Received: by 2002:ac0:a5b6:0:0:0:0:0 with SMTP id m51-v6csp3807002imm; Tue, 29 May 2018 14:10:40 -0700 (PDT) X-Google-Smtp-Source: ADUXVKJxUBwQ8CLshEPIJQWcK7hmseLZs57zpUMYNG3+W3oWH4k/Exb6Wxrgzjcoiau9pJK+Tfm0 X-Received: by 2002:a62:a21e:: with SMTP id m30-v6mr15513pff.251.1527628240117; Tue, 29 May 2018 14:10:40 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1527628240; cv=none; d=google.com; s=arc-20160816; b=raLyFtiqqRoxp4yr2BkbbP4wRtMpOQTjCjtzowC4vkOj3HjrPcOLVbS89Z8LW5bQkS MLj5YXq4TZx9wuvKtQ/O5rxWUqf0psquHkkbqtAO0CSe/EFE0uQCCkANd995xZ2EYIXp IZ4csPHjmHUl218obLcSiZ0qyhvpKX74zIuilb++UyWqkctFOjARvdwQQ2RAi3baExmw xjFV3TMqMB9CYRyJmMhdo2Kt1RnbjEPLcaqkMBRQ3Or7MEdM7Nif3GHuxj5V4s3JDX9A xqsemA89omREYtg6Y0juM76NA5S53TT0VsYYDf/xoVJlgeH77Fk8iezbyTQDxNrosHNJ 0lYA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:references:in-reply-to:references :in-reply-to:message-id:date:subject:cc:to:from :arc-authentication-results; bh=DUq43G0bwkHxEtpURmkCHLUArtZBzu7osAhnkuW6NbQ=; b=NZN7QWLzRrKBFAQD3v5t/RsQsQmzsObVJK8m7bWMKtJm5p4IV2zNusKx9ugze9wiEc tx+/GdL/OY31zVDH5TVBBqPEHkE2FGknr/OeCeALoleLQ1U9g+3+4qDjXK1N5/q9zyAG 2a2MokZxUl1DDeE52hlMRUfy1vrFMvwZxwxt999fUfRQBEiw+AhgjHBmfTDGUnBbHDA1 75tu0tGIy1dSels9hL/IlQspFJISeHCIKxDB8GbTQ0N16Iv+9YFZV2InhfAJFdhS4Vyn FSHajrrI4d4bcE8oUv16FiHtA6LxqNp9NgaHl+MOvwxhLMTcMcDKGNCcj9m04WBkHhvB TsJg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id a16-v6si10555170pfk.350.2018.05.29.14.10.26; Tue, 29 May 2018 14:10:40 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S966689AbeE2VIS (ORCPT + 99 others); Tue, 29 May 2018 17:08:18 -0400 Received: from mga14.intel.com ([192.55.52.115]:46446 "EHLO mga14.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S937062AbeE2VA5 (ORCPT ); Tue, 29 May 2018 17:00:57 -0400 X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from orsmga001.jf.intel.com ([10.7.209.18]) by fmsmga103.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 29 May 2018 14:00:55 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.49,457,1520924400"; d="scan'208";a="60127718" Received: from rchatre-s.jf.intel.com ([10.54.70.76]) by orsmga001.jf.intel.com with ESMTP; 29 May 2018 14:00:54 -0700 From: Reinette Chatre To: tglx@linutronix.de, fenghua.yu@intel.com, tony.luck@intel.com, vikas.shivappa@linux.intel.com Cc: gavin.hindman@intel.com, jithu.joseph@intel.com, dave.hansen@intel.com, mingo@redhat.com, hpa@zytor.com, x86@kernel.org, linux-kernel@vger.kernel.org, Reinette Chatre Subject: [PATCH V5 17/38] x86/intel_rdt: Respect read and write access Date: Tue, 29 May 2018 05:57:42 -0700 Message-Id: X-Mailer: git-send-email 2.13.6 In-Reply-To: References: In-Reply-To: References: Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org By default, if the opener has CAP_DAC_OVERRIDE, a kernfs file can be opened regardless of RW permissions. Writing to a kernfs file will thus succeed even if permissions are 0000. We would like to restrict the actions that can be performed on a resource group from userspace based on the mode of the resource group. This restriction will be done through a modification of the file permissions. That is, for example, if a resource group is locked then the user cannot add tasks to the resource group. For this restriction through file permissions to work we have to ensure that the permissions are always respected. To do so the resctrl filesystem is created with the KERNFS_ROOT_EXTRA_OPEN_PERM_CHECK flag that will result in open(2) failing with -EACCESS regardless of CAP_DAC_OVERRIDE if the permission does not have the respective read or write access. Signed-off-by: Reinette Chatre --- arch/x86/kernel/cpu/intel_rdt_rdtgroup.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/arch/x86/kernel/cpu/intel_rdt_rdtgroup.c b/arch/x86/kernel/cpu/intel_rdt_rdtgroup.c index 7ff5f4be2e16..83379982f26a 100644 --- a/arch/x86/kernel/cpu/intel_rdt_rdtgroup.c +++ b/arch/x86/kernel/cpu/intel_rdt_rdtgroup.c @@ -2491,7 +2491,8 @@ static int __init rdtgroup_setup_root(void) int ret; rdt_root = kernfs_create_root(&rdtgroup_kf_syscall_ops, - KERNFS_ROOT_CREATE_DEACTIVATED, + KERNFS_ROOT_CREATE_DEACTIVATED | + KERNFS_ROOT_EXTRA_OPEN_PERM_CHECK, &rdtgroup_default); if (IS_ERR(rdt_root)) return PTR_ERR(rdt_root); -- 2.13.6