device_cgroup: fix unchecked cgroup parent usage [Linux 3.7]

This Linux kernel change "device_cgroup: fix unchecked cgroup parent usage" is included in the Linux 3.7 release. This change is authored by Aristeu Rozanski <aris [at] redhat.com> on Tue Nov 6 07:25:04 2012 -0800. The commit for this change in Linux stable tree is 64e1047 (patch).

device_cgroup: fix unchecked cgroup parent usage

In 4cef7299b478687 ("device_cgroup: add proper checking when changing
default behavior") the cgroup parent usage is unchecked.  root will not
have a parent and trying to use device.{allow,deny} will cause problems.
For some reason my stressing scripts didn't test the root directory so I
didn't catch it on my regular tests.

Signed-off-by: Aristeu Rozanski <aris@redhat.com>
Cc: Li Zefan <lizefan@huawei.com>
Cc: James Morris <jmorris@namei.org>
Cc: Pavel Emelyanov <xemul@openvz.org>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Cc: Jiri Slaby <jslaby@suse.cz>
Cc: Tejun Heo <tj@kernel.org>
Signed-off-by: Tejun Heo <tj@kernel.org>

There are 12 lines of Linux source code added/deleted in this change. Code changes to Linux kernel are as follows.

 security/device_cgroup.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/security/device_cgroup.c b/security/device_cgroup.c
index 842c254..96d87ea 100644
--- a/security/device_cgroup.c
+++ b/security/device_cgroup.c
@@ -352,6 +352,8 @@ static int parent_has_perm(struct dev_cgroup *childcg,
  */
 static inline int may_allow_all(struct dev_cgroup *parent)
 {
+   if (!parent)
+       return 1;
    return parent->behavior == DEVCG_DEFAULT_ALLOW;
 }

@@ -376,11 +378,14 @@ static int devcgroup_update_access(struct dev_cgroup *devcgroup,
    int count, rc;
    struct dev_exception_item ex;
    struct cgroup *p = devcgroup->css.cgroup;
-   struct dev_cgroup *parent = cgroup_to_devcgroup(p->parent);
+   struct dev_cgroup *parent = NULL;

    if (!capable(CAP_SYS_ADMIN))
        return -EPERM;

+   if (p->parent)
+       parent = cgroup_to_devcgroup(p->parent);
+
    memset(&ex, 0, sizeof(ex));
    b = buffer;

@@ -391,11 +396,14 @@ static int devcgroup_update_access(struct dev_cgroup *devcgroup,
            if (!may_allow_all(parent))
                return -EPERM;
            dev_exception_clean(devcgroup);
+           devcgroup->behavior = DEVCG_DEFAULT_ALLOW;
+           if (!parent)
+               break;
+
            rc = dev_exceptions_copy(&devcgroup->exceptions,
                         &parent->exceptions);
            if (rc)
                return rc;
-           devcgroup->behavior = DEVCG_DEFAULT_ALLOW;
            break;
        case DEVCG_DENY:
            dev_exception_clean(devcgroup);

Leave a Reply

Your email address will not be published. Required fields are marked *