[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20231018105033.13669-6-michael.weiss@aisec.fraunhofer.de>
Date: Wed, 18 Oct 2023 12:50:24 +0200
From: Michael Weiß <michael.weiss@...ec.fraunhofer.de>
To: Alexander Mikhalitsyn <alexander@...alicyn.com>,
Christian Brauner <brauner@...nel.org>,
Alexei Starovoitov <ast@...nel.org>,
Paul Moore <paul@...l-moore.com>
Cc: Daniel Borkmann <daniel@...earbox.net>,
Andrii Nakryiko <andrii@...nel.org>,
Martin KaFai Lau <martin.lau@...ux.dev>,
Song Liu <song@...nel.org>, Yonghong Song <yhs@...com>,
John Fastabend <john.fastabend@...il.com>,
KP Singh <kpsingh@...nel.org>,
Stanislav Fomichev <sdf@...gle.com>,
Hao Luo <haoluo@...gle.com>, Jiri Olsa <jolsa@...nel.org>,
Quentin Monnet <quentin@...valent.com>,
Alexander Viro <viro@...iv.linux.org.uk>,
Miklos Szeredi <miklos@...redi.hu>,
Amir Goldstein <amir73il@...il.com>,
"Serge E. Hallyn" <serge@...lyn.com>, bpf@...r.kernel.org,
linux-kernel@...r.kernel.org, linux-fsdevel@...r.kernel.org,
gyroidos@...ec.fraunhofer.de,
Michael Weiß <michael.weiss@...ec.fraunhofer.de>
Subject: [RFC PATCH v2 05/14] device_cgroup: Implement dev_permission() hook
Wrap devcgroup_check_permission() by implementing the new security
hook dev_permission().
Signed-off-by: Michael Weiß <michael.weiss@...ec.fraunhofer.de>
---
security/device_cgroup/lsm.c | 22 +++++++++++++---------
1 file changed, 13 insertions(+), 9 deletions(-)
diff --git a/security/device_cgroup/lsm.c b/security/device_cgroup/lsm.c
index ef30cff1f610..987d2c20a577 100644
--- a/security/device_cgroup/lsm.c
+++ b/security/device_cgroup/lsm.c
@@ -14,29 +14,32 @@
#include <linux/device_cgroup.h>
#include <linux/lsm_hooks.h>
-static int devcg_inode_permission(struct inode *inode, int mask)
+static int devcg_dev_permission(umode_t mode, dev_t dev, int mask)
{
short type, access = 0;
- if (likely(!inode->i_rdev))
- return 0;
-
- if (S_ISBLK(inode->i_mode))
+ if (S_ISBLK(mode))
type = DEVCG_DEV_BLOCK;
- else if (S_ISCHR(inode->i_mode))
- type = DEVCG_DEV_CHAR;
else
- return 0;
+ type = DEVCG_DEV_CHAR;
if (mask & MAY_WRITE)
access |= DEVCG_ACC_WRITE;
if (mask & MAY_READ)
access |= DEVCG_ACC_READ;
- return devcgroup_check_permission(type, imajor(inode), iminor(inode),
+ return devcgroup_check_permission(type, MAJOR(dev), MINOR(dev),
access);
}
+static int devcg_inode_permission(struct inode *inode, int mask)
+{
+ if (likely(!inode->i_rdev))
+ return 0;
+
+ return devcg_dev_permission(inode->i_mode, inode->i_rdev, mask);
+}
+
static int __devcg_inode_mknod(int mode, dev_t dev, short access)
{
short type;
@@ -65,6 +68,7 @@ static int devcg_inode_mknod(struct inode *dir, struct dentry *dentry,
static struct security_hook_list devcg_hooks[] __ro_after_init = {
LSM_HOOK_INIT(inode_permission, devcg_inode_permission),
LSM_HOOK_INIT(inode_mknod, devcg_inode_mknod),
+ LSM_HOOK_INIT(dev_permission, devcg_dev_permission),
};
static int __init devcgroup_init(void)
--
2.30.2
Powered by blists - more mailing lists