summaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
authorLinus Torvalds <torvalds@linux-foundation.org>2012-10-02 10:52:28 -0700
committerLinus Torvalds <torvalds@linux-foundation.org>2012-10-02 10:52:28 -0700
commit68d47a137c3bef754923bccf73fb639c9b0bbd5e (patch)
treee82a527bd978ee96283f03d0df36f47d9aee1e41 /security
parentc0e8a139a5bb8add02b4111e9e1957d810d7285e (diff)
parent8c7f6edbda01f1b1a2e60ad61f14fe38023e433b (diff)
downloadlinux-68d47a137c3bef754923bccf73fb639c9b0bbd5e.tar.bz2
Merge branch 'for-3.7-hierarchy' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup
Pull cgroup hierarchy update from Tejun Heo: "Currently, different cgroup subsystems handle nested cgroups completely differently. There's no consistency among subsystems and the behaviors often are outright broken. People at least seem to agree that the broken hierarhcy behaviors need to be weeded out if any progress is gonna be made on this front and that the fallouts from deprecating the broken behaviors should be acceptable especially given that the current behaviors don't make much sense when nested. This patch makes cgroup emit warning messages if cgroups for subsystems with broken hierarchy behavior are nested to prepare for fixing them in the future. This was put in a separate branch because more related changes were expected (didn't make it this round) and the memory cgroup wanted to pull in this and make changes on top." * 'for-3.7-hierarchy' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup: cgroup: mark subsystems with broken hierarchy support and whine if cgroups are nested for them
Diffstat (limited to 'security')
-rw-r--r--security/device_cgroup.c9
1 files changed, 9 insertions, 0 deletions
diff --git a/security/device_cgroup.c b/security/device_cgroup.c
index 442204cc22d9..4b877a92a7ea 100644
--- a/security/device_cgroup.c
+++ b/security/device_cgroup.c
@@ -457,6 +457,15 @@ struct cgroup_subsys devices_subsys = {
.destroy = devcgroup_destroy,
.subsys_id = devices_subsys_id,
.base_cftypes = dev_cgroup_files,
+
+ /*
+ * While devices cgroup has the rudimentary hierarchy support which
+ * checks the parent's restriction, it doesn't properly propagates
+ * config changes in ancestors to their descendents. A child
+ * should only be allowed to add more restrictions to the parent's
+ * configuration. Fix it and remove the following.
+ */
+ .broken_hierarchy = true,
};
int __devcgroup_inode_permission(struct inode *inode, int mask)