[Devel] [vz7 PATCH 1/2] devcg: Move match_exception_partial before match_exception PSBM-144033
Nikolay Borisov
nikolay.borisov at virtuozzo.com
Fri Dec 16 17:38:42 MSK 2022
This is required as the latter would call the former in upcoming
patches.
Signed-off-by: Nikolay Borisov <nikolay.borisov at virtuozzo.com>
---
security/device_cgroup.c | 87 +++++++++++++++++++++-------------------
1 file changed, 46 insertions(+), 41 deletions(-)
diff --git a/security/device_cgroup.c b/security/device_cgroup.c
index f9d205f95c25..f7948334e318 100644
--- a/security/device_cgroup.c
+++ b/security/device_cgroup.c
@@ -387,42 +387,45 @@ static int devcgroup_seq_read(struct cgroup *cgroup, struct cftype *cft,
}
/**
- * match_exception - iterates the exception list trying to match a rule
- * based on type, major, minor and access type. It is
- * considered a match if an exception is found that
- * will contain the entire range of provided parameters.
+ * match_exception_partial - iterates the exception list trying to match a rule
+ * based on type, major, minor and access type. It is
+ * considered a match if an exception's range is
+ * found to contain *any* of the devices specified by
+ * provided parameters. This is used to make sure no
+ * extra access is being granted that is forbidden by
+ * any of the exception list.
* @exceptions: list of exceptions
* @type: device type (DEV_BLOCK or DEV_CHAR)
* @major: device file major number, ~0 to match all
* @minor: device file minor number, ~0 to match all
* @access: permission mask (ACC_READ, ACC_WRITE, ACC_MKNOD)
*
- * returns: true in case it matches an exception completely
+ * returns: true in case the provided range mat matches an exception completely
*/
-static bool match_exception(struct list_head *exceptions, short type,
- u32 major, u32 minor, short access)
+static bool match_exception_partial(struct list_head *exceptions, short type,
+ u32 major, u32 minor, short access)
{
struct dev_exception_item *ex;
list_for_each_entry_rcu(ex, exceptions, list) {
- short mismatched_bits;
- bool allowed_mount;
-
if ((type & DEV_BLOCK) && !(ex->type & DEV_BLOCK))
continue;
if ((type & DEV_CHAR) && !(ex->type & DEV_CHAR))
continue;
- if (ex->major != ~0 && ex->major != major)
+ /*
+ * We must be sure that both the exception and the provided
+ * range aren't masking all devices
+ */
+ if (ex->major != ~0 && major != ~0 && ex->major != major)
continue;
- if (ex->minor != ~0 && ex->minor != minor)
+ if (ex->minor != ~0 && minor != ~0 && ex->minor != minor)
continue;
- /* provided access cannot have more than the exception rule */
- mismatched_bits = access & (~ex->access) & ~ACC_MOUNT;
- allowed_mount = !(mismatched_bits & ~ACC_WRITE) &&
- (ex->access & ACC_MOUNT) &&
- (access & ACC_MOUNT);
-
- if (mismatched_bits && !allowed_mount)
+ /*
+ * In order to make sure the provided range isn't matching
+ * an exception, all its access bits shouldn't match the
+ * exception's access bits
+ */
+ if (!(access & ex->access))
continue;
return true;
}
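Review bot: The kernel-doc header moved with match_exception_partial keeps a typo and a misleading return description on the new side: the line `* returns: true in case the provided range mat matches an exception completely` says "completely", yet the body accepts any overlap (`~0` on either side of the major/minor comparisons is treated as a wildcard, and the access test is `if (!(access & ex->access)) continue;`). Since the patch is already emitting this comment block as new lines, it is the right moment to fix it, e.g. `* returns: true in case any device in the provided range matches an exception`. The function's trailing `return false;` and closing brace lie outside this hunk.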
@@ -430,48 +433,50 @@ static bool match_exception(struct list_head *exceptions, short type,
}
/**
- * match_exception_partial - iterates the exception list trying to match a rule
- * based on type, major, minor and access type. It is
- * considered a match if an exception's range is
- * found to contain *any* of the devices specified by
- * provided parameters. This is used to make sure no
- * extra access is being granted that is forbidden by
- * any of the exception list.
+ * match_exception - iterates the exception list trying to match a rule
+ * based on type, major, minor and access type. It is
+ * considered a match if an exception is found that
+ * will contain the entire range of provided parameters.
* @exceptions: list of exceptions
* @type: device type (DEV_BLOCK or DEV_CHAR)
* @major: device file major number, ~0 to match all
* @minor: device file minor number, ~0 to match all
* @access: permission mask (ACC_READ, ACC_WRITE, ACC_MKNOD)
*
- * returns: true in case the provided range mat matches an exception completely
+ * returns: true in case it matches an exception completely
*/
-static bool match_exception_partial(struct list_head *exceptions, short type,
- u32 major, u32 minor, short access)
+static bool match_exception(struct dev_cgroup *dev_cgroup, short type,
+ u32 major, u32 minor, short access)
{
struct dev_exception_item *ex;
+ struct cgroup *cgrp = dev_cgroup->css.cgroup;
+ struct list_head *exceptions = &dev_cgroup->exceptions;
list_for_each_entry_rcu(ex, exceptions, list) {
+ short mismatched_bits;
+ bool allowed_mount;
+
if ((type & DEV_BLOCK) && !(ex->type & DEV_BLOCK))
continue;
if ((type & DEV_CHAR) && !(ex->type & DEV_CHAR))
continue;
- /*
- * We must be sure that both the exception and the provided
- * range aren't masking all devices
- */
- if (ex->major != ~0 && major != ~0 && ex->major != major)
+ if (ex->major != ~0 && ex->major != major)
continue;
- if (ex->minor != ~0 && minor != ~0 && ex->minor != minor)
+ if (ex->minor != ~0 && ex->minor != minor)
continue;
- /*
- * In order to make sure the provided range isn't matching
- * an exception, all its access bits shouldn't match the
- * exception's access bits
- */
- if (!(access & ex->access))
+
+ /* provided access cannot have more than the exception rule */
+ mismatched_bits = access & (~ex->access) & ~ACC_MOUNT;
+ allowed_mount = !(mismatched_bits & ~ACC_WRITE) &&
+ (ex->access & ACC_MOUNT) &&
+ (access & ACC_MOUNT);
+
+ if (mismatched_bits && !allowed_mount)
continue;
+
return true;
}
+
return false;
}
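Review bot: The new match_exception signature takes `struct dev_cgroup *dev_cgroup`, but the kernel-doc header directly above it still documents `@exceptions: list of exceptions`, so the comment no longer matches the parameter list and kernel-doc will flag the missing description; replace that line with `* @dev_cgroup: device cgroup whose exception list is walked`. The local `struct cgroup *cgrp = dev_cgroup->css.cgroup;` is assigned and never read anywhere in this hunk, which yields an unused-variable warning until the follow-up that uses it lands; it is cleaner to introduce it in that patch. The diffstat shows this file as the only one touched and no caller of match_exception is updated here, so if the existing callers still pass `&dev_cgroup->exceptions` this commit does not build on its own and breaks bisection — worth confirming against the callers.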
--
2.34.1