[Devel] [vz7 PATCH 1/2] devcg: Move match_exception_partial before match_exception PSBM-144033

Konstantin Khorenko khorenko at virtuozzo.com
Wed Jan 18 20:18:02 MSK 2023


Pasha,

can you please review those 2 patches?

Thank you!

--
Best regards,

Konstantin Khorenko,
Virtuozzo Linux Kernel Team

On 16.12.2022 15:38, Nikolay Borisov wrote:
> This is required as the latter would call the former in upcoming
> patches.
> 
> Signed-off-by: Nikolay Borisov <nikolay.borisov at virtuozzo.com>
> ---
>   security/device_cgroup.c | 87 +++++++++++++++++++++-------------------
>   1 file changed, 46 insertions(+), 41 deletions(-)
> 
> diff --git a/security/device_cgroup.c b/security/device_cgroup.c
> index f9d205f95c25..f7948334e318 100644
> --- a/security/device_cgroup.c
> +++ b/security/device_cgroup.c
> @@ -387,42 +387,45 @@ static int devcgroup_seq_read(struct cgroup *cgroup, struct cftype *cft,
>   }
> 
>   /**
> - * match_exception	- iterates the exception list trying to match a rule
> - * 			  based on type, major, minor and access type. It is
> - * 			  considered a match if an exception is found that
> - * 			  will contain the entire range of provided parameters.
> + * match_exception_partial - iterates the exception list trying to match a rule
> + * 			     based on type, major, minor and access type. It is
> + * 			     considered a match if an exception's range is
> + * 			     found to contain *any* of the devices specified by
> + * 			     provided parameters. This is used to make sure no
> + * 			     extra access is being granted that is forbidden by
> + * 			     any of the exception list.
>    * @exceptions: list of exceptions
>    * @type: device type (DEV_BLOCK or DEV_CHAR)
>    * @major: device file major number, ~0 to match all
>    * @minor: device file minor number, ~0 to match all
>    * @access: permission mask (ACC_READ, ACC_WRITE, ACC_MKNOD)
>    *
> - * returns: true in case it matches an exception completely
> + * returns: true in case the provided range mat matches an exception completely
>    */
> -static bool match_exception(struct list_head *exceptions, short type,
> -			    u32 major, u32 minor, short access)
> +static bool match_exception_partial(struct list_head *exceptions, short type,
> +				    u32 major, u32 minor, short access)
>   {
>   	struct dev_exception_item *ex;
> 
>   	list_for_each_entry_rcu(ex, exceptions, list) {
> -		short mismatched_bits;
> -		bool allowed_mount;
> -
>   		if ((type & DEV_BLOCK) && !(ex->type & DEV_BLOCK))
>   			continue;
>   		if ((type & DEV_CHAR) && !(ex->type & DEV_CHAR))
>   			continue;
> -		if (ex->major != ~0 && ex->major != major)
> +		/*
> +		 * We must be sure that both the exception and the provided
> +		 * range aren't masking all devices
> +		 */
> +		if (ex->major != ~0 && major != ~0 && ex->major != major)
>   			continue;
> -		if (ex->minor != ~0 && ex->minor != minor)
> +		if (ex->minor != ~0 && minor != ~0 && ex->minor != minor)
>   			continue;
> -		/* provided access cannot have more than the exception rule */
> -		mismatched_bits = access & (~ex->access) & ~ACC_MOUNT;
> -		allowed_mount = !(mismatched_bits & ~ACC_WRITE) &&
> -				(ex->access & ACC_MOUNT) &&
> -				(access & ACC_MOUNT);
> -
> -		if (mismatched_bits && !allowed_mount)
> +		/*
> +		 * In order to make sure the provided range isn't matching
> +		 * an exception, all its access bits shouldn't match the
> +		 * exception's access bits
> +		 */
> +		if (!(access & ex->access))
>   			continue;
>   		return true;
>   	}
> @@ -430,48 +433,50 @@ static bool match_exception(struct list_head *exceptions, short type,
>   }
> 
>   /**
> - * match_exception_partial - iterates the exception list trying to match a rule
> - * 			     based on type, major, minor and access type. It is
> - * 			     considered a match if an exception's range is
> - * 			     found to contain *any* of the devices specified by
> - * 			     provided parameters. This is used to make sure no
> - * 			     extra access is being granted that is forbidden by
> - * 			     any of the exception list.
> + * match_exception	- iterates the exception list trying to match a rule
> + *			  based on type, major, minor and access type. It is
> + *			  considered a match if an exception is found that
> + *			  will contain the entire range of provided parameters.
>    * @exceptions: list of exceptions
>    * @type: device type (DEV_BLOCK or DEV_CHAR)
>    * @major: device file major number, ~0 to match all
>    * @minor: device file minor number, ~0 to match all
>    * @access: permission mask (ACC_READ, ACC_WRITE, ACC_MKNOD)
>    *
> - * returns: true in case the provided range mat matches an exception completely
> + * returns: true in case it matches an exception completely
>    */
> -static bool match_exception_partial(struct list_head *exceptions, short type,
> -				    u32 major, u32 minor, short access)
> +static bool match_exception(struct dev_cgroup *dev_cgroup, short type,
> +			    u32 major, u32 minor, short access)
>   {
>   	struct dev_exception_item *ex;
> +	struct cgroup *cgrp = dev_cgroup->css.cgroup;
> +	struct list_head *exceptions = &dev_cgroup->exceptions;
> 
>   	list_for_each_entry_rcu(ex, exceptions, list) {
> +		short mismatched_bits;
> +		bool allowed_mount;
> +
>   		if ((type & DEV_BLOCK) && !(ex->type & DEV_BLOCK))
>   			continue;
>   		if ((type & DEV_CHAR) && !(ex->type & DEV_CHAR))
>   			continue;
> -		/*
> -		 * We must be sure that both the exception and the provided
> -		 * range aren't masking all devices
> -		 */
> -		if (ex->major != ~0 && major != ~0 && ex->major != major)
> +		if (ex->major != ~0 && ex->major != major)
>   			continue;
> -		if (ex->minor != ~0 && minor != ~0 && ex->minor != minor)
> +		if (ex->minor != ~0 && ex->minor != minor)
>   			continue;
> -		/*
> -		 * In order to make sure the provided range isn't matching
> -		 * an exception, all its access bits shouldn't match the
> -		 * exception's access bits
> -		 */
> -		if (!(access & ex->access))
> +
> +		/* provided access cannot have more than the exception rule */
> +		mismatched_bits = access & (~ex->access) & ~ACC_MOUNT;
> +		allowed_mount = !(mismatched_bits & ~ACC_WRITE) &&
> +				(ex->access & ACC_MOUNT) &&
> +				(access & ACC_MOUNT);
> +
> +		if (mismatched_bits && !allowed_mount)
>   			continue;
> +
>   		return true;
>   	}
> +
>   	return false;
>   }
> 
> --
> 2.34.1
> 
> _______________________________________________
> Devel mailing list
> Devel at openvz.org
> https://lists.openvz.org/mailman/listinfo/devel


More information about the Devel mailing list