Re: [PATCH] device_cgroup: fix unchecked cgroup parent usage

Wed, 31 Oct 2012 10:21:57 -0700 

Quoting Aristeu Rozanski (a...@redhat.com):
> In 4cef7299b4786879a3e113e84084a72b24590c5b the cgroup parent usage is
> unchecked. root will not have a parent and trying to use
> device.{allow,deny} will cause problems. For some reason my stressing
> scripts didn't test the root directory so I didn't catch it on my
> regular tests.
> 
> Andrew, Tejun, this patch needs to make Linus tree ASAP or a revert for
> 4cef7299b4786879a3e113e84084a72b24590c5b.
> 
> Cc: Andrew Morton <a...@linux-foundation.org>
> Cc: Tejun Heo <t...@kernel.org>
> Cc: Li Zefan <lize...@huawei.com>
> Cc: James Morris <jmor...@namei.org>
> Cc: Pavel Emelyanov <xe...@openvz.org>
> Cc: Serge Hallyn <serge.hal...@canonical.com>

Acked-by: Serge E. Hallyn <serge.hal...@ubuntu.com>

> Cc: Jiri Slaby <jsl...@suse.cz>
> Signed-off-by: Aristeu Rozanski <a...@redhat.com>
> 
> --- github.orig/security/device_cgroup.c      2012-10-26 17:18:01.739366780 
> -0400
> +++ github/security/device_cgroup.c   2012-10-29 10:03:33.221918003 -0400
> @@ -352,6 +352,8 @@
>   */
>  static inline int may_allow_all(struct dev_cgroup *parent)
>  {
> +     if (!parent)
> +             return 1;
>       return parent->behavior == DEVCG_DEFAULT_ALLOW;
>  }
>  
> @@ -376,11 +378,14 @@
>       int count, rc;
>       struct dev_exception_item ex;
>       struct cgroup *p = devcgroup->css.cgroup;
> -     struct dev_cgroup *parent = cgroup_to_devcgroup(p->parent);
> +     struct dev_cgroup *parent = NULL;
>  
>       if (!capable(CAP_SYS_ADMIN))
>               return -EPERM;
>  
> +     if (p->parent)
> +             parent = cgroup_to_devcgroup(p->parent);
> +
>       memset(&ex, 0, sizeof(ex));
>       b = buffer;
>  
> @@ -391,11 +396,14 @@
>                       if (!may_allow_all(parent))
>                               return -EPERM;
>                       dev_exception_clean(devcgroup);
> +                     devcgroup->behavior = DEVCG_DEFAULT_ALLOW;
> +                     if (!parent)
> +                             break;
> +
>                       rc = dev_exceptions_copy(&devcgroup->exceptions,
>                                                &parent->exceptions);
>                       if (rc)
>                               return rc;
> -                     devcgroup->behavior = DEVCG_DEFAULT_ALLOW;
>                       break;
>               case DEVCG_DENY:
>                       dev_exception_clean(devcgroup);
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Reply via email to