Quoting Aristeu Rozanski (a...@redhat.com): > On Thu, Nov 29, 2012 at 07:29:45PM +0000, Serge E. Hallyn wrote: > > Quoting Aristeu Rozanski (a...@redhat.com): > > > In preparation for better hierarchy support, it's needed to retain the > > > local > > > settings in order to try to reapply them after a propagated change if > > > they're > > > still valid. > > > > > > Cc: Tejun Heo <t...@kernel.org> > > > Cc: Serge Hallyn <serge.hal...@canonical.com> > > > Signed-off-by: Aristeu Rozanski <a...@redhat.com> > > > > > > --- > > > security/device_cgroup.c | 108 > > > ++++++++++++++++++++++++++++++++++------------- > > > 1 file changed, 80 insertions(+), 28 deletions(-) > > > > Hi, > > > > thanks for doing this. I've got one concern though. I don't see > > any place where devcgroup_create() was updated to create the > > local exceptions list. I think we need a guarantee that at > > the local exceptions list is part of the dev_cgroup structure and it's > initialized on the patch 'device_cgroup: keep track of local group > setting': > > @@ -190,6 +238,8 @@ > if (!dev_cgroup) > return ERR_PTR(-ENOMEM); > INIT_LIST_HEAD(&dev_cgroup->exceptions); > + INIT_LIST_HEAD(&dev_cgroup->local.exceptions); > + dev_cgroup->local.behavior = DEVCG_DEFAULT_NONE; > parent_cgroup = cgroup->parent; > > if (parent_cgroup == NULL) > > > any time the local exceptions list will contain all the entries > > contained in the cgroup->exceptions list. Otherwise you cannot > > hm, no. the local exceptions are meant to be used for stuff written > locally. the devcgroup->exceptions list is the list in effect. > > > use the exception_add() the way you do (or you can't use RCU), > > since there could be a window between the successful addition > > of a rule to cgroup->local.exceptions and the failed addition to > > cgroup->exceptions, during which a task (since it won't need > > the mutex for devcg_allow()) could exceed allowed permissions. > > > > It's possible I'm misunderstanding. If you think that's the case > > just kick me and I'll take a fresh look. > > I see your point. it's indeed a problem. in dev_exception_add(), it > needs to check for permissions before actually adding to > devcgroup->exceptions. > > > (Btw is there a git tree or gitweb view I could look at alongside > > the patchset?) > > I'll rebase the patchset along with a fix for this and resubmit with a > link to the git repo.
Thanks, Aristeu! -serge -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
