From: Roman Gushchin
CC: Tejun Heo, Alexei Starovoitov, Daniel Borkmann, Roman Gushchin
Subject: [PATCH v3 net-next 2/5] device_cgroup: prepare code for bpf-based device controller
Date: Thu, 2 Nov 2017 13:15:27 -0400
Message-ID: <20171102171530.7627-3-guro@fb.com>
In-Reply-To: <20171102171530.7627-1-guro@fb.com>
References: <20171102171530.7627-1-guro@fb.com>
X-Mailing-List: linux-kernel@vger.kernel.org

This is non-functional change to prepare the device cgroup code for adding eBPF-based controller for cgroups v2.
The patch performs the following changes:
1) __devcgroup_inode_permission() and devcgroup_inode_mknod() are moving to the device-cgroup.h and converting into static inline.
2) __devcgroup_check_permission() is exported.
3) devcgroup_check_permission() wrapper is introduced to be used by both existing and new bpf-based implementations.

Signed-off-by: Roman Gushchin
Acked-by: Tejun Heo
Acked-by: Alexei Starovoitov
--- include/linux/device_cgroup.h | 61 ++++++++++++++++++++++++++++++++++++++++--- security/device_cgroup.c | 47 ++------------------------------- 2 files changed, 59 insertions(+), 49 deletions(-) diff --git a/include/linux/device_cgroup.h b/include/linux/device_cgroup.h index 8b64221b432b..1e42d33accbf 100644 --- a/include/linux/device_cgroup.h +++ b/include/linux/device_cgroup.h 
@@ -1,16 +1,69 @@ #include +#define DEVCG_ACC_MKNOD 1 +#define DEVCG_ACC_READ 2 +#define DEVCG_ACC_WRITE 4 +#define DEVCG_ACC_MASK (DEVCG_ACC_MKNOD | DEVCG_ACC_READ | DEVCG_ACC_WRITE) + +#define DEVCG_DEV_BLOCK 1 +#define DEVCG_DEV_CHAR 2 +#define DEVCG_DEV_ALL 4 /* this represents all devices */ + +#ifdef CONFIG_CGROUP_DEVICE +extern int __devcgroup_check_permission(short type, u32 major, u32 minor, + short access); +#else +static inline int __devcgroup_check_permission(short type, u32 major, u32 minor, + short access) +{ return 0; } +#endif + #ifdef CONFIG_CGROUP_DEVICE -extern int __devcgroup_inode_permission(struct inode *inode, int mask); -extern int devcgroup_inode_mknod(int mode, dev_t dev); +static inline int devcgroup_check_permission(short type, u32 major, u32 minor, + short access) +{ + return __devcgroup_check_permission(type, major, minor, access); +} + static inline int devcgroup_inode_permission(struct inode *inode, int mask) { + short type, access = 0; + if (likely(!inode->i_rdev)) return 0; - if (!S_ISBLK(inode->i_mode) && !S_ISCHR(inode->i_mode)) + + if (S_ISBLK(inode->i_mode)) + type = DEVCG_DEV_BLOCK; + else if (S_ISCHR(inode->i_mode)) + type = DEVCG_DEV_CHAR; + else return 0; - return __devcgroup_inode_permission(inode, mask); + + if (mask & MAY_WRITE) + access |= DEVCG_ACC_WRITE; + if (mask & MAY_READ) + access |= DEVCG_ACC_READ; + + return devcgroup_check_permission(type, imajor(inode), iminor(inode), + access); } + +static inline int devcgroup_inode_mknod(int mode, dev_t dev) +{ + short type; + + if (!S_ISBLK(mode) && !S_ISCHR(mode)) + return 0; + + if (S_ISBLK(mode)) + type = DEVCG_DEV_BLOCK; + else + type = DEVCG_DEV_CHAR; + + return devcgroup_check_permission(type, MAJOR(dev), MINOR(dev), + DEVCG_ACC_MKNOD); +} + #else static inline int devcgroup_inode_permission(struct inode *inode, int mask) { return 0; } diff --git a/security/device_cgroup.c b/security/device_cgroup.c index 76cc0cbbb10d..c54692208dcb 100644 
--- a/security/device_cgroup.c +++ b/security/device_cgroup.c @@ -14,15 +14,6 @@ #include #include -#define DEVCG_ACC_MKNOD 1 -#define DEVCG_ACC_READ 2 -#define DEVCG_ACC_WRITE 4 -#define DEVCG_ACC_MASK (DEVCG_ACC_MKNOD | DEVCG_ACC_READ | DEVCG_ACC_WRITE) - -#define DEVCG_DEV_BLOCK 1 -#define DEVCG_DEV_CHAR 2 -#define DEVCG_DEV_ALL 4 /* this represents all devices */ - static DEFINE_MUTEX(devcgroup_mutex); enum devcg_behavior { @@ -809,8 +800,8 @@ struct cgroup_subsys devices_cgrp_subsys = { * * returns 0 on success, -EPERM case the operation is not permitted */ -static int __devcgroup_check_permission(short type, u32 major, u32 minor, - short access) +int __devcgroup_check_permission(short type, u32 major, u32 minor, + short access) { struct dev_cgroup *dev_cgroup; bool rc; @@ -832,37 +823,3 @@ static int __devcgroup_check_permission(short type, u32 major, u32 minor, return 0; } - -int __devcgroup_inode_permission(struct inode *inode, int mask) -{ - short type, access = 0; - - if (S_ISBLK(inode->i_mode)) - type = DEVCG_DEV_BLOCK; - if (S_ISCHR(inode->i_mode)) - type = DEVCG_DEV_CHAR; - if (mask & MAY_WRITE) - access |= DEVCG_ACC_WRITE; - if (mask & MAY_READ) - access |= DEVCG_ACC_READ; - - return __devcgroup_check_permission(type, imajor(inode), iminor(inode), - access); -} - -int devcgroup_inode_mknod(int mode, dev_t dev) -{ - short type; - - if (!S_ISBLK(mode) && !S_ISCHR(mode)) - return 0; - - if (S_ISBLK(mode)) - type = DEVCG_DEV_BLOCK; - else - type = DEVCG_DEV_CHAR; - - return __devcgroup_check_permission(type, MAJOR(dev), MINOR(dev), - DEVCG_ACC_MKNOD); - -} -- 2.13.6
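Review bot: in include/linux/device_cgroup.h the new `#else` stub of `__devcgroup_check_permission()` has no caller in this patch, because `devcgroup_check_permission()` and both inline helpers that reach it sit inside the following `#ifdef CONFIG_CGROUP_DEVICE` block. Either fold the extern declaration into that existing block and drop the stub, or state in the commit message that the separate `#ifdef`/`#else` pair is there for a later patch in the series. The hunk also starts at line 1 with the `#include`, so the header shows no include guard; now that it carries the DEVCG_* macros and more static inline bodies, a guard would be worth adding.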
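Review bot: in the security/device_cgroup.c hunk at -809, the commit message says `__devcgroup_check_permission()` "is exported", but the change only drops `static`; no EXPORT_SYMBOL is added in the visible lines. Since `devcgroup_inode_permission()` and `devcgroup_inode_mknod()` are now inline in the header and call this symbol directly, please spell out whether only built-in callers are intended, and add the export if any modular code is expected to use the inline helpers. The comment above the function ("returns 0 on success, -EPERM case the operation is not permitted") could also mention that callers should go through the `devcgroup_check_permission()` wrapper rather than the double-underscore function.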