devices cgroup: allow mkfifo
The devcgroup_inode_permission() hook in the devices whitelist cgroup has
always bypassed access checks on fifos.  But the mknod hook did not.  The
devices whitelist is only about block and char devices, and fifos can't
even be added to the whitelist, so fifos can't be created at all except by
tasks which have 'a' in their whitelist (meaning they have access to all
devices).

Fix the behavior by bypassing access checks to mkfifo.

Signed-off-by: Serge E. Hallyn <[email protected]>
Cc: Li Zefan <[email protected]>
Cc: Pavel Emelyanov <[email protected]>
Cc: Paul Menage <[email protected]>
Cc: Lai Jiangshan <[email protected]>
Cc: KOSAKI Motohiro <[email protected]>
Cc: James Morris <[email protected]>
Reported-by: Daniel Lezcano <[email protected]>
Cc: <[email protected]>		[2.6.27.x]
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
Serge E. Hallyn authored and torvalds committed Jan 8, 2009
1 parent 116e057 commit 0b82ac3
Showing 1 changed file with 3 additions and 0 deletions.
3 changes: 3 additions & 0 deletions security/device_cgroup.c
Expand Up @@ -513,6 +513,9 @@ int devcgroup_inode_mknod(int mode, dev_t dev)
struct dev_cgroup *dev_cgroup;
struct dev_whitelist_item *wh;

if (!S_ISBLK(mode) && !S_ISCHR(mode))
return 0;

rcu_read_lock();

dev_cgroup = task_devcgroup(current);
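
Review bot: the new early return at the top of devcgroup_inode_mknod() (`if (!S_ISBLK(mode) && !S_ISCHR(mode)) return 0;`) has no comment, and it is broader than the subject line "allow mkfifo" suggests: it skips the whitelist lookup for every mode that is not a block or char device, not only fifos. That is consistent with the commit message's statement that the whitelist is only about block and char devices, but a one-line comment above the check saying so would stop a later reader from narrowing it to S_ISFIFO() or moving it below rcu_read_lock(), where an early return would also need an rcu_read_unlock().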