Message ID | 20221025113101.41132-1-wangweiyang2@huawei.com |
---|---|
State | New |
Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org> Delivered-To: ouuuleilei@gmail.com Received: by 2002:a5d:6687:0:0:0:0:0 with SMTP id l7csp938306wru; Tue, 25 Oct 2022 04:05:43 -0700 (PDT) X-Google-Smtp-Source: AMsMyM6eL3l/eJ1L8aajYoaPipllRuotNCkK3/OC+qalsCoEuK/c82sYjSj8lYDwFsDXicheYFE1 X-Received: by 2002:a17:907:2c72:b0:7a4:a4b4:9fcb with SMTP id ib18-20020a1709072c7200b007a4a4b49fcbmr11379623ejc.403.1666695943697; Tue, 25 Oct 2022 04:05:43 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1666695943; cv=none; d=google.com; s=arc-20160816; b=YW4rMqoPHDgkDeoBMGqY32z98W7KcmtlOrxztmvwFhUphb1022Wcz92o63fACQG1B/ Ay7DNbFRXZ5o5MibVQCLN3TFcrHYA7BykEVTWnRYUONCrVCPm9GLqImIn0pXfs91eXyr oaJusLsJhWFNDhfIqXtNpc9YcMJSvjuytOGuBr8gk7q76VHrkKdfXg8YCbgA4LzqUvNd EfQxzQBtIsrrlJC9WBYUpaiaOGdDAI46fd3lTOXoDaRephV98x9MHthr9SXp+utAGfH1 0bEa1RGU2oV1Bdpv4vMpa/8+FhdqsDBhLlaBaSOJ98q/JZgsQ7k9UJnE/a/517UGy55t LNQg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:mime-version:message-id:date:subject:cc:to:from; bh=frCaxaac5j5si0HeN1SjHkj14EUiI0DuIwDRo8Q5nvY=; b=bLBgHH0euziRx42F/d5l1QvxAYSbAj82lM4qQTfSO3wFVt7yLwgNiyorG+GX2bOTeK txeDp/wvq8V7GPTgQeIVuDVNFnbSFKPQcWZOMJzoDQI83hqtFbFCzf1qcrCqCUGSf3er YKiPovV4jWBK7/2cnPv7BL1PN9pWrEfCehBtyr7poC31if+yxzmjQ10xtJYPbZGkePmq CHnCWLaO3tbxKYbeWvN0ZLXy34GeuMWtmlw19t1n9Gu9QUZ/F2iQ1be8tEMLEGlpJBW/ 97rGwVryC4x+cAISv/0ANChtNlxawwJLW+nNoPT9ReVPTYfv167olXtzRbSfPJklmX6J vkcA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id u19-20020a1709067d1300b00711da52c6e4si2217620ejo.309.2022.10.25.04.05.07; Tue, 25 Oct 2022 04:05:43 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232221AbiJYLCa (ORCPT <rfc822;lucius.rs.storz@gmail.com> + 99 others); Tue, 25 Oct 2022 07:02:30 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38126 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230245AbiJYLC2 (ORCPT <rfc822;linux-kernel@vger.kernel.org>); Tue, 25 Oct 2022 07:02:28 -0400 Received: from szxga03-in.huawei.com (szxga03-in.huawei.com [45.249.212.189]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 957F3DFB4B; Tue, 25 Oct 2022 04:02:25 -0700 (PDT) Received: from dggpemm500023.china.huawei.com (unknown [172.30.72.54]) by szxga03-in.huawei.com (SkyGuard) with ESMTP id 4MxTV22n9xzJn7j; Tue, 25 Oct 2022 18:59:38 +0800 (CST) Received: from dggpemm500001.china.huawei.com (7.185.36.107) by dggpemm500023.china.huawei.com (7.185.36.83) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.31; Tue, 25 Oct 2022 19:02:23 +0800 Received: from octopus.huawei.com (10.67.174.191) by dggpemm500001.china.huawei.com (7.185.36.107) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.31; Tue, 25 Oct 2022 19:02:23 +0800 From: Wang Weiyang <wangweiyang2@huawei.com> To: <paul@paul-moore.com>, <jmorris@namei.org>, <serge@hallyn.com>, <serge.hallyn@canonical.com>, <akpm@linux-foundation.org>, <aris@redhat.com> CC: <linux-security-module@vger.kernel.org>, <linux-kernel@vger.kernel.org> Subject: [PATCH] device_cgroup: Roll back to original exceptions after copy failure Date: Tue, 25 Oct 2022 19:31:01 +0800 Message-ID: <20221025113101.41132-1-wangweiyang2@huawei.com> X-Mailer: git-send-email 2.17.1 MIME-Version: 1.0 Content-Type: text/plain X-Originating-IP: [10.67.174.191] X-ClientProxiedBy: dggems701-chm.china.huawei.com (10.3.19.178) To dggpemm500001.china.huawei.com (7.185.36.107) X-CFilter-Loop: Reflected X-Spam-Status: No, score=-4.2 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_MED, SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: <linux-kernel.vger.kernel.org> X-Mailing-List: linux-kernel@vger.kernel.org X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?= X-GMAIL-THRID: =?utf-8?q?1747657366077227166?= X-GMAIL-MSGID: =?utf-8?q?1747657366077227166?= |
Series |
device_cgroup: Roll back to original exceptions after copy failure
|
|
Commit Message
Wang Weiyang
Oct. 25, 2022, 11:31 a.m. UTC
When add the 'a *:* rwm' entry to devcgroup A's whitelist, at first A's
exceptions will be cleaned and A's behavior is changed to
DEVCG_DEFAULT_ALLOW. Then parent's exceptions will be copyed to A's
whitelist. If copy failure occurs, just return leaving A to grant
permissions to all devices. And A may grant more permissions than
parent.
Backup A's whitelist and recover original exceptions after copy
failure.
Fixes: 4cef7299b478 ("device_cgroup: add proper checking when changing default behavior")
Signed-off-by: Wang Weiyang <wangweiyang2@huawei.com>
---
security/device_cgroup.c | 33 +++++++++++++++++++++++++++++----
1 file changed, 29 insertions(+), 4 deletions(-)
Comments
On Tue, Oct 25, 2022 at 7:02 AM Wang Weiyang <wangweiyang2@huawei.com> wrote: > > When add the 'a *:* rwm' entry to devcgroup A's whitelist, at first A's > exceptions will be cleaned and A's behavior is changed to > DEVCG_DEFAULT_ALLOW. Then parent's exceptions will be copyed to A's > whitelist. If copy failure occurs, just return leaving A to grant > permissions to all devices. And A may grant more permissions than > parent. > > Backup A's whitelist and recover original exceptions after copy > failure. > > Fixes: 4cef7299b478 ("device_cgroup: add proper checking when changing default behavior") > Signed-off-by: Wang Weiyang <wangweiyang2@huawei.com> > --- > security/device_cgroup.c | 33 +++++++++++++++++++++++++++++---- > 1 file changed, 29 insertions(+), 4 deletions(-) On quick glance this looks reasonable to me, but I'm working with limited time connected to a network so I can't say I've given this a full and proper review; if a third party could spend some time to give this an additional review before I merge it I would greatly appreciate it. > diff --git a/security/device_cgroup.c b/security/device_cgroup.c > index a9f8c63a96d1..bef2b9285fb3 100644 > --- a/security/device_cgroup.c > +++ b/security/device_cgroup.c > @@ -82,6 +82,17 @@ static int dev_exceptions_copy(struct list_head *dest, struct list_head *orig) > return -ENOMEM; > } > > +static void dev_exceptions_move(struct list_head *dest, struct list_head *orig) > +{ > + struct dev_exception_item *ex, *tmp; > + > + lockdep_assert_held(&devcgroup_mutex); > + > + list_for_each_entry_safe(ex, tmp, orig, list) { > + list_move_tail(&ex->list, dest); > + } > +} > + > /* > * called under devcgroup_mutex > */ > @@ -604,11 +615,13 @@ static int devcgroup_update_access(struct dev_cgroup *devcgroup, > int count, rc = 0; > struct dev_exception_item ex; > struct dev_cgroup *parent = css_to_devcgroup(devcgroup->css.parent); > + struct dev_cgroup tmp_devcgrp; > > if (!capable(CAP_SYS_ADMIN)) > return -EPERM; > > memset(&ex, 0, sizeof(ex)); > + memset(&tmp_devcgrp, 0, sizeof(tmp_devcgrp)); > b = buffer; > > switch (*b) { > @@ -620,15 +633,27 @@ static int devcgroup_update_access(struct dev_cgroup *devcgroup, > > if (!may_allow_all(parent)) > return -EPERM; > - dev_exception_clean(devcgroup); > - devcgroup->behavior = DEVCG_DEFAULT_ALLOW; > - if (!parent) > + if (!parent) { > + devcgroup->behavior = DEVCG_DEFAULT_ALLOW; > + dev_exception_clean(devcgroup); > break; > + } > > + INIT_LIST_HEAD(&tmp_devcgrp.exceptions); > + rc = dev_exceptions_copy(&tmp_devcgrp.exceptions, > + &devcgroup->exceptions); > + if (rc) > + return rc; > + dev_exception_clean(devcgroup); > rc = dev_exceptions_copy(&devcgroup->exceptions, > &parent->exceptions); > - if (rc) > + if (rc) { > + dev_exceptions_move(&devcgroup->exceptions, > + &tmp_devcgrp.exceptions); > return rc; > + } > + devcgroup->behavior = DEVCG_DEFAULT_ALLOW; > + dev_exception_clean(&tmp_devcgrp); > break; > case DEVCG_DENY: > if (css_has_online_children(&devcgroup->css)) > -- > 2.17.1 >
On Tue, Oct 25, 2022 at 07:31:01PM +0800, Wang Weiyang wrote: > When add the 'a *:* rwm' entry to devcgroup A's whitelist, at first A's > exceptions will be cleaned and A's behavior is changed to > DEVCG_DEFAULT_ALLOW. Then parent's exceptions will be copyed to A's > whitelist. If copy failure occurs, just return leaving A to grant > permissions to all devices. And A may grant more permissions than > parent. > > Backup A's whitelist and recover original exceptions after copy > failure. > > Fixes: 4cef7299b478 ("device_cgroup: add proper checking when changing default behavior") > Signed-off-by: Wang Weiyang <wangweiyang2@huawei.com> > --- > security/device_cgroup.c | 33 +++++++++++++++++++++++++++++---- > 1 file changed, 29 insertions(+), 4 deletions(-) > > diff --git a/security/device_cgroup.c b/security/device_cgroup.c > index a9f8c63a96d1..bef2b9285fb3 100644 > --- a/security/device_cgroup.c > +++ b/security/device_cgroup.c > @@ -82,6 +82,17 @@ static int dev_exceptions_copy(struct list_head *dest, struct list_head *orig) > return -ENOMEM; > } > > +static void dev_exceptions_move(struct list_head *dest, struct list_head *orig) > +{ > + struct dev_exception_item *ex, *tmp; > + > + lockdep_assert_held(&devcgroup_mutex); > + > + list_for_each_entry_safe(ex, tmp, orig, list) { > + list_move_tail(&ex->list, dest); > + } > +} > + > /* > * called under devcgroup_mutex > */ > @@ -604,11 +615,13 @@ static int devcgroup_update_access(struct dev_cgroup *devcgroup, > int count, rc = 0; > struct dev_exception_item ex; > struct dev_cgroup *parent = css_to_devcgroup(devcgroup->css.parent); > + struct dev_cgroup tmp_devcgrp; > > if (!capable(CAP_SYS_ADMIN)) > return -EPERM; > > memset(&ex, 0, sizeof(ex)); > + memset(&tmp_devcgrp, 0, sizeof(tmp_devcgrp)); > b = buffer; > > switch (*b) { > @@ -620,15 +633,27 @@ static int devcgroup_update_access(struct dev_cgroup *devcgroup, > > if (!may_allow_all(parent)) > return -EPERM; > - dev_exception_clean(devcgroup); > - devcgroup->behavior = DEVCG_DEFAULT_ALLOW; > - if (!parent) > + if (!parent) { > + devcgroup->behavior = DEVCG_DEFAULT_ALLOW; > + dev_exception_clean(devcgroup); > break; > + } > > + INIT_LIST_HEAD(&tmp_devcgrp.exceptions); > + rc = dev_exceptions_copy(&tmp_devcgrp.exceptions, > + &devcgroup->exceptions); > + if (rc) > + return rc; > + dev_exception_clean(devcgroup); > rc = dev_exceptions_copy(&devcgroup->exceptions, > &parent->exceptions); > - if (rc) > + if (rc) { > + dev_exceptions_move(&devcgroup->exceptions, > + &tmp_devcgrp.exceptions); > return rc; > + } > + devcgroup->behavior = DEVCG_DEFAULT_ALLOW; > + dev_exception_clean(&tmp_devcgrp); > break; > case DEVCG_DENY: > if (css_has_online_children(&devcgroup->css)) Reviewed-by: Aristeu Rozanski <aris@redhat.com>
Hi, Paul Can this patch be applied or something to improve? Thanks on 2022/10/28 19:19, Paul Moore wrote: > On Tue, Oct 25, 2022 at 7:02 AM Wang Weiyang <wangweiyang2@huawei.com> wrote: >> >> When add the 'a *:* rwm' entry to devcgroup A's whitelist, at first A's >> exceptions will be cleaned and A's behavior is changed to >> DEVCG_DEFAULT_ALLOW. Then parent's exceptions will be copyed to A's >> whitelist. If copy failure occurs, just return leaving A to grant >> permissions to all devices. And A may grant more permissions than >> parent. >> >> Backup A's whitelist and recover original exceptions after copy >> failure. >> >> Fixes: 4cef7299b478 ("device_cgroup: add proper checking when changing default behavior") >> Signed-off-by: Wang Weiyang <wangweiyang2@huawei.com> >> --- >> security/device_cgroup.c | 33 +++++++++++++++++++++++++++++---- >> 1 file changed, 29 insertions(+), 4 deletions(-) > > On quick glance this looks reasonable to me, but I'm working with > limited time connected to a network so I can't say I've given this a > full and proper review; if a third party could spend some time to give > this an additional review before I merge it I would greatly appreciate > it. > >> diff --git a/security/device_cgroup.c b/security/device_cgroup.c >> index a9f8c63a96d1..bef2b9285fb3 100644 >> --- a/security/device_cgroup.c >> +++ b/security/device_cgroup.c >> @@ -82,6 +82,17 @@ static int dev_exceptions_copy(struct list_head *dest, struct list_head *orig) >> return -ENOMEM; >> } >> >> +static void dev_exceptions_move(struct list_head *dest, struct list_head *orig) >> +{ >> + struct dev_exception_item *ex, *tmp; >> + >> + lockdep_assert_held(&devcgroup_mutex); >> + >> + list_for_each_entry_safe(ex, tmp, orig, list) { >> + list_move_tail(&ex->list, dest); >> + } >> +} >> + >> /* >> * called under devcgroup_mutex >> */ >> @@ -604,11 +615,13 @@ static int devcgroup_update_access(struct dev_cgroup *devcgroup, >> int count, rc = 0; >> struct dev_exception_item ex; >> struct dev_cgroup *parent = css_to_devcgroup(devcgroup->css.parent); >> + struct dev_cgroup tmp_devcgrp; >> >> if (!capable(CAP_SYS_ADMIN)) >> return -EPERM; >> >> memset(&ex, 0, sizeof(ex)); >> + memset(&tmp_devcgrp, 0, sizeof(tmp_devcgrp)); >> b = buffer; >> >> switch (*b) { >> @@ -620,15 +633,27 @@ static int devcgroup_update_access(struct dev_cgroup *devcgroup, >> >> if (!may_allow_all(parent)) >> return -EPERM; >> - dev_exception_clean(devcgroup); >> - devcgroup->behavior = DEVCG_DEFAULT_ALLOW; >> - if (!parent) >> + if (!parent) { >> + devcgroup->behavior = DEVCG_DEFAULT_ALLOW; >> + dev_exception_clean(devcgroup); >> break; >> + } >> >> + INIT_LIST_HEAD(&tmp_devcgrp.exceptions); >> + rc = dev_exceptions_copy(&tmp_devcgrp.exceptions, >> + &devcgroup->exceptions); >> + if (rc) >> + return rc; >> + dev_exception_clean(devcgroup); >> rc = dev_exceptions_copy(&devcgroup->exceptions, >> &parent->exceptions); >> - if (rc) >> + if (rc) { >> + dev_exceptions_move(&devcgroup->exceptions, >> + &tmp_devcgrp.exceptions); >> return rc; >> + } >> + devcgroup->behavior = DEVCG_DEFAULT_ALLOW; >> + dev_exception_clean(&tmp_devcgrp); >> break; >> case DEVCG_DENY: >> if (css_has_online_children(&devcgroup->css)) >> -- >> 2.17.1 >> > >
On Mon, Nov 14, 2022 at 10:54 PM wangweiyang <wangweiyang2@huawei.com> wrote: > > Hi, Paul > Can this patch be applied or something to improve? Possibly. I need to find the time to properly review the patch; it's in my queue, I just haven't gotten to it yet. I'll reply to the patch posting with either a note that the patch has been merged, or a set of questions/feedback that needs to be resolved. If you haven't heard from me on the patch, the best thing you can do is exercise patience. > on 2022/10/28 19:19, Paul Moore wrote: > > On Tue, Oct 25, 2022 at 7:02 AM Wang Weiyang <wangweiyang2@huawei.com> wrote: > >> > >> When add the 'a *:* rwm' entry to devcgroup A's whitelist, at first A's > >> exceptions will be cleaned and A's behavior is changed to > >> DEVCG_DEFAULT_ALLOW. Then parent's exceptions will be copyed to A's > >> whitelist. If copy failure occurs, just return leaving A to grant > >> permissions to all devices. And A may grant more permissions than > >> parent. > >> > >> Backup A's whitelist and recover original exceptions after copy > >> failure. > >> > >> Fixes: 4cef7299b478 ("device_cgroup: add proper checking when changing default behavior") > >> Signed-off-by: Wang Weiyang <wangweiyang2@huawei.com> > >> --- > >> security/device_cgroup.c | 33 +++++++++++++++++++++++++++++---- > >> 1 file changed, 29 insertions(+), 4 deletions(-) > > > > On quick glance this looks reasonable to me, but I'm working with > > limited time connected to a network so I can't say I've given this a > > full and proper review; if a third party could spend some time to give > > this an additional review before I merge it I would greatly appreciate > > it. > > > >> diff --git a/security/device_cgroup.c b/security/device_cgroup.c > >> index a9f8c63a96d1..bef2b9285fb3 100644 > >> --- a/security/device_cgroup.c > >> +++ b/security/device_cgroup.c > >> @@ -82,6 +82,17 @@ static int dev_exceptions_copy(struct list_head *dest, struct list_head *orig) > >> return -ENOMEM; > >> } > >> > >> +static void dev_exceptions_move(struct list_head *dest, struct list_head *orig) > >> +{ > >> + struct dev_exception_item *ex, *tmp; > >> + > >> + lockdep_assert_held(&devcgroup_mutex); > >> + > >> + list_for_each_entry_safe(ex, tmp, orig, list) { > >> + list_move_tail(&ex->list, dest); > >> + } > >> +} > >> + > >> /* > >> * called under devcgroup_mutex > >> */ > >> @@ -604,11 +615,13 @@ static int devcgroup_update_access(struct dev_cgroup *devcgroup, > >> int count, rc = 0; > >> struct dev_exception_item ex; > >> struct dev_cgroup *parent = css_to_devcgroup(devcgroup->css.parent); > >> + struct dev_cgroup tmp_devcgrp; > >> > >> if (!capable(CAP_SYS_ADMIN)) > >> return -EPERM; > >> > >> memset(&ex, 0, sizeof(ex)); > >> + memset(&tmp_devcgrp, 0, sizeof(tmp_devcgrp)); > >> b = buffer; > >> > >> switch (*b) { > >> @@ -620,15 +633,27 @@ static int devcgroup_update_access(struct dev_cgroup *devcgroup, > >> > >> if (!may_allow_all(parent)) > >> return -EPERM; > >> - dev_exception_clean(devcgroup); > >> - devcgroup->behavior = DEVCG_DEFAULT_ALLOW; > >> - if (!parent) > >> + if (!parent) { > >> + devcgroup->behavior = DEVCG_DEFAULT_ALLOW; > >> + dev_exception_clean(devcgroup); > >> break; > >> + } > >> > >> + INIT_LIST_HEAD(&tmp_devcgrp.exceptions); > >> + rc = dev_exceptions_copy(&tmp_devcgrp.exceptions, > >> + &devcgroup->exceptions); > >> + if (rc) > >> + return rc; > >> + dev_exception_clean(devcgroup); > >> rc = dev_exceptions_copy(&devcgroup->exceptions, > >> &parent->exceptions); > >> - if (rc) > >> + if (rc) { > >> + dev_exceptions_move(&devcgroup->exceptions, > >> + &tmp_devcgrp.exceptions); > >> return rc; > >> + } > >> + devcgroup->behavior = DEVCG_DEFAULT_ALLOW; > >> + dev_exception_clean(&tmp_devcgrp); > >> break; > >> case DEVCG_DENY: > >> if (css_has_online_children(&devcgroup->css)) > >> -- > >> 2.17.1 > >> > > > >
On Tue, Oct 25, 2022 at 7:02 AM Wang Weiyang <wangweiyang2@huawei.com> wrote: > > When add the 'a *:* rwm' entry to devcgroup A's whitelist, at first A's > exceptions will be cleaned and A's behavior is changed to > DEVCG_DEFAULT_ALLOW. Then parent's exceptions will be copyed to A's > whitelist. If copy failure occurs, just return leaving A to grant > permissions to all devices. And A may grant more permissions than > parent. > > Backup A's whitelist and recover original exceptions after copy > failure. > > Fixes: 4cef7299b478 ("device_cgroup: add proper checking when changing default behavior") > Signed-off-by: Wang Weiyang <wangweiyang2@huawei.com> > --- > security/device_cgroup.c | 33 +++++++++++++++++++++++++++++---- > 1 file changed, 29 insertions(+), 4 deletions(-) Merged into lsm/next, but with a stable@vger tag. Normally I would merge something like this into lsm/stable-X.Y and send it up to Linus after a few days, but I'd really like this to spend some time in linux-next before going up to Linus.
On 2022/11/17 7:33, Paul Moore wrote: > On Tue, Oct 25, 2022 at 7:02 AM Wang Weiyang <wangweiyang2@huawei.com> wrote: >> >> When add the 'a *:* rwm' entry to devcgroup A's whitelist, at first A's >> exceptions will be cleaned and A's behavior is changed to >> DEVCG_DEFAULT_ALLOW. Then parent's exceptions will be copyed to A's >> whitelist. If copy failure occurs, just return leaving A to grant >> permissions to all devices. And A may grant more permissions than >> parent. >> >> Backup A's whitelist and recover original exceptions after copy >> failure. >> >> Fixes: 4cef7299b478 ("device_cgroup: add proper checking when changing default behavior") >> Signed-off-by: Wang Weiyang <wangweiyang2@huawei.com> >> --- >> security/device_cgroup.c | 33 +++++++++++++++++++++++++++++---- >> 1 file changed, 29 insertions(+), 4 deletions(-) > > Merged into lsm/next, but with a stable@vger tag. Normally I would > merge something like this into lsm/stable-X.Y and send it up to Linus > after a few days, but I'd really like this to spend some time in > linux-next before going up to Linus. Thanks Paul. This sounds fine.
diff --git a/security/device_cgroup.c b/security/device_cgroup.c index a9f8c63a96d1..bef2b9285fb3 100644 --- a/security/device_cgroup.c +++ b/security/device_cgroup.c @@ -82,6 +82,17 @@ static int dev_exceptions_copy(struct list_head *dest, struct list_head *orig) return -ENOMEM; } +static void dev_exceptions_move(struct list_head *dest, struct list_head *orig) +{ + struct dev_exception_item *ex, *tmp; + + lockdep_assert_held(&devcgroup_mutex); + + list_for_each_entry_safe(ex, tmp, orig, list) { + list_move_tail(&ex->list, dest); + } +} + /* * called under devcgroup_mutex */ @@ -604,11 +615,13 @@ static int devcgroup_update_access(struct dev_cgroup *devcgroup, int count, rc = 0; struct dev_exception_item ex; struct dev_cgroup *parent = css_to_devcgroup(devcgroup->css.parent); + struct dev_cgroup tmp_devcgrp; if (!capable(CAP_SYS_ADMIN)) return -EPERM; memset(&ex, 0, sizeof(ex)); + memset(&tmp_devcgrp, 0, sizeof(tmp_devcgrp)); b = buffer; switch (*b) { @@ -620,15 +633,27 @@ static int devcgroup_update_access(struct dev_cgroup *devcgroup, if (!may_allow_all(parent)) return -EPERM; - dev_exception_clean(devcgroup); - devcgroup->behavior = DEVCG_DEFAULT_ALLOW; - if (!parent) + if (!parent) { + devcgroup->behavior = DEVCG_DEFAULT_ALLOW; + dev_exception_clean(devcgroup); break; + } + INIT_LIST_HEAD(&tmp_devcgrp.exceptions); + rc = dev_exceptions_copy(&tmp_devcgrp.exceptions, + &devcgroup->exceptions); + if (rc) + return rc; + dev_exception_clean(devcgroup); rc = dev_exceptions_copy(&devcgroup->exceptions, &parent->exceptions); - if (rc) + if (rc) { + dev_exceptions_move(&devcgroup->exceptions, + &tmp_devcgrp.exceptions); return rc; + } + devcgroup->behavior = DEVCG_DEFAULT_ALLOW; + dev_exception_clean(&tmp_devcgrp); break; case DEVCG_DENY: if (css_has_online_children(&devcgroup->css))