From: "Michael Weiß" <michael.weiss@aisec.fraunhofer.de>
To: Alexander Mikhalitsyn <alexander@mihalicyn.com>,
Christian Brauner <brauner@kernel.org>,
Alexei Starovoitov <ast@kernel.org>,
Paul Moore <paul@paul-moore.com>
Cc: "Daniel Borkmann" <daniel@iogearbox.net>,
"Andrii Nakryiko" <andrii@kernel.org>,
"Martin KaFai Lau" <martin.lau@linux.dev>,
"Song Liu" <song@kernel.org>, "Yonghong Song" <yhs@fb.com>,
"John Fastabend" <john.fastabend@gmail.com>,
"KP Singh" <kpsingh@kernel.org>,
"Stanislav Fomichev" <sdf@google.com>,
"Hao Luo" <haoluo@google.com>, "Jiri Olsa" <jolsa@kernel.org>,
"Quentin Monnet" <quentin@isovalent.com>,
"Alexander Viro" <viro@zeniv.linux.org.uk>,
"Miklos Szeredi" <miklos@szeredi.hu>,
"Amir Goldstein" <amir73il@gmail.com>,
"Serge E. Hallyn" <serge@hallyn.com>,
bpf@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-fsdevel@vger.kernel.org, gyroidos@aisec.fraunhofer.de,
"Michael Weiß" <michael.weiss@aisec.fraunhofer.de>
Subject: [RFC PATCH v2 03/14] device_cgroup: Remove explicit devcgroup_inode hooks
Date: Wed, 18 Oct 2023 12:50:22 +0200 [thread overview]
Message-ID: <20231018105033.13669-4-michael.weiss@aisec.fraunhofer.de> (raw)
In-Reply-To: <20231018105033.13669-1-michael.weiss@aisec.fraunhofer.de>
All users (actually just fs/namei) of devcgroup_inode_mknod and
devcgroup_inode_permission are removed. Now drop the API completely.
Signed-off-by: Michael Weiß <michael.weiss@aisec.fraunhofer.de>
---
include/linux/device_cgroup.h | 47 -----------------------------------
1 file changed, 47 deletions(-)
diff --git a/include/linux/device_cgroup.h b/include/linux/device_cgroup.h
index d02f32b7514e..d9a62b0cff87 100644
--- a/include/linux/device_cgroup.h
+++ b/include/linux/device_cgroup.h
@@ -14,54 +14,7 @@
#if defined(CONFIG_CGROUP_DEVICE) || defined(CONFIG_CGROUP_BPF)
int devcgroup_check_permission(short type, u32 major, u32 minor,
short access);
-static inline int devcgroup_inode_permission(struct inode *inode, int mask)
-{
- short type, access = 0;
-
- if (likely(!inode->i_rdev))
- return 0;
-
- if (S_ISBLK(inode->i_mode))
- type = DEVCG_DEV_BLOCK;
- else if (S_ISCHR(inode->i_mode))
- type = DEVCG_DEV_CHAR;
- else
- return 0;
-
- if (mask & MAY_WRITE)
- access |= DEVCG_ACC_WRITE;
- if (mask & MAY_READ)
- access |= DEVCG_ACC_READ;
-
- return devcgroup_check_permission(type, imajor(inode), iminor(inode),
- access);
-}
-
-static inline int devcgroup_inode_mknod(int mode, dev_t dev)
-{
- short type;
-
- if (!S_ISBLK(mode) && !S_ISCHR(mode))
- return 0;
-
- if (S_ISCHR(mode) && dev == WHITEOUT_DEV)
- return 0;
-
- if (S_ISBLK(mode))
- type = DEVCG_DEV_BLOCK;
- else
- type = DEVCG_DEV_CHAR;
-
- return devcgroup_check_permission(type, MAJOR(dev), MINOR(dev),
- DEVCG_ACC_MKNOD);
-}
-
#else
static inline int devcgroup_check_permission(short type, u32 major, u32 minor,
short access)
-{ return 0; }
-static inline int devcgroup_inode_permission(struct inode *inode, int mask)
-{ return 0; }
-static inline int devcgroup_inode_mknod(int mode, dev_t dev)
-{ return 0; }
#endif
--
2.30.2
next prev parent reply other threads:[~2023-10-18 10:51 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-10-18 10:50 [RFC PATCH v2 00/14] device_cgroup: guard mknod for non-initial user namespace Michael Weiß
2023-10-18 10:50 ` [RFC PATCH v2 01/14] device_cgroup: Implement devcgroup hooks as lsm security hooks Michael Weiß
2023-10-18 10:50 ` [RFC PATCH v2 02/14] vfs: Remove explicit devcgroup_inode calls Michael Weiß
2023-10-18 10:50 ` Michael Weiß [this message]
2023-10-18 10:50 ` [RFC PATCH v2 04/14] lsm: Add security_dev_permission() hook Michael Weiß
2023-10-18 10:50 ` [RFC PATCH v2 05/14] device_cgroup: Implement dev_permission() hook Michael Weiß
2023-10-18 10:50 ` [RFC PATCH v2 06/14] block: Switch from devcgroup_check_permission to security hook Michael Weiß
2023-10-18 10:50 ` [RFC PATCH v2 07/14] drm/amdkfd: " Michael Weiß
2023-10-18 10:50 ` [RFC PATCH v2 08/14] device_cgroup: Hide devcgroup functionality completely in lsm Michael Weiß
2023-10-18 10:50 ` [RFC PATCH v2 09/14] lsm: Add security_inode_mknod_nscap() hook Michael Weiß
2023-10-18 10:50 ` [RFC PATCH v2 10/14] lsm: Add security_sb_alloc_userns() hook Michael Weiß
2023-10-18 10:50 ` [RFC PATCH v2 11/14] vfs: Wire up security hooks for lsm-based device guard in userns Michael Weiß
2023-10-18 10:50 ` [RFC PATCH v2 12/14] bpf: Add flag BPF_DEVCG_ACC_MKNOD_UNS for device access Michael Weiß
2023-10-18 10:50 ` [RFC PATCH v2 13/14] bpf: cgroup: Introduce helper cgroup_bpf_current_enabled() Michael Weiß
2023-10-18 10:50 ` [RFC PATCH v2 14/14] device_cgroup: Allow mknod in non-initial userns if guarded Michael Weiß
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20231018105033.13669-4-michael.weiss@aisec.fraunhofer.de \
--to=michael.weiss@aisec.fraunhofer.de \
--cc=alexander@mihalicyn.com \
--cc=amir73il@gmail.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=brauner@kernel.org \
--cc=daniel@iogearbox.net \
--cc=gyroidos@aisec.fraunhofer.de \
--cc=haoluo@google.com \
--cc=john.fastabend@gmail.com \
--cc=jolsa@kernel.org \
--cc=kpsingh@kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=martin.lau@linux.dev \
--cc=miklos@szeredi.hu \
--cc=paul@paul-moore.com \
--cc=quentin@isovalent.com \
--cc=sdf@google.com \
--cc=serge@hallyn.com \
--cc=song@kernel.org \
--cc=viro@zeniv.linux.org.uk \
--cc=yhs@fb.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).