[PATCH v2 3/4] device_cgroup: Export devcgroup_check_permission
Kasiviswanathan, Harish
Harish.Kasiviswanathan at amd.com
Mon Sep 16 18:05:56 UTC 2019
For AMD compute (amdkfd) driver.
All AMD compute devices are exported via single device node /dev/kfd. As
a result devices cannot be controlled individually using device cgroup.
AMD compute devices will rely on its graphics counterpart that exposes
/dev/dri/renderN node for each device. For each task (based on its
cgroup), KFD driver will check if /dev/dri/renderN node is accessible
before exposing it.
Change-Id: I9ae283df550b2c122d67870b0cfa316bfbf3b614
Acked-by: Felix Kuehling <Felix.Kuehling at amd.com>
Acked-by: Tejun Heo <tj at kernel.org>
Acked-by: Roman Gushchin <guro at fb.com>
Signed-off-by: Harish Kasiviswanathan <Harish.Kasiviswanathan at amd.com>
---
include/linux/device_cgroup.h | 19 ++++---------------
security/device_cgroup.c | 15 +++++++++++++--
2 files changed, 17 insertions(+), 17 deletions(-)
diff --git a/include/linux/device_cgroup.h b/include/linux/device_cgroup.h
index 8557efe096dc..fa35b52e0002 100644
--- a/include/linux/device_cgroup.h
+++ b/include/linux/device_cgroup.h
@@ -12,26 +12,15 @@
#define DEVCG_DEV_ALL 4 /* this represents all devices */
#ifdef CONFIG_CGROUP_DEVICE
-extern int __devcgroup_check_permission(short type, u32 major, u32 minor,
- short access);
+int devcgroup_check_permission(short type, u32 major, u32 minor,
+ short access);
#else
-static inline int __devcgroup_check_permission(short type, u32 major, u32 minor,
- short access)
+static inline int devcgroup_check_permission(short type, u32 major, u32 minor,
+ short access)
{ return 0; }
#endif
#if defined(CONFIG_CGROUP_DEVICE) || defined(CONFIG_CGROUP_BPF)
-static inline int devcgroup_check_permission(short type, u32 major, u32 minor,
- short access)
-{
- int rc = BPF_CGROUP_RUN_PROG_DEVICE_CGROUP(type, major, minor, access);
-
- if (rc)
- return -EPERM;
-
- return __devcgroup_check_permission(type, major, minor, access);
-}
-
static inline int devcgroup_inode_permission(struct inode *inode, int mask)
{
short type, access = 0;
diff --git a/security/device_cgroup.c b/security/device_cgroup.c
index dc28914fa72e..04dd29bf7f06 100644
--- a/security/device_cgroup.c
+++ b/security/device_cgroup.c
@@ -801,8 +801,8 @@ struct cgroup_subsys devices_cgrp_subsys = {
*
* returns 0 on success, -EPERM case the operation is not permitted
*/
-int __devcgroup_check_permission(short type, u32 major, u32 minor,
- short access)
+static int __devcgroup_check_permission(short type, u32 major, u32 minor,
+ short access)
{
struct dev_cgroup *dev_cgroup;
bool rc;
@@ -824,3 +824,14 @@ int __devcgroup_check_permission(short type, u32 major, u32 minor,
return 0;
}
+
+int devcgroup_check_permission(short type, u32 major, u32 minor, short access)
+{
+ int rc = BPF_CGROUP_RUN_PROG_DEVICE_CGROUP(type, major, minor, access);
+
+ if (rc)
+ return -EPERM;
+
+ return __devcgroup_check_permission(type, major, minor, access);
+}
+EXPORT_SYMBOL(devcgroup_check_permission);
--
2.17.1
More information about the amd-gfx
mailing list