device_cgroup.c 17.5 KB
Newer Older
1
/*
2
 * device_cgroup.c - device cgroup subsystem
3 4 5 6 7 8 9 10 11
 *
 * Copyright 2007 IBM Corp
 */

#include <linux/device_cgroup.h>
#include <linux/cgroup.h>
#include <linux/ctype.h>
#include <linux/list.h>
#include <linux/uaccess.h>
12
#include <linux/seq_file.h>
13
#include <linux/slab.h>
14
#include <linux/rcupdate.h>
15
#include <linux/mutex.h>
16 17 18 19 20 21 22 23 24 25

#define ACC_MKNOD 1
#define ACC_READ  2
#define ACC_WRITE 4
#define ACC_MASK (ACC_MKNOD | ACC_READ | ACC_WRITE)

#define DEV_BLOCK 1
#define DEV_CHAR  2
#define DEV_ALL   4  /* this represents all devices */

26 27
static DEFINE_MUTEX(devcgroup_mutex);

28 29 30 31 32 33
enum devcg_behavior {
	DEVCG_DEFAULT_NONE,
	DEVCG_DEFAULT_ALLOW,
	DEVCG_DEFAULT_DENY,
};

34
/*
35
 * exception list locking rules:
36
 * hold devcgroup_mutex for update/read.
37
 * hold rcu_read_lock() for read.
38 39
 */

40
struct dev_exception_item {
41 42 43 44
	u32 major, minor;
	short type;
	short access;
	struct list_head list;
45
	struct rcu_head rcu;
46 47 48 49
};

struct dev_cgroup {
	struct cgroup_subsys_state css;
50
	struct list_head exceptions;
51
	enum devcg_behavior behavior;
52 53
};

54 55
static inline struct dev_cgroup *css_to_devcgroup(struct cgroup_subsys_state *s)
{
56
	return s ? container_of(s, struct dev_cgroup, css) : NULL;
57 58
}

59 60
static inline struct dev_cgroup *task_devcgroup(struct task_struct *task)
{
61
	return css_to_devcgroup(task_css(task, devices_cgrp_id));
62 63
}

64
/*
65
 * called under devcgroup_mutex
66
 */
67
static int dev_exceptions_copy(struct list_head *dest, struct list_head *orig)
68
{
69
	struct dev_exception_item *ex, *tmp, *new;
70

71 72
	lockdep_assert_held(&devcgroup_mutex);

73 74
	list_for_each_entry(ex, orig, list) {
		new = kmemdup(ex, sizeof(*ex), GFP_KERNEL);
75 76 77 78 79 80 81 82
		if (!new)
			goto free_and_exit;
		list_add_tail(&new->list, dest);
	}

	return 0;

free_and_exit:
83 84 85
	list_for_each_entry_safe(ex, tmp, dest, list) {
		list_del(&ex->list);
		kfree(ex);
86 87 88 89 90
	}
	return -ENOMEM;
}

/*
91
 * called under devcgroup_mutex
92
 */
93 94
static int dev_exception_add(struct dev_cgroup *dev_cgroup,
			     struct dev_exception_item *ex)
95
{
96
	struct dev_exception_item *excopy, *walk;
97

98 99
	lockdep_assert_held(&devcgroup_mutex);

100 101
	excopy = kmemdup(ex, sizeof(*ex), GFP_KERNEL);
	if (!excopy)
102 103
		return -ENOMEM;

104 105
	list_for_each_entry(walk, &dev_cgroup->exceptions, list) {
		if (walk->type != ex->type)
106
			continue;
107
		if (walk->major != ex->major)
108
			continue;
109
		if (walk->minor != ex->minor)
110 111
			continue;

112 113 114
		walk->access |= ex->access;
		kfree(excopy);
		excopy = NULL;
115 116
	}

117 118
	if (excopy != NULL)
		list_add_tail_rcu(&excopy->list, &dev_cgroup->exceptions);
119 120 121 122
	return 0;
}

/*
123
 * called under devcgroup_mutex
124
 */
125 126
static void dev_exception_rm(struct dev_cgroup *dev_cgroup,
			     struct dev_exception_item *ex)
127
{
128
	struct dev_exception_item *walk, *tmp;
129

130 131
	lockdep_assert_held(&devcgroup_mutex);

132 133
	list_for_each_entry_safe(walk, tmp, &dev_cgroup->exceptions, list) {
		if (walk->type != ex->type)
134
			continue;
135
		if (walk->major != ex->major)
136
			continue;
137
		if (walk->minor != ex->minor)
138 139
			continue;

140
		walk->access &= ~ex->access;
141
		if (!walk->access) {
142
			list_del_rcu(&walk->list);
143
			kfree_rcu(walk, rcu);
144 145 146 147
		}
	}
}

148 149 150 151 152 153 154 155 156 157
static void __dev_exception_clean(struct dev_cgroup *dev_cgroup)
{
	struct dev_exception_item *ex, *tmp;

	list_for_each_entry_safe(ex, tmp, &dev_cgroup->exceptions, list) {
		list_del_rcu(&ex->list);
		kfree_rcu(ex, rcu);
	}
}

158
/**
159 160
 * dev_exception_clean - frees all entries of the exception list
 * @dev_cgroup: dev_cgroup with the exception list to be cleaned
161 162 163
 *
 * called under devcgroup_mutex
 */
164
static void dev_exception_clean(struct dev_cgroup *dev_cgroup)
165
{
166 167
	lockdep_assert_held(&devcgroup_mutex);

168
	__dev_exception_clean(dev_cgroup);
169 170
}

171 172 173 174 175
static inline bool is_devcg_online(const struct dev_cgroup *devcg)
{
	return (devcg->behavior != DEVCG_DEFAULT_NONE);
}

176 177 178
/**
 * devcgroup_online - initializes devcgroup's behavior and exceptions based on
 * 		      parent's
179
 * @css: css getting online
180 181
 * returns 0 in case of success, error code otherwise
 */
182
static int devcgroup_online(struct cgroup_subsys_state *css)
183
{
184 185
	struct dev_cgroup *dev_cgroup = css_to_devcgroup(css);
	struct dev_cgroup *parent_dev_cgroup = css_to_devcgroup(css_parent(css));
186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202
	int ret = 0;

	mutex_lock(&devcgroup_mutex);

	if (parent_dev_cgroup == NULL)
		dev_cgroup->behavior = DEVCG_DEFAULT_ALLOW;
	else {
		ret = dev_exceptions_copy(&dev_cgroup->exceptions,
					  &parent_dev_cgroup->exceptions);
		if (!ret)
			dev_cgroup->behavior = parent_dev_cgroup->behavior;
	}
	mutex_unlock(&devcgroup_mutex);

	return ret;
}

203
static void devcgroup_offline(struct cgroup_subsys_state *css)
204
{
205
	struct dev_cgroup *dev_cgroup = css_to_devcgroup(css);
206 207 208 209 210 211

	mutex_lock(&devcgroup_mutex);
	dev_cgroup->behavior = DEVCG_DEFAULT_NONE;
	mutex_unlock(&devcgroup_mutex);
}

212 213 214
/*
 * called from kernel/cgroup.c with cgroup_lock() held.
 */
215 216
static struct cgroup_subsys_state *
devcgroup_css_alloc(struct cgroup_subsys_state *parent_css)
217
{
218
	struct dev_cgroup *dev_cgroup;
219 220 221 222

	dev_cgroup = kzalloc(sizeof(*dev_cgroup), GFP_KERNEL);
	if (!dev_cgroup)
		return ERR_PTR(-ENOMEM);
223
	INIT_LIST_HEAD(&dev_cgroup->exceptions);
224
	dev_cgroup->behavior = DEVCG_DEFAULT_NONE;
225 226 227 228

	return &dev_cgroup->css;
}

229
static void devcgroup_css_free(struct cgroup_subsys_state *css)
230
{
231
	struct dev_cgroup *dev_cgroup = css_to_devcgroup(css);
232

233
	__dev_exception_clean(dev_cgroup);
234 235 236 237 238
	kfree(dev_cgroup);
}

#define DEVCG_ALLOW 1
#define DEVCG_DENY 2
239 240
#define DEVCG_LIST 3

241
#define MAJMINLEN 13
242
#define ACCLEN 4
243 244 245 246

static void set_access(char *acc, short access)
{
	int idx = 0;
247
	memset(acc, 0, ACCLEN);
248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266
	if (access & ACC_READ)
		acc[idx++] = 'r';
	if (access & ACC_WRITE)
		acc[idx++] = 'w';
	if (access & ACC_MKNOD)
		acc[idx++] = 'm';
}

static char type_to_char(short type)
{
	if (type == DEV_ALL)
		return 'a';
	if (type == DEV_CHAR)
		return 'c';
	if (type == DEV_BLOCK)
		return 'b';
	return 'X';
}

267
static void set_majmin(char *str, unsigned m)
268 269
{
	if (m == ~0)
Li Zefan's avatar
Li Zefan committed
270
		strcpy(str, "*");
271
	else
Li Zefan's avatar
Li Zefan committed
272
		sprintf(str, "%u", m);
273 274
}

275
static int devcgroup_seq_show(struct seq_file *m, void *v)
276
{
277
	struct dev_cgroup *devcgroup = css_to_devcgroup(seq_css(m));
278
	struct dev_exception_item *ex;
279
	char maj[MAJMINLEN], min[MAJMINLEN], acc[ACCLEN];
280

281
	rcu_read_lock();
282 283 284 285 286 287
	/*
	 * To preserve the compatibility:
	 * - Only show the "all devices" when the default policy is to allow
	 * - List the exceptions in case the default policy is to deny
	 * This way, the file remains as a "whitelist of devices"
	 */
288
	if (devcgroup->behavior == DEVCG_DEFAULT_ALLOW) {
289 290 291 292
		set_access(acc, ACC_MASK);
		set_majmin(maj, ~0);
		set_majmin(min, ~0);
		seq_printf(m, "%c %s:%s %s\n", type_to_char(DEV_ALL),
293
			   maj, min, acc);
294
	} else {
295 296 297 298 299
		list_for_each_entry_rcu(ex, &devcgroup->exceptions, list) {
			set_access(acc, ex->access);
			set_majmin(maj, ex->major);
			set_majmin(min, ex->minor);
			seq_printf(m, "%c %s:%s %s\n", type_to_char(ex->type),
300 301
				   maj, min, acc);
		}
302
	}
303
	rcu_read_unlock();
304

305
	return 0;
306 307
}

308
/**
309 310 311 312 313
 * may_access - verifies if a new exception is part of what is allowed
 *		by a dev cgroup based on the default policy +
 *		exceptions. This is used to make sure a child cgroup
 *		won't have more privileges than its parent or to
 *		verify if a certain access is allowed.
314
 * @dev_cgroup: dev cgroup to be tested against
315
 * @refex: new exception
316
 * @behavior: behavior of the exception
317
 */
318
static bool may_access(struct dev_cgroup *dev_cgroup,
319 320
		       struct dev_exception_item *refex,
		       enum devcg_behavior behavior)
321
{
322
	struct dev_exception_item *ex;
323
	bool match = false;
324

325 326 327 328
	rcu_lockdep_assert(rcu_read_lock_held() ||
			   lockdep_is_held(&devcgroup_mutex),
			   "device_cgroup::may_access() called without proper synchronization");

Tejun Heo's avatar
Tejun Heo committed
329
	list_for_each_entry_rcu(ex, &dev_cgroup->exceptions, list) {
330
		if ((refex->type & DEV_BLOCK) && !(ex->type & DEV_BLOCK))
331
			continue;
332
		if ((refex->type & DEV_CHAR) && !(ex->type & DEV_CHAR))
333
			continue;
334
		if (ex->major != ~0 && ex->major != refex->major)
335
			continue;
336
		if (ex->minor != ~0 && ex->minor != refex->minor)
337
			continue;
338
		if (refex->access & (~ex->access))
339
			continue;
340 341
		match = true;
		break;
342
	}
343

344 345 346 347 348 349 350 351 352 353 354 355
	if (dev_cgroup->behavior == DEVCG_DEFAULT_ALLOW) {
		if (behavior == DEVCG_DEFAULT_ALLOW) {
			/* the exception will deny access to certain devices */
			return true;
		} else {
			/* the exception will allow access to certain devices */
			if (match)
				/*
				 * a new exception allowing access shouldn't
				 * match an parent's exception
				 */
				return false;
356
			return true;
357
		}
358
	} else {
359 360 361
		/* only behavior == DEVCG_DEFAULT_DENY allowed here */
		if (match)
			/* parent has an exception that matches the proposed */
362
			return true;
363 364
		else
			return false;
365 366
	}
	return false;
367 368 369 370
}

/*
 * parent_has_perm:
371
 * when adding a new allow rule to a device exception list, the rule
372 373
 * must be allowed in the parent device
 */
374
static int parent_has_perm(struct dev_cgroup *childcg,
375
				  struct dev_exception_item *ex)
376
{
Tejun Heo's avatar
Tejun Heo committed
377
	struct dev_cgroup *parent = css_to_devcgroup(css_parent(&childcg->css));
378

Tejun Heo's avatar
Tejun Heo committed
379
	if (!parent)
380
		return 1;
381
	return may_access(parent, ex, childcg->behavior);
382 383
}

384 385 386 387 388 389 390 391
/**
 * may_allow_all - checks if it's possible to change the behavior to
 *		   allow based on parent's rules.
 * @parent: device cgroup's parent
 * returns: != 0 in case it's allowed, 0 otherwise
 */
static inline int may_allow_all(struct dev_cgroup *parent)
{
392 393
	if (!parent)
		return 1;
394 395 396
	return parent->behavior == DEVCG_DEFAULT_ALLOW;
}

397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431
/**
 * revalidate_active_exceptions - walks through the active exception list and
 * 				  revalidates the exceptions based on parent's
 * 				  behavior and exceptions. The exceptions that
 * 				  are no longer valid will be removed.
 * 				  Called with devcgroup_mutex held.
 * @devcg: cgroup which exceptions will be checked
 *
 * This is one of the three key functions for hierarchy implementation.
 * This function is responsible for re-evaluating all the cgroup's active
 * exceptions due to a parent's exception change.
 * Refer to Documentation/cgroups/devices.txt for more details.
 */
static void revalidate_active_exceptions(struct dev_cgroup *devcg)
{
	struct dev_exception_item *ex;
	struct list_head *this, *tmp;

	list_for_each_safe(this, tmp, &devcg->exceptions) {
		ex = container_of(this, struct dev_exception_item, list);
		if (!parent_has_perm(devcg, ex))
			dev_exception_rm(devcg, ex);
	}
}

/**
 * propagate_exception - propagates a new exception to the children
 * @devcg_root: device cgroup that added a new exception
 * @ex: new exception to be propagated
 *
 * returns: 0 in case of success, != 0 in case of error
 */
static int propagate_exception(struct dev_cgroup *devcg_root,
			       struct dev_exception_item *ex)
{
432
	struct cgroup_subsys_state *pos;
433 434
	int rc = 0;

435
	rcu_read_lock();
436

437 438
	css_for_each_descendant_pre(pos, &devcg_root->css) {
		struct dev_cgroup *devcg = css_to_devcgroup(pos);
439 440 441 442 443 444 445

		/*
		 * Because devcgroup_mutex is held, no devcg will become
		 * online or offline during the tree walk (see on/offline
		 * methods), and online ones are safe to access outside RCU
		 * read lock without bumping refcnt.
		 */
446
		if (pos == &devcg_root->css || !is_devcg_online(devcg))
447 448 449
			continue;

		rcu_read_unlock();
450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470

		/*
		 * in case both root's behavior and devcg is allow, a new
		 * restriction means adding to the exception list
		 */
		if (devcg_root->behavior == DEVCG_DEFAULT_ALLOW &&
		    devcg->behavior == DEVCG_DEFAULT_ALLOW) {
			rc = dev_exception_add(devcg, ex);
			if (rc)
				break;
		} else {
			/*
			 * in the other possible cases:
			 * root's behavior: allow, devcg's: deny
			 * root's behavior: deny, devcg's: deny
			 * the exception will be removed
			 */
			dev_exception_rm(devcg, ex);
		}
		revalidate_active_exceptions(devcg);

471
		rcu_read_lock();
472
	}
473 474

	rcu_read_unlock();
475 476 477 478 479 480 481 482 483 484
	return rc;
}

static inline bool has_children(struct dev_cgroup *devcgroup)
{
	struct cgroup *cgrp = devcgroup->css.cgroup;

	return !list_empty(&cgrp->children);
}

485
/*
486
 * Modify the exception list using allow/deny rules.
487 488
 * CAP_SYS_ADMIN is needed for this.  It's at least separate from CAP_MKNOD
 * so we can give a container CAP_MKNOD to let it create devices but not
489
 * modify the exception list.
490 491
 * It seems likely we'll want to add a CAP_CONTAINER capability to allow
 * us to also grant CAP_SYS_ADMIN to containers without giving away the
492
 * device exception list controls, but for now we'll stick with CAP_SYS_ADMIN
493 494 495 496 497
 *
 * Taking rules away is always allowed (given CAP_SYS_ADMIN).  Granting
 * new access is only allowed if you're in the top-level cgroup, or your
 * parent cgroup has the access you're asking for.
 */
498 499
static int devcgroup_update_access(struct dev_cgroup *devcgroup,
				   int filetype, const char *buffer)
500
{
501
	const char *b;
502
	char temp[12];		/* 11 + 1 characters needed for a u32 */
503
	int count, rc = 0;
504
	struct dev_exception_item ex;
Tejun Heo's avatar
Tejun Heo committed
505
	struct dev_cgroup *parent = css_to_devcgroup(css_parent(&devcgroup->css));
506 507 508 509

	if (!capable(CAP_SYS_ADMIN))
		return -EPERM;

510
	memset(&ex, 0, sizeof(ex));
511 512 513 514
	b = buffer;

	switch (*b) {
	case 'a':
515 516
		switch (filetype) {
		case DEVCG_ALLOW:
517 518 519
			if (has_children(devcgroup))
				return -EINVAL;

520
			if (!may_allow_all(parent))
521
				return -EPERM;
522
			dev_exception_clean(devcgroup);
523 524 525 526
			devcgroup->behavior = DEVCG_DEFAULT_ALLOW;
			if (!parent)
				break;

527 528 529 530
			rc = dev_exceptions_copy(&devcgroup->exceptions,
						 &parent->exceptions);
			if (rc)
				return rc;
531 532
			break;
		case DEVCG_DENY:
533 534 535
			if (has_children(devcgroup))
				return -EINVAL;

536
			dev_exception_clean(devcgroup);
537
			devcgroup->behavior = DEVCG_DEFAULT_DENY;
538 539 540 541 542
			break;
		default:
			return -EINVAL;
		}
		return 0;
543
	case 'b':
544
		ex.type = DEV_BLOCK;
545 546
		break;
	case 'c':
547
		ex.type = DEV_CHAR;
548 549
		break;
	default:
550
		return -EINVAL;
551 552
	}
	b++;
553 554
	if (!isspace(*b))
		return -EINVAL;
555 556
	b++;
	if (*b == '*') {
557
		ex.major = ~0;
558 559
		b++;
	} else if (isdigit(*b)) {
560 561 562 563 564 565 566 567 568 569
		memset(temp, 0, sizeof(temp));
		for (count = 0; count < sizeof(temp) - 1; count++) {
			temp[count] = *b;
			b++;
			if (!isdigit(*b))
				break;
		}
		rc = kstrtou32(temp, 10, &ex.major);
		if (rc)
			return -EINVAL;
570
	} else {
571
		return -EINVAL;
572
	}
573 574
	if (*b != ':')
		return -EINVAL;
575 576 577 578
	b++;

	/* read minor */
	if (*b == '*') {
579
		ex.minor = ~0;
580 581
		b++;
	} else if (isdigit(*b)) {
582 583 584 585 586 587 588 589 590 591
		memset(temp, 0, sizeof(temp));
		for (count = 0; count < sizeof(temp) - 1; count++) {
			temp[count] = *b;
			b++;
			if (!isdigit(*b))
				break;
		}
		rc = kstrtou32(temp, 10, &ex.minor);
		if (rc)
			return -EINVAL;
592
	} else {
593
		return -EINVAL;
594
	}
595 596
	if (!isspace(*b))
		return -EINVAL;
597 598 599
	for (b++, count = 0; count < 3; count++, b++) {
		switch (*b) {
		case 'r':
600
			ex.access |= ACC_READ;
601 602
			break;
		case 'w':
603
			ex.access |= ACC_WRITE;
604 605
			break;
		case 'm':
606
			ex.access |= ACC_MKNOD;
607 608 609 610 611 612
			break;
		case '\n':
		case '\0':
			count = 3;
			break;
		default:
613
			return -EINVAL;
614 615 616 617 618
		}
	}

	switch (filetype) {
	case DEVCG_ALLOW:
619
		if (!parent_has_perm(devcgroup, &ex))
620
			return -EPERM;
621 622 623 624 625
		/*
		 * If the default policy is to allow by default, try to remove
		 * an matching exception instead. And be silent about it: we
		 * don't want to break compatibility
		 */
626
		if (devcgroup->behavior == DEVCG_DEFAULT_ALLOW) {
627
			dev_exception_rm(devcgroup, &ex);
628 629
			return 0;
		}
630 631
		rc = dev_exception_add(devcgroup, &ex);
		break;
632
	case DEVCG_DENY:
633 634 635 636 637
		/*
		 * If the default policy is to deny by default, try to remove
		 * an matching exception instead. And be silent about it: we
		 * don't want to break compatibility
		 */
638
		if (devcgroup->behavior == DEVCG_DEFAULT_DENY)
639
			dev_exception_rm(devcgroup, &ex);
640 641 642 643 644 645 646 647
		else
			rc = dev_exception_add(devcgroup, &ex);

		if (rc)
			break;
		/* we only propagate new restrictions */
		rc = propagate_exception(devcgroup, &ex);
		break;
648
	default:
649
		rc = -EINVAL;
650
	}
651
	return rc;
652
}
653

654 655
static int devcgroup_access_write(struct cgroup_subsys_state *css,
				  struct cftype *cft, const char *buffer)
656 657
{
	int retval;
658 659

	mutex_lock(&devcgroup_mutex);
660
	retval = devcgroup_update_access(css_to_devcgroup(css),
661
					 cft->private, buffer);
662
	mutex_unlock(&devcgroup_mutex);
663 664 665 666 667 668
	return retval;
}

static struct cftype dev_cgroup_files[] = {
	{
		.name = "allow",
669
		.write_string  = devcgroup_access_write,
670 671 672 673
		.private = DEVCG_ALLOW,
	},
	{
		.name = "deny",
674
		.write_string = devcgroup_access_write,
675 676
		.private = DEVCG_DENY,
	},
677 678
	{
		.name = "list",
679
		.seq_show = devcgroup_seq_show,
680 681
		.private = DEVCG_LIST,
	},
682
	{ }	/* terminate */
683 684
};

685
struct cgroup_subsys devices_cgrp_subsys = {
686 687
	.css_alloc = devcgroup_css_alloc,
	.css_free = devcgroup_css_free,
688 689
	.css_online = devcgroup_online,
	.css_offline = devcgroup_offline,
690
	.base_cftypes = dev_cgroup_files,
691 692
};

693 694 695 696 697 698 699 700 701 702
/**
 * __devcgroup_check_permission - checks if an inode operation is permitted
 * @dev_cgroup: the dev cgroup to be tested against
 * @type: device type
 * @major: device major number
 * @minor: device minor number
 * @access: combination of ACC_WRITE, ACC_READ and ACC_MKNOD
 *
 * returns 0 on success, -EPERM case the operation is not permitted
 */
703
static int __devcgroup_check_permission(short type, u32 major, u32 minor,
704
				        short access)
705
{
706
	struct dev_cgroup *dev_cgroup;
707
	struct dev_exception_item ex;
708
	int rc;
709

710 711 712 713 714
	memset(&ex, 0, sizeof(ex));
	ex.type = type;
	ex.major = major;
	ex.minor = minor;
	ex.access = access;
715

716
	rcu_read_lock();
717
	dev_cgroup = task_devcgroup(current);
718
	rc = may_access(dev_cgroup, &ex, dev_cgroup->behavior);
719
	rcu_read_unlock();
720

721 722
	if (!rc)
		return -EPERM;
723

724 725
	return 0;
}
726

727 728 729 730 731 732 733 734 735 736 737 738 739
int __devcgroup_inode_permission(struct inode *inode, int mask)
{
	short type, access = 0;

	if (S_ISBLK(inode->i_mode))
		type = DEV_BLOCK;
	if (S_ISCHR(inode->i_mode))
		type = DEV_CHAR;
	if (mask & MAY_WRITE)
		access |= ACC_WRITE;
	if (mask & MAY_READ)
		access |= ACC_READ;

740 741
	return __devcgroup_check_permission(type, imajor(inode), iminor(inode),
			access);
742 743 744 745
}

int devcgroup_inode_mknod(int mode, dev_t dev)
{
746
	short type;
747

748 749 750
	if (!S_ISBLK(mode) && !S_ISCHR(mode))
		return 0;

751 752 753 754
	if (S_ISBLK(mode))
		type = DEV_BLOCK;
	else
		type = DEV_CHAR;
755

756 757
	return __devcgroup_check_permission(type, MAJOR(dev), MINOR(dev),
			ACC_MKNOD);
758

759
}