[PATCH v2 3/4] device_cgroup: Export devcgroup_check_permission
Roman Gushchin
guro at fb.com
Fri May 17 17:06:35 UTC 2019
On Fri, May 17, 2019 at 04:15:06PM +0000, Kasiviswanathan, Harish wrote:
> For AMD compute (amdkfd) driver.
>
> All AMD compute devices are exported via single device node /dev/kfd. As
> a result devices cannot be controlled individually using device cgroup.
>
> AMD compute devices will rely on its graphics counterpart that exposes
> /dev/dri/renderN node for each device. For each task (based on its
> cgroup), KFD driver will check if /dev/dri/renderN node is accessible
> before exposing it.
>
> Change-Id: I1b9705b2c30622a27655f4f878980fa138dbf373
> Signed-off-by: Harish Kasiviswanathan <Harish.Kasiviswanathan at amd.com>
> ---
> include/linux/device_cgroup.h | 19 ++++---------------
> security/device_cgroup.c | 15 +++++++++++++--
> 2 files changed, 17 insertions(+), 17 deletions(-)
>
> diff --git a/include/linux/device_cgroup.h b/include/linux/device_cgroup.h
> index 8557efe096dc..bd19897bd582 100644
> --- a/include/linux/device_cgroup.h
> +++ b/include/linux/device_cgroup.h
> @@ -12,26 +12,15 @@
> #define DEVCG_DEV_ALL 4 /* this represents all devices */
>
> #ifdef CONFIG_CGROUP_DEVICE
> -extern int __devcgroup_check_permission(short type, u32 major, u32 minor,
> - short access);
> +extern int devcgroup_check_permission(short type, u32 major, u32 minor,
> + short access);
> #else
> -static inline int __devcgroup_check_permission(short type, u32 major, u32 minor,
> - short access)
> +static inline int devcgroup_check_permission(short type, u32 major, u32 minor,
> + short access)
> { return 0; }
> #endif
>
> #if defined(CONFIG_CGROUP_DEVICE) || defined(CONFIG_CGROUP_BPF)
> -static inline int devcgroup_check_permission(short type, u32 major, u32 minor,
> - short access)
> -{
> - int rc = BPF_CGROUP_RUN_PROG_DEVICE_CGROUP(type, major, minor, access);
> -
> - if (rc)
> - return -EPERM;
> -
> - return __devcgroup_check_permission(type, major, minor, access);
> -}
> -
> static inline int devcgroup_inode_permission(struct inode *inode, int mask)
> {
> short type, access = 0;
> diff --git a/security/device_cgroup.c b/security/device_cgroup.c
> index cd97929fac66..3c57e05bf73b 100644
> --- a/security/device_cgroup.c
> +++ b/security/device_cgroup.c
> @@ -801,8 +801,8 @@ struct cgroup_subsys devices_cgrp_subsys = {
> *
> * returns 0 on success, -EPERM case the operation is not permitted
> */
> -int __devcgroup_check_permission(short type, u32 major, u32 minor,
> - short access)
> +static int __devcgroup_check_permission(short type, u32 major, u32 minor,
> + short access)
> {
> struct dev_cgroup *dev_cgroup;
> bool rc;
> @@ -824,3 +824,14 @@ int __devcgroup_check_permission(short type, u32 major, u32 minor,
>
> return 0;
> }
> +
> +int devcgroup_check_permission(short type, u32 major, u32 minor, short access)
> +{
> + int rc = BPF_CGROUP_RUN_PROG_DEVICE_CGROUP(type, major, minor, access);
> +
> + if (rc)
> + return -EPERM;
> +
> + return __devcgroup_check_permission(type, major, minor, access);
> +}
> +EXPORT_SYMBOL(devcgroup_check_permission);
Perfect, now looks good to me!
Please, feel free to use my acks for patches 3 and 4:
Acked-by: Roman Gushchin <guro at fb.com>
Thanks!
More information about the amd-gfx
mailing list