diff options
| author | Amit Pundir <amit.pundir@linaro.org> | 2016-02-18 00:20:12 +0530 |
|---|---|---|
| committer | Amit Pundir <amit.pundir@linaro.org> | 2016-02-18 00:20:12 +0530 |
| commit | 02bbd06e489a9f56910973535152d3ec47f3fdcc (patch) | |
| tree | 93a9a4d687da4d423c92cc4a82001f3792c0b259 /kernel/cgroup.c | |
| parent | 34f6d2c9d12a97271d55c7b204443b2da9e6c29e (diff) | |
| parent | 3d0f8b944b0ab4ec79d8d0b93d8038971095337a (diff) | |
Merge branch 'android-4.4' of https://android.googlesource.com/kernel/common
* android-4.4: (475 commits)
android: base-cfg: Add CONFIG_IP_MULTICAST
android: recommended.cfg: enable taskstats
ANDROID: android: base-cfg: disable CONFIG_SYSVIPC
android: configs: base: enable configfs gadget functions
android: add CONFIG_DEBUG_RODATA to recommended config
android: configs: remove CONFIG_BATTERY_ANDROID=y
android: configs: base: enable IPV6
android: configs: Enable SELinux and its dependencies.
android: base-cfg: disable ALARM_DEV
android: base-cfg: turn off /dev/mem and /dev/kmem
android: base-cfg: enable ARMV8_DEPRECATED and subfeatures
android: base-cfg: enforce the needed XFRM_MODE_TUNNEL (for VPN)
android: base-cfg: disable LOGGER
android: base-cfg: enable DM_VERITY (used for secureboot)
android: configs: add systrace support to recommended configs
android: configs: update 3.10 options
android: configs: Add CONFIG_NETFILTER_XT_TARGET_IDLETIMER
android: configs: add IPV6 ROUTE INFO
android: configs: add TIMER_STATS back, helps with sysrq t.
android: configs: Add HIDRAW to recommended set
...
Diffstat (limited to 'kernel/cgroup.c')
| -rw-r--r-- | kernel/cgroup.c | 59 |
1 files changed, 57 insertions, 2 deletions
diff --git a/kernel/cgroup.c b/kernel/cgroup.c index 470f6536b9e8..a57b7c86871c 100644 --- a/kernel/cgroup.c +++ b/kernel/cgroup.c @@ -2663,6 +2663,45 @@ static int cgroup_attach_task(struct cgroup *dst_cgrp, return ret; } +int subsys_cgroup_allow_attach(struct cgroup_taskset *tset) +{ + const struct cred *cred = current_cred(), *tcred; + struct task_struct *task; + struct cgroup_subsys_state *css; + + if (capable(CAP_SYS_NICE)) + return 0; + + cgroup_taskset_for_each(task, css, tset) { + tcred = __task_cred(task); + + if (current != task && !uid_eq(cred->euid, tcred->uid) && + !uid_eq(cred->euid, tcred->suid)) + return -EACCES; + } + + return 0; +} + +static int cgroup_allow_attach(struct cgroup *cgrp, struct cgroup_taskset *tset) +{ + struct cgroup_subsys_state *css; + int i; + int ret; + + for_each_css(css, i, cgrp) { + if (css->ss->allow_attach) { + ret = css->ss->allow_attach(tset); + if (ret) + return ret; + } else { + return -EACCES; + } + } + + return 0; +} + static int cgroup_procs_write_permission(struct task_struct *task, struct cgroup *dst_cgrp, struct kernfs_open_file *of) @@ -2677,8 +2716,24 @@ static int cgroup_procs_write_permission(struct task_struct *task, */ if (!uid_eq(cred->euid, GLOBAL_ROOT_UID) && !uid_eq(cred->euid, tcred->uid) && - !uid_eq(cred->euid, tcred->suid)) - ret = -EACCES; + !uid_eq(cred->euid, tcred->suid)) { + /* + * if the default permission check fails, give each + * cgroup a chance to extend the permission check + */ + struct cgroup_taskset tset = { + .src_csets = LIST_HEAD_INIT(tset.src_csets), + .dst_csets = LIST_HEAD_INIT(tset.dst_csets), + .csets = &tset.src_csets, + }; + struct css_set *cset; + cset = task_css_set(task); + list_add(&cset->mg_node, &tset.src_csets); + ret = cgroup_allow_attach(dst_cgrp, &tset); + list_del(&tset.src_csets); + if (ret) + ret = -EACCES; + } if (!ret && cgroup_on_dfl(dst_cgrp)) { struct super_block *sb = of->file->f_path.dentry->d_sb; |