Rename device type and access type constants defined in
security/device_cgroup.c by adding the DEVCG_ prefix.
The reason behind this renaming is to make them global namespace
friendly, as they will be moved to the corresponding header file
by following patches.
Signed-off-by: Roman Gushchin <guro@fb.com>
Cc: David S. Miller <davem@davemloft.net>
Cc: Tejun Heo <tj@kernel.org>
Cc: Alexei Starovoitov <ast@kernel.org>
Cc: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
#include <linux/rcupdate.h>
#include <linux/mutex.h>
#include <linux/rcupdate.h>
#include <linux/mutex.h>
-#define ACC_MKNOD 1
-#define ACC_READ 2
-#define ACC_WRITE 4
-#define ACC_MASK (ACC_MKNOD | ACC_READ | ACC_WRITE)
+#define DEVCG_ACC_MKNOD 1
+#define DEVCG_ACC_READ 2
+#define DEVCG_ACC_WRITE 4
+#define DEVCG_ACC_MASK (DEVCG_ACC_MKNOD | DEVCG_ACC_READ | DEVCG_ACC_WRITE)
-#define DEV_BLOCK 1
-#define DEV_CHAR 2
-#define DEV_ALL 4 /* this represents all devices */
+#define DEVCG_DEV_BLOCK 1
+#define DEVCG_DEV_CHAR 2
+#define DEVCG_DEV_ALL 4 /* this represents all devices */
static DEFINE_MUTEX(devcgroup_mutex);
static DEFINE_MUTEX(devcgroup_mutex);
{
int idx = 0;
memset(acc, 0, ACCLEN);
{
int idx = 0;
memset(acc, 0, ACCLEN);
+ if (access & DEVCG_ACC_READ)
- if (access & ACC_WRITE)
+ if (access & DEVCG_ACC_WRITE)
- if (access & ACC_MKNOD)
+ if (access & DEVCG_ACC_MKNOD)
acc[idx++] = 'm';
}
static char type_to_char(short type)
{
acc[idx++] = 'm';
}
static char type_to_char(short type)
{
+ if (type == DEVCG_DEV_ALL)
+ if (type == DEVCG_DEV_CHAR)
+ if (type == DEVCG_DEV_BLOCK)
return 'b';
return 'X';
}
return 'b';
return 'X';
}
* This way, the file remains as a "whitelist of devices"
*/
if (devcgroup->behavior == DEVCG_DEFAULT_ALLOW) {
* This way, the file remains as a "whitelist of devices"
*/
if (devcgroup->behavior == DEVCG_DEFAULT_ALLOW) {
- set_access(acc, ACC_MASK);
+ set_access(acc, DEVCG_ACC_MASK);
set_majmin(maj, ~0);
set_majmin(min, ~0);
set_majmin(maj, ~0);
set_majmin(min, ~0);
- seq_printf(m, "%c %s:%s %s\n", type_to_char(DEV_ALL),
+ seq_printf(m, "%c %s:%s %s\n", type_to_char(DEVCG_DEV_ALL),
maj, min, acc);
} else {
list_for_each_entry_rcu(ex, &devcgroup->exceptions, list) {
maj, min, acc);
} else {
list_for_each_entry_rcu(ex, &devcgroup->exceptions, list) {
/**
* match_exception - iterates the exception list trying to find a complete match
* @exceptions: list of exceptions
/**
* match_exception - iterates the exception list trying to find a complete match
* @exceptions: list of exceptions
- * @type: device type (DEV_BLOCK or DEV_CHAR)
+ * @type: device type (DEVCG_DEV_BLOCK or DEVCG_DEV_CHAR)
* @major: device file major number, ~0 to match all
* @minor: device file minor number, ~0 to match all
* @major: device file major number, ~0 to match all
* @minor: device file minor number, ~0 to match all
- * @access: permission mask (ACC_READ, ACC_WRITE, ACC_MKNOD)
+ * @access: permission mask (DEVCG_ACC_READ, DEVCG_ACC_WRITE, DEVCG_ACC_MKNOD)
*
* It is considered a complete match if an exception is found that will
* contain the entire range of provided parameters.
*
* It is considered a complete match if an exception is found that will
* contain the entire range of provided parameters.
struct dev_exception_item *ex;
list_for_each_entry_rcu(ex, exceptions, list) {
struct dev_exception_item *ex;
list_for_each_entry_rcu(ex, exceptions, list) {
- if ((type & DEV_BLOCK) && !(ex->type & DEV_BLOCK))
+ if ((type & DEVCG_DEV_BLOCK) && !(ex->type & DEVCG_DEV_BLOCK))
- if ((type & DEV_CHAR) && !(ex->type & DEV_CHAR))
+ if ((type & DEVCG_DEV_CHAR) && !(ex->type & DEVCG_DEV_CHAR))
continue;
if (ex->major != ~0 && ex->major != major)
continue;
continue;
if (ex->major != ~0 && ex->major != major)
continue;
/**
* match_exception_partial - iterates the exception list trying to find a partial match
* @exceptions: list of exceptions
/**
* match_exception_partial - iterates the exception list trying to find a partial match
* @exceptions: list of exceptions
- * @type: device type (DEV_BLOCK or DEV_CHAR)
+ * @type: device type (DEVCG_DEV_BLOCK or DEVCG_DEV_CHAR)
* @major: device file major number, ~0 to match all
* @minor: device file minor number, ~0 to match all
* @major: device file major number, ~0 to match all
* @minor: device file minor number, ~0 to match all
- * @access: permission mask (ACC_READ, ACC_WRITE, ACC_MKNOD)
+ * @access: permission mask (DEVCG_ACC_READ, DEVCG_ACC_WRITE, DEVCG_ACC_MKNOD)
*
* It is considered a partial match if an exception's range is found to
* contain *any* of the devices specified by provided parameters. This is
*
* It is considered a partial match if an exception's range is found to
* contain *any* of the devices specified by provided parameters. This is
struct dev_exception_item *ex;
list_for_each_entry_rcu(ex, exceptions, list) {
struct dev_exception_item *ex;
list_for_each_entry_rcu(ex, exceptions, list) {
- if ((type & DEV_BLOCK) && !(ex->type & DEV_BLOCK))
+ if ((type & DEVCG_DEV_BLOCK) && !(ex->type & DEVCG_DEV_BLOCK))
- if ((type & DEV_CHAR) && !(ex->type & DEV_CHAR))
+ if ((type & DEVCG_DEV_CHAR) && !(ex->type & DEVCG_DEV_CHAR))
continue;
/*
* We must be sure that both the exception and the provided
continue;
/*
* We must be sure that both the exception and the provided
+ ex.type = DEVCG_DEV_BLOCK;
+ ex.type = DEVCG_DEV_CHAR;
break;
default:
return -EINVAL;
break;
default:
return -EINVAL;
for (b++, count = 0; count < 3; count++, b++) {
switch (*b) {
case 'r':
for (b++, count = 0; count < 3; count++, b++) {
switch (*b) {
case 'r':
+ ex.access |= DEVCG_ACC_READ;
- ex.access |= ACC_WRITE;
+ ex.access |= DEVCG_ACC_WRITE;
- ex.access |= ACC_MKNOD;
+ ex.access |= DEVCG_ACC_MKNOD;
break;
case '\n':
case '\0':
break;
case '\n':
case '\0':
* @type: device type
* @major: device major number
* @minor: device minor number
* @type: device type
* @major: device major number
* @minor: device minor number
- * @access: combination of ACC_WRITE, ACC_READ and ACC_MKNOD
+ * @access: combination of DEVCG_ACC_WRITE, DEVCG_ACC_READ and DEVCG_ACC_MKNOD
*
* returns 0 on success, -EPERM case the operation is not permitted
*/
*
* returns 0 on success, -EPERM case the operation is not permitted
*/
short type, access = 0;
if (S_ISBLK(inode->i_mode))
short type, access = 0;
if (S_ISBLK(inode->i_mode))
+ type = DEVCG_DEV_BLOCK;
if (S_ISCHR(inode->i_mode))
if (S_ISCHR(inode->i_mode))
+ access |= DEVCG_ACC_WRITE;
+ access |= DEVCG_ACC_READ;
return __devcgroup_check_permission(type, imajor(inode), iminor(inode),
access);
return __devcgroup_check_permission(type, imajor(inode), iminor(inode),
access);
return 0;
if (S_ISBLK(mode))
return 0;
if (S_ISBLK(mode))
+ type = DEVCG_DEV_BLOCK;
return __devcgroup_check_permission(type, MAJOR(dev), MINOR(dev),
return __devcgroup_check_permission(type, MAJOR(dev), MINOR(dev),