On 14/09/2016 09:24, Mickaël Salaün wrote: > Add security access check for cgroup backed FD. The "cgroup.procs" file > of the corresponding cgroup must be readable to identify the cgroup, and > writable to prove that the current process can manage this cgroup (e.g. > through delegation). This is similar to the check done by > cgroup_procs_write_permission(). > > Signed-off-by: Mickaël Salaün > Cc: Alexei Starovoitov > Cc: Andy Lutomirski > Cc: Daniel Borkmann > Cc: Daniel Mack > Cc: David S. Miller > Cc: Kees Cook > Cc: Tejun Heo > --- > include/linux/cgroup.h | 2 +- > kernel/bpf/arraymap.c | 2 +- > kernel/bpf/syscall.c | 6 +++--- > kernel/cgroup.c | 16 +++++++++++++++- > 4 files changed, 20 insertions(+), 6 deletions(-) ... > diff --git a/kernel/cgroup.c b/kernel/cgroup.c > index 48b650a640a9..3bbaf3f02ed2 100644 > --- a/kernel/cgroup.c > +++ b/kernel/cgroup.c > @@ -6241,17 +6241,20 @@ EXPORT_SYMBOL_GPL(cgroup_get_from_path); > /** > * cgroup_get_from_fd - get a cgroup pointer from a fd > * @fd: fd obtained by open(cgroup2_dir) > + * @access_mask: contains the permission mask > * > * Find the cgroup from a fd which should be obtained > * by opening a cgroup directory. Returns a pointer to the > * cgroup on success. ERR_PTR is returned if the cgroup > * cannot be found. > */ > -struct cgroup *cgroup_get_from_fd(int fd) > +struct cgroup *cgroup_get_from_fd(int fd, int access_mask) > { > struct cgroup_subsys_state *css; > struct cgroup *cgrp; > struct file *f; > + struct inode *inode; > + int ret; > > f = fget_raw(fd); > if (!f) > @@ -6268,6 +6271,17 @@ struct cgroup *cgroup_get_from_fd(int fd) > return ERR_PTR(-EBADF); > } > > + ret = -ENOMEM; > + inode = kernfs_get_inode(f->f_path.dentry->d_sb, cgrp->procs_file.kn); I forgot to properly move fput(f) after this line… This will be fixed.
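Review bot: In the kerneldoc of cgroup_get_from_fd() (first kernel/cgroup.c hunk), "@access_mask: contains the permission mask" does not say which bits a caller may pass or what they are checked against, and the return paragraph still lists only the "cgroup cannot be found" failure. Suggest stating that the mask is checked against the cgroup's "cgroup.procs" file, as the commit message describes, and documenting the error returned when that check fails, so the updated callers in kernel/bpf/arraymap.c and kernel/bpf/syscall.c can tell a permission denial from a bad fd.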
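Review bot: The added kernfs_get_inode(f->f_path.dentry->d_sb, cgrp->procs_file.kn) call in the second kernel/cgroup.c hunk dereferences f, so the file reference taken by fget_raw(fd) must still be held at this point; fput(f) has to come after this line, as the reply acknowledges. The quoted hunk stops here, so the remaining added lines are not visible: kernfs_get_inode() returns NULL on failure and a referenced inode otherwise, so the code that follows should check for NULL before using inode and call iput(inode) on every exit path, including the one taken when the permission check fails.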