device_cgroup: remove can_attach [Linux 3.13]

This Linux kernel change "device_cgroup: remove can_attach" is included in the Linux 3.13 release. This change is authored by Serge Hallyn <serge.hallyn [at] ubuntu.com> on Wed Oct 23 01:34:00 2013 +0200. The commit for this change in the Linux stable tree is 73ba353.

device_cgroup: remove can_attach

It is really only wanting to duplicate a check which is already done by the
cgroup subsystem.

With this patch, user jdoe still cannot move pid 1 into a devices cgroup
he owns, but now he can move his own other tasks into devices cgroups.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Cc: Aristeu Rozanski <aris@redhat.com>

There are 11 lines of Linux source code added/deleted in this change. The code changes to the Linux kernel are as follows.

 security/device_cgroup.c | 11 -----------
 1 file changed, 11 deletions(-)

diff --git a/security/device_cgroup.c b/security/device_cgroup.c
index c123628..7c2a0a7 100644
--- a/security/device_cgroup.c
+++ b/security/device_cgroup.c
@@ -63,16 +63,6 @@ static inline struct dev_cgroup *task_devcgroup(struct task_struct *task)

 struct cgroup_subsys devices_subsys;

-static int devcgroup_can_attach(struct cgroup_subsys_state *new_css,
-               struct cgroup_taskset *set)
-{
-   struct task_struct *task = cgroup_taskset_first(set);
-
-   if (current != task && !capable(CAP_SYS_ADMIN))
-       return -EPERM;
-   return 0;
-}
-
 /*
  * called under devcgroup_mutex
  */
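Review bot: the removed devcgroup_can_attach refused to move any task other than current unless the caller held CAP_SYS_ADMIN, which is a capability-based rule, while the commit message describes the surviving behaviour as ownership-based ("user jdoe still cannot move pid 1 into a devices cgroup he owns, but now he can move his own other tasks"). That is a deliberate relaxation rather than a pure de-duplication, so the commit message should say which check in the cgroup core is being relied on and state the behaviour change explicitly; a reviewer cannot confirm from this hunk alone that the core check covers every case the dropped `if (current != task && !capable(CAP_SYS_ADMIN))` did.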
@@ -697,7 +687,6 @@ static int devcgroup_access_write(struct cgroup_subsys_state *css,

 struct cgroup_subsys devices_subsys = {
    .name = "devices",
-   .can_attach = devcgroup_can_attach,
    .css_alloc = devcgroup_css_alloc,
    .css_free = devcgroup_css_free,
    .css_online = devcgroup_online,
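Review bot: dropping the `.can_attach = devcgroup_can_attach,` initializer matches the definition removed in the previous hunk, so no dangling reference remains and the devices controller now has no controller-specific attach gate at all. A one-line comment next to `struct cgroup_subsys devices_subsys = {` recording that attach permission is intentionally left to the cgroup core would stop a later contributor from re-adding a duplicate check.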
