devcgroup: fix permission check when adding entry to child cgroup

Li Zefan · torvalds · commit ec229e830060 · 2008-07-13T12:51:18.000-07:00
# cat devices.list
 c 1:3 r
 # echo 'c 1:3 w' &gt; sub/devices.allow
 # cat sub/devices.list
 c 1:3 w

As illustrated, the parent group has no write permission to /dev/null, so
it's child should not be allowed to add this write permission.

Signed-off-by: Li Zefan &lt;lizf@cn.fujitsu.com&gt;
Acked-by: Serge Hallyn &lt;serue@us.ibm.com&gt;
Cc: Serge Hallyn &lt;serue@us.ibm.com&gt;
Cc: Paul Menage &lt;menage@google.com&gt;
Cc: Pavel Emelyanov &lt;xemul@openvz.org&gt;
Signed-off-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
diff --git a/security/device_cgroup.c b/security/device_cgroup.c
@@ -300,7 +300,7 @@ static int may_access_whitelist(struct dev_cgroup *c,
 			continue;
 		if (whitem->minor != ~0 && whitem->minor != refwh->minor)
 			continue;
-		if (refwh->access & (~(whitem->access | ACC_MASK)))
+		if (refwh->access & (~whitem->access))
 			continue;
 		return 1;
 	}

Original file line number	Diff line number	Diff line change
`@@ -300,7 +300,7 @@ static int may_access_whitelist(struct dev_cgroup *c,`
`300`	`300`	`continue;`
`301`	`301`	`if (whitem->minor != ~0 && whitem->minor != refwh->minor)`
`302`	`302`	`continue;`
`303`		`- if (refwh->access & (~(whitem->access \| ACC_MASK)))`
	`303`	`+ if (refwh->access & (~whitem->access))`
`304`	`304`	`continue;`
`305`	`305`	`return 1;`
`306`	`306`	`}`