[PATCH 4/5] device_cgroup: make may_access() stronger

From: Aristeu Rozanski
Date: Tue Nov 27 2012 - 15:12:14 EST

Next message: Henrik Rydberg: "Re: [PATCH 02/11] HID: hid-input: simplify hid_input allocation andregistration"
Previous message: Mark Langsdorf: "[PATCH 4/6 v6] arm highbank: add support for pl320 IPC"
In reply to: Serge E. Hallyn: "Re: [PATCH 2/5] device_cgroup: prepare exception list handlingfunctions for two lists"
Next in thread: Aristeu Rozanski: "[PATCH 3/5] device_cgroup: keep track of local group settings"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

In order to revalidate local exceptions for the hierarchy change propagation,
make may_access() stronger.

Cc: Tejun Heo <tj@xxxxxxxxxx>
Cc: Serge Hallyn <serge.hallyn@xxxxxxxxxxxxx>
Signed-off-by: Aristeu Rozanski <aris@xxxxxxxxxx>

---
security/device_cgroup.c | 36 ++++++++++++++++++++++++------------
1 file changed, 24 insertions(+), 12 deletions(-)

Index: github/security/device_cgroup.c
===================================================================
--- github.orig/security/device_cgroup.c 2012-11-26 17:28:04.399150628 -0500
+++ github/security/device_cgroup.c 2012-11-27 11:57:55.932996663 -0500
@@ -352,13 +352,14 @@
* won't have more privileges than its parent or to
* verify if a certain access is allowed.
* @dev_cgroup: dev cgroup to be tested against
+ * @behavior: behavior of the exception
* @refex: new exception
*/
static int may_access(struct dev_cgroup *dev_cgroup,
struct dev_exception_item *refex)
{
struct dev_exception_item *ex;
- bool match = false;
+ int match = 0;

rcu_lockdep_assert(rcu_read_lock_held() ||
lockdep_is_held(&devcgroup_mutex),
@@ -375,22 +376,33 @@
continue;
if (refex->access & (~ex->access))
continue;
- match = true;
+ match = 1;
break;
}

/*
- * In two cases we'll consider this new exception valid:
- * - the dev cgroup has its default policy to allow + exception list:
- * the new exception should *not* match any of the exceptions
- * (behavior == DEVCG_DEFAULT_ALLOW, !match)
- * - the dev cgroup has its default policy to deny + exception list:
- * the new exception *should* match the exceptions
- * (behavior == DEVCG_DEFAULT_DENY, match)
+ * The only three possibilities are:
+ * devcg->behavior == ALLOW, rule behavior == ALLOW
+ * devcg->behavior == ALLOW, rule behavior == DENY
+ * devcg->behavior == DENY, rule behavior == DENY
+ * the remaining
+ * devcg->behavior == DENY, rule behavior == ALLOW
+ * won't be possible by hierarchy
+ *
+ * Since we want to simplify the code, here're the possibilites to
+ * make easier to understand:
+ *
+ * devcg behavior rule behavior match result
+ * allow allow 1 0
+ * allow allow 0 1
+ * allow deny 1 0
+ * allow deny 0 1
+ * deny deny 1 1
+ * deny deny 0 0
*/
- if ((dev_cgroup->behavior == DEVCG_DEFAULT_DENY) == match)
- return 1;
- return 0;
+ if (dev_cgroup->behavior == DEVCG_DEFAULT_ALLOW)
+ return !match;
+ return match;
}

/*

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Henrik Rydberg: "Re: [PATCH 02/11] HID: hid-input: simplify hid_input allocation andregistration"
Previous message: Mark Langsdorf: "[PATCH 4/6 v6] arm highbank: add support for pl320 IPC"
In reply to: Serge E. Hallyn: "Re: [PATCH 2/5] device_cgroup: prepare exception list handlingfunctions for two lists"
Next in thread: Aristeu Rozanski: "[PATCH 3/5] device_cgroup: keep track of local group settings"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]