[Devel] [PATCH RHEL7 COMMIT] ve/device_cgroup: kill ACC_QUOTA permission
Konstantin Khorenko
khorenko at virtuozzo.com
Fri Jun 17 02:26:15 PDT 2016
The commit is pushed to "branch-rh7-3.10.0-327.18.2.vz7.14.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-327.18.2.vz7.14.15
------>
commit 32eb6c887fd633b840453f9011a62d8253ef689c
Author: Andrey Ryabinin <aryabinin at virtuozzo.com>
Date: Fri Jun 17 13:26:15 2016 +0400
ve/device_cgroup: kill ACC_QUOTA permission
This is a leftover from PCS6. Currently this code does absolutely
nothing, so let's remove it.
https://jira.sw.ru/browse/PSBM-48482
Signed-off-by: Andrey Ryabinin <aryabinin at virtuozzo.com>
khorenko@: keep MAY_QUOTACTL and ACC_QUOTA defines with
comment about deprecation.
---
include/linux/fs.h | 2 +-
security/device_cgroup.c | 14 +++-----------
2 files changed, 4 insertions(+), 12 deletions(-)
diff --git a/include/linux/fs.h b/include/linux/fs.h
index b035f62..7203dba 100644
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -77,7 +77,7 @@ typedef void (dio_iodone_t)(struct kiocb *iocb, loff_t offset,
/* called from RCU mode, don't block */
#define MAY_NOT_BLOCK 0x00000080
/* for devgroup-vs-openvz only */
-#define MAY_QUOTACTL 0x00010000
+#define MAY_QUOTACTL 0x00010000 /* deprecated */
#define MAY_MOUNT 0x00020000
/*
diff --git a/security/device_cgroup.c b/security/device_cgroup.c
index fc14cdc..8e77d78 100644
--- a/security/device_cgroup.c
+++ b/security/device_cgroup.c
@@ -22,10 +22,10 @@
#define ACC_MKNOD 1
#define ACC_READ 2
#define ACC_WRITE 4
-#define ACC_QUOTA 8
+#define ACC_QUOTA 8 /* deprecated */
#define ACC_HIDDEN 16
#define ACC_MOUNT 64
-#define ACC_MASK (ACC_MKNOD | ACC_READ | ACC_WRITE | ACC_QUOTA | ACC_MOUNT)
+#define ACC_MASK (ACC_MKNOD | ACC_READ | ACC_WRITE | ACC_MOUNT)
#define DEV_BLOCK 1
#define DEV_CHAR 2
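Review bot: The `/* deprecated */` comment on ACC_QUOTA does not say what state the bit is left in: it stays defined as 8 but is dropped from ACC_MASK, so it now sits next to ACC_HIDDEN as a value outside the mask. I would spell that out, e.g. `#define ACC_QUOTA 8 /* deprecated: excluded from ACC_MASK; value reserved, do not reuse */`, so that 8 is not later assigned to a new permission that old userspace could still set. How ACC_MASK is applied to incoming access values is outside this hunk, so whether a stray bit 8 is stripped or rejected should be confirmed there.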
@@ -941,8 +941,6 @@ int __devcgroup_inode_permission(struct inode *inode, int mask)
access |= ACC_WRITE;
if (mask & MAY_READ)
access |= ACC_READ;
- if (mask & MAY_QUOTACTL)
- access |= ACC_QUOTA;
if (mask & MAY_MOUNT)
access |= ACC_MOUNT;
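Review bot: With the MAY_QUOTACTL translation removed from __devcgroup_inode_permission here and from devcgroup_device_permission in the next hunk, a caller that passes only MAY_QUOTACTL now reaches __devcgroup_check_permission with `access == 0`. What an empty access mask yields is decided outside these hunks; if it matches any exception entry, the check would pass without any right having been tested. Since the define is kept, it is worth confirming that no caller still passes MAY_QUOTACTL, or adding an explicit guard such as `if (!access) return -EPERM;` (or `return 0;`, whichever is intended) with a comment stating the choice. Both function bodies start outside the hunks shown.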
@@ -962,8 +960,6 @@ int devcgroup_device_permission(umode_t mode, dev_t dev, int mask)
access |= ACC_WRITE;
if (mask & MAY_READ)
access |= ACC_READ;
- if (mask & MAY_QUOTACTL)
- access |= ACC_QUOTA;
return __devcgroup_check_permission(type, MAJOR(dev), MINOR(dev), access);
}
@@ -972,7 +968,7 @@ int devcgroup_device_visible(umode_t mode, int major, int start_minor, int nr_mi
{
struct dev_cgroup *dev_cgroup;
struct dev_exception_item *ex;
- short access = ACC_READ | ACC_WRITE | ACC_QUOTA;
+ short access = ACC_READ | ACC_WRITE;
bool match = false;
rcu_read_lock();
@@ -1076,8 +1072,6 @@ static unsigned decode_ve_perms(unsigned perm)
mask |= ACC_READ;
if (perm & S_IWOTH)
mask |= ACC_WRITE;
- if (perm & S_IXGRP)
- mask |= ACC_QUOTA;
if (perm & S_IXUSR)
mask |= ACC_MOUNT;
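Review bot: decode_ve_perms now silently ignores S_IXGRP, and encode_ve_perms in the next hunk no longer emits it, so a permission word written with that bit reads back without it and the caller gets no indication. If that is the intended compatibility behaviour, a comment at the drop point would record it, e.g. `/* S_IXGRP (old ACC_QUOTA) is accepted and ignored */`; if it is not, the bit should be rejected where the input is validated, which is outside this hunk. Both functions begin and end outside the hunks shown.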
@@ -1092,8 +1086,6 @@ static unsigned encode_ve_perms(unsigned mask)
perm |= S_IROTH;
if (mask & ACC_WRITE)
perm |= S_IWOTH;
- if (mask & ACC_QUOTA)
- perm |= S_IXGRP;
if (mask & ACC_MOUNT)
perm |= S_IXUSR;