devscgroup: check for device permissions at mount time
authorPavel Emelyanov <xemul@openvz.org>
Fri, 6 Jun 2008 05:46:27 +0000 (22:46 -0700)
committerLinus Torvalds <torvalds@linux-foundation.org>
Fri, 6 Jun 2008 18:29:11 +0000 (11:29 -0700)
Currently even if a task sits in an all-denied cgroup it can still mount
any block device in any mode it wants.

Put a proper check in do_open for block device to prevent this.

Signed-off-by: Pavel Emelyanov <xemul@openvz.org>
Acked-by: Serge Hallyn <serue@us.ibm.com>
Tested-by: Serge Hallyn <serue@us.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
fs/block_dev.c

index 7d822fae7765b2bfdf0978e8ecf1296875073e85..470c10ceb0fb3a33dc8f28e7e8b2d3535042075b 100644 (file)
@@ -12,6 +12,7 @@
 #include <linux/kmod.h>
 #include <linux/major.h>
 #include <linux/smp_lock.h>
+#include <linux/device_cgroup.h>
 #include <linux/highmem.h>
 #include <linux/blkdev.h>
 #include <linux/module.h>
@@ -928,9 +929,14 @@ static int do_open(struct block_device *bdev, struct file *file, int for_part)
 {
        struct module *owner = NULL;
        struct gendisk *disk;
-       int ret = -ENXIO;
+       int ret;
        int part;
 
+       ret = devcgroup_inode_permission(bdev->bd_inode, file->f_mode);
+       if (ret != 0)
+               return ret;
+
+       ret = -ENXIO;
        file->f_mapping = bdev->bd_inode->i_mapping;
        lock_kernel();
        disk = get_gendisk(bdev->bd_dev, &part);
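Review bot: The mask passed to devcgroup_inode_permission() at the top of do_open is file->f_mode, which carries FMODE_* bits, while an inode-permission style helper would normally expect MAY_READ/MAY_WRITE. The helper's body is not visible here, so this should be confirmed, but if the two encodings do not line up, a read-only open could skip the read check and the cgroup restriction would be only partly enforced. Translating the mode explicitly before the call removes the dependence on the numeric values. Separately, the new early return is the only failure exit in the hunk, and the rest of do_open lies outside it. If the later error paths drop the block_device reference with bdput(), this path must do the same, otherwise each denied open leaks a reference.

```c
	int perm = 0;

	/* translate open mode into the permission mask the cgroup check tests */
	if (file->f_mode & FMODE_READ)
		perm |= MAY_READ;
	if (file->f_mode & FMODE_WRITE)
		perm |= MAY_WRITE;
	ret = devcgroup_inode_permission(bdev->bd_inode, perm);
	if (ret != 0) {
		/* assumes do_open owns the bdev reference on failure; confirm against the exits outside this hunk */
		bdput(bdev);
		return ret;
	}

	ret = -ENXIO;
	/* … unchanged: f_mapping assignment, lock_kernel(), get_gendisk() … */
```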