[Intel-gfx] [PATCH v3 3/6] cgroup: Introduce cgroup_permission()
Matt Roper
matthew.d.roper at intel.com
Tue Mar 6 23:46:57 UTC 2018
Non-controller kernel subsystems may base access restrictions for
cgroup-related syscalls/ioctls on a process' access to the cgroup.
Let's make it easy for other parts of the kernel to check these cgroup
permissions.
Cc: Tejun Heo <tj at kernel.org>
Cc: cgroups at vger.kernel.org
Signed-off-by: Matt Roper <matthew.d.roper at intel.com>
---
include/linux/cgroup.h | 1 +
kernel/cgroup/cgroup.c | 42 ++++++++++++++++++++++++++++++++++++++++++
2 files changed, 43 insertions(+)
diff --git a/include/linux/cgroup.h b/include/linux/cgroup.h
index b1ea2064f247..dd1d1d9813e8 100644
--- a/include/linux/cgroup.h
+++ b/include/linux/cgroup.h
@@ -100,6 +100,7 @@ struct cgroup_subsys_state *css_tryget_online_from_dir(struct dentry *dentry,
struct cgroup *cgroup_get_from_path(const char *path);
struct cgroup *cgroup_get_from_fd(int fd);
+int cgroup_permission(int fd, int mask);
int cgroup_attach_task_all(struct task_struct *from, struct task_struct *);
int cgroup_transfer_tasks(struct cgroup *to, struct cgroup *from);
diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c
index 9e576dc8b566..52d68b226867 100644
--- a/kernel/cgroup/cgroup.c
+++ b/kernel/cgroup/cgroup.c
@@ -5781,6 +5781,48 @@ struct cgroup *cgroup_get_from_fd(int fd)
}
EXPORT_SYMBOL_GPL(cgroup_get_from_fd);
+/**
+ * cgroup_permission - check cgroup fd permissions
+ * @fd: fd obtained by open(cgroup)
+ * @mask: Right to check for (%MAY_READ, %MAY_WRITE, %MAY_EXEC)
+ *
+ * Check for read/write/execute permissions on a cgroup.
+ */
+int cgroup_permission(int fd, int mask)
+{
+ struct file *f;
+ struct inode *inode;
+ struct cgroup_subsys_state *css;
+ int ret;
+
+ f = fget_raw(fd);
+ if (!f)
+ return -EBADF;
+
+ css = css_tryget_online_from_dir(f->f_path.dentry, NULL);
+ if (IS_ERR(css)) {
+ ret = PTR_ERR(css);
+ goto out_file;
+ }
+
+ inode = kernfs_get_inode(f->f_path.dentry->d_sb, css->cgroup->kn);
+ if (!inode) {
+ ret = -ENOMEM;
+ goto out_cgroup;
+ }
+
+ ret = inode_permission(inode, mask);
+ iput(inode);
+
+out_cgroup:
+ cgroup_put(css->cgroup);
+out_file:
+ fput(f);
+
+ return ret;
+}
+EXPORT_SYMBOL_GPL(cgroup_permission);
+
/*
* sock->sk_cgrp_data handling. For more info, see sock_cgroup_data
* definition in cgroup-defs.h.
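Review bot: The result of cgroup_permission() is not tied to anything the caller still holds, because the function resolves `fd` itself with `fget_raw()` and drops both the cgroup and the file reference at `out_cgroup:`/`out_file:` before returning. Callers are not visible in this patch, but one that looks the same descriptor up a second time to obtain the cgroup would check and use on two separate lookups, and the descriptor may name a different cgroup directory by then if the fd table is shared. Consider having the helper take an already-referenced `struct cgroup *`, or return the reference it checked, so both steps act on one object. At minimum the kernel-doc should state the contract, e.g. `* Return: 0 if the calling task may access the cgroup with @mask, negative errno otherwise; the answer is a snapshot and @fd must not be re-resolved to act on it.` It is also worth documenting that the check uses the calling task's credentials rather than the mode the descriptor was opened with, since `fget_raw()` also accepts O_PATH descriptors.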
--
2.14.3