_show_ve(struct cgroup *devices_root, struct ve_struct *ve, struct seq_file *m);
 
 #else
 static inline int devcgroup_inode_permission(struct inode *inode, int mask)
diff --git a/kernel/ve/vecalls.c b/kernel/ve/vecalls.c
index 7c574b3..2613a1e 100644
--- a/kernel/ve/vecalls.c
+++ b/kernel/ve/vecalls.c
@@ -891,7 +891,7 @@ static int devperms_seq_show(struct seq_file *m, void *v)
 	if (ve_is_super(ve))
 		seq_printf(m, "%10u b 016 *:*\n%10u c 006 *:*\n", 0, 0);
 	else
-		devcgroup_seq_show_ve(ve->css.cgroup, ve->veid, m);
+		devcgroup_seq_show_ve(devices_root, ve, m);
 
 	return 0;
 }
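Review bot: The return value of `devcgroup_seq_show_ve()` is discarded at this call, although with this commit the function can fail (it returns `PTR_ERR(cgroup)` when the open fails). `devperms_seq_show` then returns 0 with no lines written for that ve, so a failed lookup looks the same as a container with no device exceptions, which is misleading when this output is used to audit device access. Consider propagating the error, e.g. `err = devcgroup_seq_show_ve(devices_root, ve, m);` followed by `if (err) return err;`, or at least logging it. The start of `devperms_seq_show` is outside the hunk.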
diff --git a/security/device_cgroup.c b/security/device_cgroup.c
index 31024f7..33a9883 100644
--- a/security/device_cgroup.c
+++ b/security/device_cgroup.c
@@ -17,6 +17,7 @@
 #include <linux/major.h>
 #include <linux/module.h>
 #include <linux/capability.h>
+#include <linux/ve.h>
 
 #define ACC_MKNOD 1
 #define ACC_READ  2
@@ -1091,10 +1092,16 @@ int devcgroup_set_perms_ve(struct cgroup *cgroup,
 }
 EXPORT_SYMBOL(devcgroup_set_perms_ve);
 
-int devcgroup_seq_show_ve(struct cgroup *cgroup, unsigned veid, struct seq_file *m)
+int devcgroup_seq_show_ve(struct cgroup *devices_root, struct ve_struct *ve, struct seq_file *m)
 {
-	struct dev_cgroup *devcgroup = cgroup_to_devcgroup(cgroup);
 	struct dev_exception_item *wh;
+	struct dev_cgroup *devcgroup;
+	struct cgroup *cgroup;
+
+	cgroup = cgroup_kernel_open(devices_root, 0, ve_name(ve));
+	if (IS_ERR(cgroup))
+		return PTR_ERR(cgroup);
+	devcgroup = cgroup_to_devcgroup(cgroup);
 
 	rcu_read_lock();
 	list_for_each_entry_rcu(wh, &devcgroup->exceptions, list) {
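Review bot: The result of `cgroup_kernel_open()` is checked only with `IS_ERR(cgroup)` before `cgroup_to_devcgroup(cgroup)` is used in the loop. That helper is not defined in this patch; if it can return NULL when called with flags 0 and no cgroup named `ve_name(ve)` exists under `devices_root` (plausible now that the cgroups are created from user space), the loop walks a list derived from a NULL pointer. Confirm the contract, and if NULL is possible add `if (!cgroup) return -ENOENT;` after the `IS_ERR` check. A short comment on the open such as `/* paired with cgroup_kernel_close() at the end of the function */` would also help. The loop body continues past the end of this hunk.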
@@ -1112,12 +1119,13 @@ int devcgroup_seq_show_ve(struct cgroup *cgroup, unsigned veid, struct seq_file
 			perm |= S_IXOTH;
 
 		seq_printf(m, "%10u %c %03o %s:%s\n",
-				veid,
+				ve->veid,
 				type_to_char(wh->type),
 				perm, maj, min);
 	}
 	rcu_read_unlock();
 
+	cgroup_kernel_close(cgroup);
 	return 0;
 }
 EXPORT_SYMBOL(devcgroup_seq_show_ve);


