[Devel] [vz7 PATCH 1/2] devcg: Move match_exception_partial before match_exception PSBM-144033
Konstantin Khorenko
khorenko at virtuozzo.com
Wed Jan 18 19:59:03 MSK 2023
Sasha,
can you please review those 2 patches?
--
Best regards,
Konstantin Khorenko,
Virtuozzo Linux Kernel Team
On 16.12.2022 15:38, Nikolay Borisov wrote:
> This is required as the latter would call the former in upcoming
> patches.
>
> Signed-off-by: Nikolay Borisov <nikolay.borisov at virtuozzo.com>
> ---
> security/device_cgroup.c | 87 +++++++++++++++++++++-------------------
> 1 file changed, 46 insertions(+), 41 deletions(-)
>
> diff --git a/security/device_cgroup.c b/security/device_cgroup.c
> index f9d205f95c25..f7948334e318 100644
> --- a/security/device_cgroup.c
> +++ b/security/device_cgroup.c
> @@ -387,42 +387,45 @@ static int devcgroup_seq_read(struct cgroup *cgroup, struct cftype *cft,
> }
>
> /**
> - * match_exception - iterates the exception list trying to match a rule
> - * based on type, major, minor and access type. It is
> - * considered a match if an exception is found that
> - * will contain the entire range of provided parameters.
> + * match_exception_partial - iterates the exception list trying to match a rule
> + * based on type, major, minor and access type. It is
> + * considered a match if an exception's range is
> + * found to contain *any* of the devices specified by
> + * provided parameters. This is used to make sure no
> + * extra access is being granted that is forbidden by
> + * any of the exception list.
> * @exceptions: list of exceptions
> * @type: device type (DEV_BLOCK or DEV_CHAR)
> * @major: device file major number, ~0 to match all
> * @minor: device file minor number, ~0 to match all
> * @access: permission mask (ACC_READ, ACC_WRITE, ACC_MKNOD)
> *
> - * returns: true in case it matches an exception completely
> + * returns: true in case the provided range mat matches an exception completely
> */
> -static bool match_exception(struct list_head *exceptions, short type,
> - u32 major, u32 minor, short access)
> +static bool match_exception_partial(struct list_head *exceptions, short type,
> + u32 major, u32 minor, short access)
> {
> struct dev_exception_item *ex;
>
> list_for_each_entry_rcu(ex, exceptions, list) {
> - short mismatched_bits;
> - bool allowed_mount;
> -
> if ((type & DEV_BLOCK) && !(ex->type & DEV_BLOCK))
> continue;
> if ((type & DEV_CHAR) && !(ex->type & DEV_CHAR))
> continue;
> - if (ex->major != ~0 && ex->major != major)
> + /*
> + * We must be sure that both the exception and the provided
> + * range aren't masking all devices
> + */
> + if (ex->major != ~0 && major != ~0 && ex->major != major)
> continue;
> - if (ex->minor != ~0 && ex->minor != minor)
> + if (ex->minor != ~0 && minor != ~0 && ex->minor != minor)
> continue;
> - /* provided access cannot have more than the exception rule */
> - mismatched_bits = access & (~ex->access) & ~ACC_MOUNT;
> - allowed_mount = !(mismatched_bits & ~ACC_WRITE) &&
> - (ex->access & ACC_MOUNT) &&
> - (access & ACC_MOUNT);
> -
> - if (mismatched_bits && !allowed_mount)
> + /*
> + * In order to make sure the provided range isn't matching
> + * an exception, all its access bits shouldn't match the
> + * exception's access bits
> + */
> + if (!(access & ex->access))
> continue;
> return true;
> }
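Review bot: The kernel-doc moved with match_exception_partial still says `* returns: true in case the provided range mat matches an exception completely`, which has a stray `mat` and, more importantly, describes a complete match, while the function returns true as soon as the provided range overlaps any exception (the relaxed `major != ~0` / `minor != ~0` tests and the `access & ex->access` test). Since this patch already rewrites that line, it could read `* returns: true in case any device in the provided range matches an exception`. The body of match_exception_partial continues past this hunk (its `return false;` is in the next one).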
> @@ -430,48 +433,50 @@ static bool match_exception(struct list_head *exceptions, short type,
> }
>
> /**
> - * match_exception_partial - iterates the exception list trying to match a rule
> - * based on type, major, minor and access type. It is
> - * considered a match if an exception's range is
> - * found to contain *any* of the devices specified by
> - * provided parameters. This is used to make sure no
> - * extra access is being granted that is forbidden by
> - * any of the exception list.
> + * match_exception - iterates the exception list trying to match a rule
> + * based on type, major, minor and access type. It is
> + * considered a match if an exception is found that
> + * will contain the entire range of provided parameters.
> * @exceptions: list of exceptions
> * @type: device type (DEV_BLOCK or DEV_CHAR)
> * @major: device file major number, ~0 to match all
> * @minor: device file minor number, ~0 to match all
> * @access: permission mask (ACC_READ, ACC_WRITE, ACC_MKNOD)
> *
> - * returns: true in case the provided range mat matches an exception completely
> + * returns: true in case it matches an exception completely
> */
> -static bool match_exception_partial(struct list_head *exceptions, short type,
> - u32 major, u32 minor, short access)
> +static bool match_exception(struct dev_cgroup *dev_cgroup, short type,
> + u32 major, u32 minor, short access)
> {
> struct dev_exception_item *ex;
> + struct cgroup *cgrp = dev_cgroup->css.cgroup;
> + struct list_head *exceptions = &dev_cgroup->exceptions;
>
> list_for_each_entry_rcu(ex, exceptions, list) {
> + short mismatched_bits;
> + bool allowed_mount;
> +
> if ((type & DEV_BLOCK) && !(ex->type & DEV_BLOCK))
> continue;
> if ((type & DEV_CHAR) && !(ex->type & DEV_CHAR))
> continue;
> - /*
> - * We must be sure that both the exception and the provided
> - * range aren't masking all devices
> - */
> - if (ex->major != ~0 && major != ~0 && ex->major != major)
> + if (ex->major != ~0 && ex->major != major)
> continue;
> - if (ex->minor != ~0 && minor != ~0 && ex->minor != minor)
> + if (ex->minor != ~0 && ex->minor != minor)
> continue;
> - /*
> - * In order to make sure the provided range isn't matching
> - * an exception, all its access bits shouldn't match the
> - * exception's access bits
> - */
> - if (!(access & ex->access))
> +
> + /* provided access cannot have more than the exception rule */
> + mismatched_bits = access & (~ex->access) & ~ACC_MOUNT;
> + allowed_mount = !(mismatched_bits & ~ACC_WRITE) &&
> + (ex->access & ACC_MOUNT) &&
> + (access & ACC_MOUNT);
> +
> + if (mismatched_bits && !allowed_mount)
> continue;
> +
> return true;
> }
> +
> return false;
> }
>
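Review bot: The first parameter of match_exception changes from `struct list_head *exceptions` to `struct dev_cgroup *dev_cgroup`, yet the diffstat (46 insertions, 41 deletions, fully accounted for by these two hunks) shows no caller being updated and the kernel-doc still lists `@exceptions: list of exceptions`. Unless a caller adjustment exists outside what is quoted here, this patch on its own does not build, which breaks bisection; the caller update belongs in this patch rather than the next. `struct cgroup *cgrp = dev_cgroup->css.cgroup;` is also assigned but never read in this hunk, so -Wunused-variable will fire until the follow-up patch uses it; introducing it in the patch that needs it would keep each step warning-free. The commit message only mentions a move, so the signature change deserves a sentence there as well. For the kernel-doc, replace the `@exceptions` line with `* @dev_cgroup: device cgroup whose exception list is walked`.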
> --
> 2.34.1
>