# cat devices.list
c 1:3 r
# echo 'c 1:3 w' > sub/devices.allow
# cat sub/devices.list
c 1:3 w
As illustrated, the parent group has no write permission to /dev/null,
so its child should not be allowed to add this write permission,
which is documented in Documentation/controllers/devices.txt.
Signed-off-by: Li Zefan <[email protected]>
---
security/device_cgroup.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/security/device_cgroup.c b/security/device_cgroup.c
index 1e2e28a..ddd92ce 100644
--- a/security/device_cgroup.c
+++ b/security/device_cgroup.c
@@ -300,7 +300,7 @@ static int may_access_whitelist(struct dev_cgroup *c,
continue;
if (whitem->minor != ~0 && whitem->minor != refwh->minor)
continue;
- if (refwh->access & (~(whitem->access | ACC_MASK)))
+ if (refwh->access & (~whitem->access))
continue;
return 1;
}
--
1.5.4.rc3
Quoting Li Zefan ([email protected]):
> # cat devices.list
> c 1:3 r
> # echo 'c 1:3 w' > sub/devices.allow
> # cat sub/devices.list
> c 1:3 w
>
> As illustrated, the parent group has no write permission to /dev/null,
> so its child should not be allowed to add this write permission,
> which is documented in Documentation/controllers/devices.txt.
>
> Signed-off-by: Li Zefan <[email protected]>
I have no idea where that came from (but see that it was in my original
submission). Maybe I meant to do &, but that still isn't necessary.
Acked-by: Serge Hallyn <[email protected]>
thanks,
-serge
> ---
> security/device_cgroup.c | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/security/device_cgroup.c b/security/device_cgroup.c
> index 1e2e28a..ddd92ce 100644
> --- a/security/device_cgroup.c
> +++ b/security/device_cgroup.c
> @@ -300,7 +300,7 @@ static int may_access_whitelist(struct dev_cgroup *c,
> continue;
> if (whitem->minor != ~0 && whitem->minor != refwh->minor)
> continue;
> - if (refwh->access & (~(whitem->access | ACC_MASK)))
> + if (refwh->access & (~whitem->access))
> continue;
> return 1;
> }
> --
> 1.5.4.rc3