Subject: Re: [PATCH] device_cgroup: Cleanup cgroup eBPF device filter code
From: Daniel Borkmann
To: Roman Gushchin, Odin Ugedal
Cc: bpf@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, tj@kernel.org, Harish.Kasiviswanathan@amd.com, amd-gfx@lists.freedesktop.org
Date: Mon, 6 Apr 2020 22:30:49 +0200
Message-ID: <4264eb59-920e-20da-a256-23b6f0bbc95e@iogearbox.net>
References: <20200403175528.225990-1-odin@ugedal.com> <20200403223704.GA306670@carbon.dhcp.thefacebook.com>
In-Reply-To: <20200403223704.GA306670@carbon.dhcp.thefacebook.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On 4/4/20 12:37 AM, Roman Gushchin wrote:
> On Fri, Apr 03, 2020 at 07:55:28PM +0200, Odin Ugedal wrote:
>> Original cgroup v2 eBPF code for filtering device access made it
>> possible to compile with CONFIG_CGROUP_DEVICE=n and still use the eBPF
>> filtering. Change
>> commit 4b7d4d453fc4 ("device_cgroup: Export devcgroup_check_permission")
>> reverted this, making it required to set it to y.
>>
>> Since the device filtering (and all the docs) for cgroup v2 is no longer
>> a "device controller" like it was in v1, someone might compile their
>> kernel with CONFIG_CGROUP_DEVICE=n. Then (for linux 5.5+) the eBPF
>> filter will not be invoked, and all processes will be allowed access
>> to all devices, no matter what the eBPF filter says.
>>
>> Signed-off-by: Odin Ugedal
>
> The patch makes perfect sense to me.
>
> Acked-by: Roman Gushchin

Tejun, I presume you'll pick this up (given the files this fix touches)?

Thanks,
Daniel
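As an added example (not code from this thread or from the kernel patch), a small shell check that flags the configuration the commit message describes: a 5.5+ kernel built with CONFIG_CGROUP_DEVICE unset, where the cgroup v2 eBPF device filter is never invoked and every device access is allowed. The function name, the constructed sample configs and the CONFIG_CGROUP_BPF line are assumptions of the example; the 5.5 boundary is the one stated in the commit message.

```shell
#!/bin/sh
# Added example, not from the thread or the kernel patch.
# devcg_config_status CONFIG_FILE KVER
# Prints RISK (returns 1) when KVER is 5.5 or newer and CONFIG_CGROUP_DEVICE
# is not enabled in CONFIG_FILE: the shape the commit message describes,
# where the cgroup v2 eBPF device filter is never invoked and every device
# access is allowed. Prints OK (returns 0) otherwise; returns 2 on bad input.
devcg_config_status() {
    config="$1"; kver="$2"
    [ -r "$config" ] || return 2
    case "$kver" in *.*) ;; *) return 2 ;; esac
    major="${kver%%.*}"
    rest="${kver#*.}"
    minor="${rest%%[!0-9]*}"          # "10.0-rc1" -> "10"
    case "$major" in ""|*[!0-9]*) return 2 ;; esac
    case "$minor" in ""|*[!0-9]*) return 2 ;; esac
    # Kernels before 5.5 are not affected according to the commit message.
    if [ "$major" -lt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -lt 5 ]; }; then
        echo OK; return 0
    fi
    if grep -qx 'CONFIG_CGROUP_DEVICE=y' "$config"; then
        echo OK; return 0
    fi
    echo RISK; return 1
}

# Constructed sample configs (not real kernel configs), one per case.
RISKY_CONFIG="$(mktemp)"
SAFE_CONFIG="$(mktemp)"
printf '%s\n' 'CONFIG_BPF=y' 'CONFIG_CGROUP_BPF=y' \
    '# CONFIG_CGROUP_DEVICE is not set' > "$RISKY_CONFIG"
printf '%s\n' 'CONFIG_BPF=y' 'CONFIG_CGROUP_BPF=y' \
    'CONFIG_CGROUP_DEVICE=y' > "$SAFE_CONFIG"

# Demo runs (|| true keeps a RISK verdict from aborting under set -e).
devcg_config_status "$RISKY_CONFIG" 5.5.0 || true    # RISK
devcg_config_status "$RISKY_CONFIG" 4.19.0 || true   # OK: pre-5.5 kernel
devcg_config_status "$SAFE_CONFIG" 5.6.0-rc1 || true # OK
# On a real host: devcg_config_status "/boot/config-$(uname -r)" "$(uname -r)"
```

The check only reads the build configuration; whether a given tree already carries this patch (which restores filtering with CONFIG_CGROUP_DEVICE=n) is not something it can tell, so a RISK verdict means "verify", not "confirmed open".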