Received: by 10.192.165.148 with SMTP id m20csp1032870imm; Wed, 25 Apr 2018 11:27:30 -0700 (PDT) X-Google-Smtp-Source: AIpwx4/wkGGm4T1+PJz87k3JieMbVEEOKVQA/c67d4Z4cCav3eCQfWtdH7vTH2zEN7EkSXD01L3k X-Received: by 10.99.115.28 with SMTP id o28mr24472002pgc.238.1524680850035; Wed, 25 Apr 2018 11:27:30 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1524680849; cv=none; d=google.com; s=arc-20160816; b=PsZQqUnRjihNIpH2E1eG7zd1FF44j3kCkefreX6WzimsqYKeEEdeqUjd2qUfJqoCYZ QG/PTKdflEPKD4GuuO/F7NntlwaND3X2pNwsZa0m1eCnexfH5K4gcusNSe0rrng6F0Sb LyHzLSvNzqkMMnn9xgyFMFqK9wSxWLcCr3/n011OTiHJo3OxFTK256YI+EwbShSQxgPJ TAoy2i1GhoeBShbICc4KNSeLql/q4H1ro0EYDHFEc1VLFwAPC+5q3+PDWTcG8h4Ynd95 5TidRWh/ZbioEIvbJpg6E7hA1wpayzhX9VEvkyjzULqSb669pn9N4wFCsm9am28pvm0K 3mfg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:references:in-reply-to:references :in-reply-to:message-id:date:subject:cc:to:from :arc-authentication-results; bh=nQxkLWZzkSDJikZA0ShM6uf/AKJMv92407GzDrFveqY=; b=JlExNqlEwyhQ2F3TdcyANluG4gnY/iLZl57yVv0L8ae4VFu0AVxuXxrVBpDhupideq X4eYndkOBwZkdR2G8EP3MGfd8QS951K+/uZOturKDP7lWdBXnmzxHmkDXvdvNYmcHrMC k61m0xAxcQS6qrSOjzUSL3lgr5uun9CGYEOSm87CebloRzqun/hGuBs6tMzfm1V+G4St ZNXI8UKsi3t6HFGai0TG0va5s2FVa/9IVcuwR9ZYPE1r3AZKXJ+5idw9MIueUe668x5x lBj8uI6KnR3gZyGw1qbFxMFbWSIkCjAvbo2YznV9L5RX7D1yJY89iNw3IWQebCHGPV9J 2NLw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id k3-v6si17760947plt.233.2018.04.25.11.27.15; Wed, 25 Apr 2018 11:27:29 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1756367AbeDYSZZ (ORCPT + 99 others); Wed, 25 Apr 2018 14:25:25 -0400 Received: from mga02.intel.com ([134.134.136.20]:41709 "EHLO mga02.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932136AbeDYSMl (ORCPT ); Wed, 25 Apr 2018 14:12:41 -0400 X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga008.fm.intel.com ([10.253.24.58]) by orsmga101.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 25 Apr 2018 11:12:41 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.49,327,1520924400"; d="scan'208";a="35243686" Received: from rchatre-s.jf.intel.com ([10.54.70.76]) by fmsmga008.fm.intel.com with ESMTP; 25 Apr 2018 11:12:40 -0700 From: Reinette Chatre To: tglx@linutronix.de, fenghua.yu@intel.com, tony.luck@intel.com, vikas.shivappa@linux.intel.com Cc: gavin.hindman@intel.com, jithu.joseph@intel.com, dave.hansen@intel.com, mingo@redhat.com, hpa@zytor.com, x86@kernel.org, linux-kernel@vger.kernel.org, Reinette Chatre Subject: [PATCH V3 17/39] x86/intel_rdt: Respect read and write access Date: Wed, 25 Apr 2018 03:09:53 -0700 Message-Id: <45ac48e7b8eab515586bc6906cb66eb8336eb1bc.1524649902.git.reinette.chatre@intel.com> X-Mailer: git-send-email 2.13.6 In-Reply-To: References: In-Reply-To: References: Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org By default, if the opener has CAP_DAC_OVERRIDE, a kernfs file can be opened regardless of RW permissions. Writing to a kernfs file will thus succeed even if permissions are 0000. We would like to restrict the actions that can be performed on a resource group from userspace based on the mode of the resource group. This restriction will be done through a modification of the file permissions. That is, for example, if a resource group is locked then the user cannot add tasks to the resource group. For this restriction through file permissions to work we have to ensure that the permissions are always respected. To do so the resctrl filesystem is created with the KERNFS_ROOT_EXTRA_OPEN_PERM_CHECK flag that will result in open(2) failing with -EACCESS regardless of CAP_DAC_OVERRIDE if the permission does not have the respective read or write access. Signed-off-by: Reinette Chatre --- arch/x86/kernel/cpu/intel_rdt_rdtgroup.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/arch/x86/kernel/cpu/intel_rdt_rdtgroup.c b/arch/x86/kernel/cpu/intel_rdt_rdtgroup.c index 595a40ec69d2..541103a2dea0 100644 --- a/arch/x86/kernel/cpu/intel_rdt_rdtgroup.c +++ b/arch/x86/kernel/cpu/intel_rdt_rdtgroup.c @@ -2457,7 +2457,8 @@ static int __init rdtgroup_setup_root(void) int ret; rdt_root = kernfs_create_root(&rdtgroup_kf_syscall_ops, - KERNFS_ROOT_CREATE_DEACTIVATED, + KERNFS_ROOT_CREATE_DEACTIVATED | + KERNFS_ROOT_EXTRA_OPEN_PERM_CHECK, &rdtgroup_default); if (IS_ERR(rdt_root)) return PTR_ERR(rdt_root); -- 2.13.6