Received: by 2002:ac0:a594:0:0:0:0:0 with SMTP id m20-v6csp1988003imm; Tue, 22 May 2018 12:42:58 -0700 (PDT) X-Google-Smtp-Source: AB8JxZq3zJWgLrcG5SPsThO37d+9oEiQBXVd7fwll0aHoLhDQyfE7rD+3A1388a63HYMnmEahcgL X-Received: by 2002:a65:578b:: with SMTP id b11-v6mr6899800pgr.57.1527018178007; Tue, 22 May 2018 12:42:58 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1527018177; cv=none; d=google.com; s=arc-20160816; b=o2CbzDj59MAKT+Y274ibIJ3jT0R5f3ccbiEltHqJ8Rb/0OkzgYIkncW0BQ2tmtGLwd 3fMrarPbRXfHsLadnsoup7QrObh2iEiWe/Y4NEFv+SnP2nQevGNpCaLatVqbv4JZp9f+ 7uN6dxFpLEeJD0hfpMVjhbk4FenT6X9cPgnvFFpLktjgemiN8yCa1il4ncxA6WyWw1+J ekcfLcjPoq2ihh0G75qey9RoEtnKmfPYV7TaGtdas6apWWiZdluL2A9jNQaRZxiLHKyb qO0MFoBJ1Xjh2Gd4ZPi3lgVTGjkRDZqID/z9j3xpKa2IbUprWvAcEjcA+BlI62Mszqj6 Nq/A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:references:in-reply-to:references :in-reply-to:message-id:date:subject:cc:to:from :arc-authentication-results; bh=mbGGIZ5Ma/OW7cAbGMP2TpHwGyS6PxE+g0DvMD3qMkk=; b=dvy3bGKwcgm4B9XiKtIFrOpIK6ijhKZC0vX6WdgC/wCDCXUiYbvtBitgAJErFERh4I GSGl4OkO/4dZuWy3iLPvM6OMmXIrBrHtJ/NSfuK/dyFE01Xy6lPoGuMKlYQVjUzf820d B/ai3uJbLyxM/gjjM7syXjn8v4csxDOnNirDo/GGc/z/N61lmPaPhzAkIbroCUCfY8UB qZ1pAMGG05C7fR27JGsVzEnbmgPWylT4iZN7a934wUbL5sX8dd3kcKlbAT3GCrpAyB9L Q1Rx6pw0E/gjqowc11snV69bI1nk0XGOmsAl8N3vJhEA3mtIkHD5nKFs7iM1zUMXiZkq q1ZA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id a64-v6si17260659pla.530.2018.05.22.12.42.32; Tue, 22 May 2018 12:42:57 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753049AbeEVTkA (ORCPT + 99 others); Tue, 22 May 2018 15:40:00 -0400 Received: from mga07.intel.com ([134.134.136.100]:16706 "EHLO mga07.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752276AbeEVTcC (ORCPT ); Tue, 22 May 2018 15:32:02 -0400 X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from orsmga005.jf.intel.com ([10.7.209.41]) by orsmga105.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 22 May 2018 12:32:00 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.49,430,1520924400"; d="scan'208";a="226406386" Received: from rchatre-s.jf.intel.com ([10.54.70.76]) by orsmga005.jf.intel.com with ESMTP; 22 May 2018 12:32:00 -0700 From: Reinette Chatre To: tglx@linutronix.de, fenghua.yu@intel.com, tony.luck@intel.com, vikas.shivappa@linux.intel.com Cc: gavin.hindman@intel.com, jithu.joseph@intel.com, dave.hansen@intel.com, mingo@redhat.com, hpa@zytor.com, x86@kernel.org, linux-kernel@vger.kernel.org, Reinette Chatre Subject: [PATCH V4 17/38] x86/intel_rdt: Respect read and write access Date: Tue, 22 May 2018 04:29:05 -0700 Message-Id: X-Mailer: git-send-email 2.13.6 In-Reply-To: References: In-Reply-To: References: Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org By default, if the opener has CAP_DAC_OVERRIDE, a kernfs file can be opened regardless of RW permissions. Writing to a kernfs file will thus succeed even if permissions are 0000. We would like to restrict the actions that can be performed on a resource group from userspace based on the mode of the resource group. This restriction will be done through a modification of the file permissions. That is, for example, if a resource group is locked then the user cannot add tasks to the resource group. For this restriction through file permissions to work we have to ensure that the permissions are always respected. To do so the resctrl filesystem is created with the KERNFS_ROOT_EXTRA_OPEN_PERM_CHECK flag that will result in open(2) failing with -EACCESS regardless of CAP_DAC_OVERRIDE if the permission does not have the respective read or write access. Signed-off-by: Reinette Chatre --- arch/x86/kernel/cpu/intel_rdt_rdtgroup.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/arch/x86/kernel/cpu/intel_rdt_rdtgroup.c b/arch/x86/kernel/cpu/intel_rdt_rdtgroup.c index e6069822f592..7d623d940e49 100644 --- a/arch/x86/kernel/cpu/intel_rdt_rdtgroup.c +++ b/arch/x86/kernel/cpu/intel_rdt_rdtgroup.c @@ -2491,7 +2491,8 @@ static int __init rdtgroup_setup_root(void) int ret; rdt_root = kernfs_create_root(&rdtgroup_kf_syscall_ops, - KERNFS_ROOT_CREATE_DEACTIVATED, + KERNFS_ROOT_CREATE_DEACTIVATED | + KERNFS_ROOT_EXTRA_OPEN_PERM_CHECK, &rdtgroup_default); if (IS_ERR(rdt_root)) return PTR_ERR(rdt_root); -- 2.13.6