device_cgroup.c 17.6 KB
Newer Older
1
/*
2
 * device_cgroup.c - device cgroup subsystem
3 4 5 6 7 8 9 10 11
 *
 * Copyright 2007 IBM Corp
 */

#include <linux/device_cgroup.h>
#include <linux/cgroup.h>
#include <linux/ctype.h>
#include <linux/list.h>
#include <linux/uaccess.h>
12
#include <linux/seq_file.h>
13
#include <linux/slab.h>
14
#include <linux/rcupdate.h>
15
#include <linux/mutex.h>
16 17 18 19 20 21 22 23 24 25

#define ACC_MKNOD 1
#define ACC_READ  2
#define ACC_WRITE 4
#define ACC_MASK (ACC_MKNOD | ACC_READ | ACC_WRITE)

#define DEV_BLOCK 1
#define DEV_CHAR  2
#define DEV_ALL   4  /* this represents all devices */

26 27
static DEFINE_MUTEX(devcgroup_mutex);

28 29 30 31 32 33
enum devcg_behavior {
	DEVCG_DEFAULT_NONE,
	DEVCG_DEFAULT_ALLOW,
	DEVCG_DEFAULT_DENY,
};

34
/*
35
 * exception list locking rules:
36
 * hold devcgroup_mutex for update/read.
37
 * hold rcu_read_lock() for read.
38 39
 */

40
struct dev_exception_item {
41 42 43 44
	u32 major, minor;
	short type;
	short access;
	struct list_head list;
45
	struct rcu_head rcu;
46 47 48 49
};

struct dev_cgroup {
	struct cgroup_subsys_state css;
50
	struct list_head exceptions;
51
	enum devcg_behavior behavior;
52 53
};

54 55
static inline struct dev_cgroup *css_to_devcgroup(struct cgroup_subsys_state *s)
{
56
	return s ? container_of(s, struct dev_cgroup, css) : NULL;
57 58
}

59 60
static inline struct dev_cgroup *task_devcgroup(struct task_struct *task)
{
61
	return css_to_devcgroup(task_css(task, devices_subsys_id));
62 63
}

64 65 66
struct cgroup_subsys devices_subsys;

/*
67
 * called under devcgroup_mutex
68
 */
69
static int dev_exceptions_copy(struct list_head *dest, struct list_head *orig)
70
{
71
	struct dev_exception_item *ex, *tmp, *new;
72

73 74
	lockdep_assert_held(&devcgroup_mutex);

75 76
	list_for_each_entry(ex, orig, list) {
		new = kmemdup(ex, sizeof(*ex), GFP_KERNEL);
77 78 79 80 81 82 83 84
		if (!new)
			goto free_and_exit;
		list_add_tail(&new->list, dest);
	}

	return 0;

free_and_exit:
85 86 87
	list_for_each_entry_safe(ex, tmp, dest, list) {
		list_del(&ex->list);
		kfree(ex);
88 89 90 91 92
	}
	return -ENOMEM;
}

/*
93
 * called under devcgroup_mutex
94
 */
95 96
static int dev_exception_add(struct dev_cgroup *dev_cgroup,
			     struct dev_exception_item *ex)
97
{
98
	struct dev_exception_item *excopy, *walk;
99

100 101
	lockdep_assert_held(&devcgroup_mutex);

102 103
	excopy = kmemdup(ex, sizeof(*ex), GFP_KERNEL);
	if (!excopy)
104 105
		return -ENOMEM;

106 107
	list_for_each_entry(walk, &dev_cgroup->exceptions, list) {
		if (walk->type != ex->type)
108
			continue;
109
		if (walk->major != ex->major)
110
			continue;
111
		if (walk->minor != ex->minor)
112 113
			continue;

114 115 116
		walk->access |= ex->access;
		kfree(excopy);
		excopy = NULL;
117 118
	}

119 120
	if (excopy != NULL)
		list_add_tail_rcu(&excopy->list, &dev_cgroup->exceptions);
121 122 123 124
	return 0;
}

/*
125
 * called under devcgroup_mutex
126
 */
127 128
static void dev_exception_rm(struct dev_cgroup *dev_cgroup,
			     struct dev_exception_item *ex)
129
{
130
	struct dev_exception_item *walk, *tmp;
131

132 133
	lockdep_assert_held(&devcgroup_mutex);

134 135
	list_for_each_entry_safe(walk, tmp, &dev_cgroup->exceptions, list) {
		if (walk->type != ex->type)
136
			continue;
137
		if (walk->major != ex->major)
138
			continue;
139
		if (walk->minor != ex->minor)
140 141
			continue;

142
		walk->access &= ~ex->access;
143
		if (!walk->access) {
144
			list_del_rcu(&walk->list);
145
			kfree_rcu(walk, rcu);
146 147 148 149
		}
	}
}

150 151 152 153 154 155 156 157 158 159
static void __dev_exception_clean(struct dev_cgroup *dev_cgroup)
{
	struct dev_exception_item *ex, *tmp;

	list_for_each_entry_safe(ex, tmp, &dev_cgroup->exceptions, list) {
		list_del_rcu(&ex->list);
		kfree_rcu(ex, rcu);
	}
}

160
/**
161 162
 * dev_exception_clean - frees all entries of the exception list
 * @dev_cgroup: dev_cgroup with the exception list to be cleaned
163 164 165
 *
 * called under devcgroup_mutex
 */
166
static void dev_exception_clean(struct dev_cgroup *dev_cgroup)
167
{
168 169
	lockdep_assert_held(&devcgroup_mutex);

170
	__dev_exception_clean(dev_cgroup);
171 172
}

173 174 175 176 177
static inline bool is_devcg_online(const struct dev_cgroup *devcg)
{
	return (devcg->behavior != DEVCG_DEFAULT_NONE);
}

178 179 180
/**
 * devcgroup_online - initializes devcgroup's behavior and exceptions based on
 * 		      parent's
181
 * @css: css getting online
182 183
 * returns 0 in case of success, error code otherwise
 */
184
static int devcgroup_online(struct cgroup_subsys_state *css)
185
{
186 187
	struct dev_cgroup *dev_cgroup = css_to_devcgroup(css);
	struct dev_cgroup *parent_dev_cgroup = css_to_devcgroup(css_parent(css));
188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204
	int ret = 0;

	mutex_lock(&devcgroup_mutex);

	if (parent_dev_cgroup == NULL)
		dev_cgroup->behavior = DEVCG_DEFAULT_ALLOW;
	else {
		ret = dev_exceptions_copy(&dev_cgroup->exceptions,
					  &parent_dev_cgroup->exceptions);
		if (!ret)
			dev_cgroup->behavior = parent_dev_cgroup->behavior;
	}
	mutex_unlock(&devcgroup_mutex);

	return ret;
}

205
static void devcgroup_offline(struct cgroup_subsys_state *css)
206
{
207
	struct dev_cgroup *dev_cgroup = css_to_devcgroup(css);
208 209 210 211 212 213

	mutex_lock(&devcgroup_mutex);
	dev_cgroup->behavior = DEVCG_DEFAULT_NONE;
	mutex_unlock(&devcgroup_mutex);
}

214 215 216
/*
 * called from kernel/cgroup.c with cgroup_lock() held.
 */
217 218
static struct cgroup_subsys_state *
devcgroup_css_alloc(struct cgroup_subsys_state *parent_css)
219
{
220
	struct dev_cgroup *dev_cgroup;
221 222 223 224

	dev_cgroup = kzalloc(sizeof(*dev_cgroup), GFP_KERNEL);
	if (!dev_cgroup)
		return ERR_PTR(-ENOMEM);
225
	INIT_LIST_HEAD(&dev_cgroup->exceptions);
226
	dev_cgroup->behavior = DEVCG_DEFAULT_NONE;
227 228 229 230

	return &dev_cgroup->css;
}

231
static void devcgroup_css_free(struct cgroup_subsys_state *css)
232
{
233
	struct dev_cgroup *dev_cgroup = css_to_devcgroup(css);
234

235
	__dev_exception_clean(dev_cgroup);
236 237 238 239 240
	kfree(dev_cgroup);
}

#define DEVCG_ALLOW 1
#define DEVCG_DENY 2
241 242
#define DEVCG_LIST 3

243
#define MAJMINLEN 13
244
#define ACCLEN 4
245 246 247 248

static void set_access(char *acc, short access)
{
	int idx = 0;
249
	memset(acc, 0, ACCLEN);
250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268
	if (access & ACC_READ)
		acc[idx++] = 'r';
	if (access & ACC_WRITE)
		acc[idx++] = 'w';
	if (access & ACC_MKNOD)
		acc[idx++] = 'm';
}

static char type_to_char(short type)
{
	if (type == DEV_ALL)
		return 'a';
	if (type == DEV_CHAR)
		return 'c';
	if (type == DEV_BLOCK)
		return 'b';
	return 'X';
}

269
static void set_majmin(char *str, unsigned m)
270 271
{
	if (m == ~0)
Li Zefan's avatar
Li Zefan committed
272
		strcpy(str, "*");
273
	else
Li Zefan's avatar
Li Zefan committed
274
		sprintf(str, "%u", m);
275 276
}

277 278
static int devcgroup_seq_read(struct cgroup_subsys_state *css,
			      struct cftype *cft, struct seq_file *m)
279
{
280
	struct dev_cgroup *devcgroup = css_to_devcgroup(css);
281
	struct dev_exception_item *ex;
282
	char maj[MAJMINLEN], min[MAJMINLEN], acc[ACCLEN];
283

284
	rcu_read_lock();
285 286 287 288 289 290
	/*
	 * To preserve the compatibility:
	 * - Only show the "all devices" when the default policy is to allow
	 * - List the exceptions in case the default policy is to deny
	 * This way, the file remains as a "whitelist of devices"
	 */
291
	if (devcgroup->behavior == DEVCG_DEFAULT_ALLOW) {
292 293 294 295
		set_access(acc, ACC_MASK);
		set_majmin(maj, ~0);
		set_majmin(min, ~0);
		seq_printf(m, "%c %s:%s %s\n", type_to_char(DEV_ALL),
296
			   maj, min, acc);
297
	} else {
298 299 300 301 302
		list_for_each_entry_rcu(ex, &devcgroup->exceptions, list) {
			set_access(acc, ex->access);
			set_majmin(maj, ex->major);
			set_majmin(min, ex->minor);
			seq_printf(m, "%c %s:%s %s\n", type_to_char(ex->type),
303 304
				   maj, min, acc);
		}
305
	}
306
	rcu_read_unlock();
307

308
	return 0;
309 310
}

311
/**
312 313 314 315 316
 * may_access - verifies if a new exception is part of what is allowed
 *		by a dev cgroup based on the default policy +
 *		exceptions. This is used to make sure a child cgroup
 *		won't have more privileges than its parent or to
 *		verify if a certain access is allowed.
317
 * @dev_cgroup: dev cgroup to be tested against
318
 * @refex: new exception
319
 * @behavior: behavior of the exception
320
 */
321
static bool may_access(struct dev_cgroup *dev_cgroup,
322 323
		       struct dev_exception_item *refex,
		       enum devcg_behavior behavior)
324
{
325
	struct dev_exception_item *ex;
326
	bool match = false;
327

328 329 330 331
	rcu_lockdep_assert(rcu_read_lock_held() ||
			   lockdep_is_held(&devcgroup_mutex),
			   "device_cgroup::may_access() called without proper synchronization");

Tejun Heo's avatar
Tejun Heo committed
332
	list_for_each_entry_rcu(ex, &dev_cgroup->exceptions, list) {
333
		if ((refex->type & DEV_BLOCK) && !(ex->type & DEV_BLOCK))
334
			continue;
335
		if ((refex->type & DEV_CHAR) && !(ex->type & DEV_CHAR))
336
			continue;
337
		if (ex->major != ~0 && ex->major != refex->major)
338
			continue;
339
		if (ex->minor != ~0 && ex->minor != refex->minor)
340
			continue;
341
		if (refex->access & (~ex->access))
342
			continue;
343 344
		match = true;
		break;
345
	}
346

347 348 349 350 351 352 353 354 355 356 357 358
	if (dev_cgroup->behavior == DEVCG_DEFAULT_ALLOW) {
		if (behavior == DEVCG_DEFAULT_ALLOW) {
			/* the exception will deny access to certain devices */
			return true;
		} else {
			/* the exception will allow access to certain devices */
			if (match)
				/*
				 * a new exception allowing access shouldn't
				 * match an parent's exception
				 */
				return false;
359
			return true;
360
		}
361
	} else {
362 363 364
		/* only behavior == DEVCG_DEFAULT_DENY allowed here */
		if (match)
			/* parent has an exception that matches the proposed */
365
			return true;
366 367
		else
			return false;
368 369
	}
	return false;
370 371 372 373
}

/*
 * parent_has_perm:
374
 * when adding a new allow rule to a device exception list, the rule
375 376
 * must be allowed in the parent device
 */
377
static int parent_has_perm(struct dev_cgroup *childcg,
378
				  struct dev_exception_item *ex)
379
{
Tejun Heo's avatar
Tejun Heo committed
380
	struct dev_cgroup *parent = css_to_devcgroup(css_parent(&childcg->css));
381

Tejun Heo's avatar
Tejun Heo committed
382
	if (!parent)
383
		return 1;
384
	return may_access(parent, ex, childcg->behavior);
385 386
}

387 388 389 390 391 392 393 394
/**
 * may_allow_all - checks if it's possible to change the behavior to
 *		   allow based on parent's rules.
 * @parent: device cgroup's parent
 * returns: != 0 in case it's allowed, 0 otherwise
 */
static inline int may_allow_all(struct dev_cgroup *parent)
{
395 396
	if (!parent)
		return 1;
397 398 399
	return parent->behavior == DEVCG_DEFAULT_ALLOW;
}

400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434
/**
 * revalidate_active_exceptions - walks through the active exception list and
 * 				  revalidates the exceptions based on parent's
 * 				  behavior and exceptions. The exceptions that
 * 				  are no longer valid will be removed.
 * 				  Called with devcgroup_mutex held.
 * @devcg: cgroup which exceptions will be checked
 *
 * This is one of the three key functions for hierarchy implementation.
 * This function is responsible for re-evaluating all the cgroup's active
 * exceptions due to a parent's exception change.
 * Refer to Documentation/cgroups/devices.txt for more details.
 */
static void revalidate_active_exceptions(struct dev_cgroup *devcg)
{
	struct dev_exception_item *ex;
	struct list_head *this, *tmp;

	list_for_each_safe(this, tmp, &devcg->exceptions) {
		ex = container_of(this, struct dev_exception_item, list);
		if (!parent_has_perm(devcg, ex))
			dev_exception_rm(devcg, ex);
	}
}

/**
 * propagate_exception - propagates a new exception to the children
 * @devcg_root: device cgroup that added a new exception
 * @ex: new exception to be propagated
 *
 * returns: 0 in case of success, != 0 in case of error
 */
static int propagate_exception(struct dev_cgroup *devcg_root,
			       struct dev_exception_item *ex)
{
435
	struct cgroup_subsys_state *pos;
436 437
	int rc = 0;

438
	rcu_read_lock();
439

440 441
	css_for_each_descendant_pre(pos, &devcg_root->css) {
		struct dev_cgroup *devcg = css_to_devcgroup(pos);
442 443 444 445 446 447 448

		/*
		 * Because devcgroup_mutex is held, no devcg will become
		 * online or offline during the tree walk (see on/offline
		 * methods), and online ones are safe to access outside RCU
		 * read lock without bumping refcnt.
		 */
449
		if (pos == &devcg_root->css || !is_devcg_online(devcg))
450 451 452
			continue;

		rcu_read_unlock();
453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473

		/*
		 * in case both root's behavior and devcg is allow, a new
		 * restriction means adding to the exception list
		 */
		if (devcg_root->behavior == DEVCG_DEFAULT_ALLOW &&
		    devcg->behavior == DEVCG_DEFAULT_ALLOW) {
			rc = dev_exception_add(devcg, ex);
			if (rc)
				break;
		} else {
			/*
			 * in the other possible cases:
			 * root's behavior: allow, devcg's: deny
			 * root's behavior: deny, devcg's: deny
			 * the exception will be removed
			 */
			dev_exception_rm(devcg, ex);
		}
		revalidate_active_exceptions(devcg);

474
		rcu_read_lock();
475
	}
476 477

	rcu_read_unlock();
478 479 480 481 482 483 484 485 486 487
	return rc;
}

static inline bool has_children(struct dev_cgroup *devcgroup)
{
	struct cgroup *cgrp = devcgroup->css.cgroup;

	return !list_empty(&cgrp->children);
}

488
/*
489
 * Modify the exception list using allow/deny rules.
490 491
 * CAP_SYS_ADMIN is needed for this.  It's at least separate from CAP_MKNOD
 * so we can give a container CAP_MKNOD to let it create devices but not
492
 * modify the exception list.
493 494
 * It seems likely we'll want to add a CAP_CONTAINER capability to allow
 * us to also grant CAP_SYS_ADMIN to containers without giving away the
495
 * device exception list controls, but for now we'll stick with CAP_SYS_ADMIN
496 497 498 499 500
 *
 * Taking rules away is always allowed (given CAP_SYS_ADMIN).  Granting
 * new access is only allowed if you're in the top-level cgroup, or your
 * parent cgroup has the access you're asking for.
 */
501 502
static int devcgroup_update_access(struct dev_cgroup *devcgroup,
				   int filetype, const char *buffer)
503
{
504
	const char *b;
505
	char temp[12];		/* 11 + 1 characters needed for a u32 */
506
	int count, rc = 0;
507
	struct dev_exception_item ex;
Tejun Heo's avatar
Tejun Heo committed
508
	struct dev_cgroup *parent = css_to_devcgroup(css_parent(&devcgroup->css));
509 510 511 512

	if (!capable(CAP_SYS_ADMIN))
		return -EPERM;

513
	memset(&ex, 0, sizeof(ex));
514 515 516 517
	b = buffer;

	switch (*b) {
	case 'a':
518 519
		switch (filetype) {
		case DEVCG_ALLOW:
520 521 522
			if (has_children(devcgroup))
				return -EINVAL;

523
			if (!may_allow_all(parent))
524
				return -EPERM;
525
			dev_exception_clean(devcgroup);
526 527 528 529
			devcgroup->behavior = DEVCG_DEFAULT_ALLOW;
			if (!parent)
				break;

530 531 532 533
			rc = dev_exceptions_copy(&devcgroup->exceptions,
						 &parent->exceptions);
			if (rc)
				return rc;
534 535
			break;
		case DEVCG_DENY:
536 537 538
			if (has_children(devcgroup))
				return -EINVAL;

539
			dev_exception_clean(devcgroup);
540
			devcgroup->behavior = DEVCG_DEFAULT_DENY;
541 542 543 544 545
			break;
		default:
			return -EINVAL;
		}
		return 0;
546
	case 'b':
547
		ex.type = DEV_BLOCK;
548 549
		break;
	case 'c':
550
		ex.type = DEV_CHAR;
551 552
		break;
	default:
553
		return -EINVAL;
554 555
	}
	b++;
556 557
	if (!isspace(*b))
		return -EINVAL;
558 559
	b++;
	if (*b == '*') {
560
		ex.major = ~0;
561 562
		b++;
	} else if (isdigit(*b)) {
563 564 565 566 567 568 569 570 571 572
		memset(temp, 0, sizeof(temp));
		for (count = 0; count < sizeof(temp) - 1; count++) {
			temp[count] = *b;
			b++;
			if (!isdigit(*b))
				break;
		}
		rc = kstrtou32(temp, 10, &ex.major);
		if (rc)
			return -EINVAL;
573
	} else {
574
		return -EINVAL;
575
	}
576 577
	if (*b != ':')
		return -EINVAL;
578 579 580 581
	b++;

	/* read minor */
	if (*b == '*') {
582
		ex.minor = ~0;
583 584
		b++;
	} else if (isdigit(*b)) {
585 586 587 588 589 590 591 592 593 594
		memset(temp, 0, sizeof(temp));
		for (count = 0; count < sizeof(temp) - 1; count++) {
			temp[count] = *b;
			b++;
			if (!isdigit(*b))
				break;
		}
		rc = kstrtou32(temp, 10, &ex.minor);
		if (rc)
			return -EINVAL;
595
	} else {
596
		return -EINVAL;
597
	}
598 599
	if (!isspace(*b))
		return -EINVAL;
600 601 602
	for (b++, count = 0; count < 3; count++, b++) {
		switch (*b) {
		case 'r':
603
			ex.access |= ACC_READ;
604 605
			break;
		case 'w':
606
			ex.access |= ACC_WRITE;
607 608
			break;
		case 'm':
609
			ex.access |= ACC_MKNOD;
610 611 612 613 614 615
			break;
		case '\n':
		case '\0':
			count = 3;
			break;
		default:
616
			return -EINVAL;
617 618 619 620 621
		}
	}

	switch (filetype) {
	case DEVCG_ALLOW:
622
		if (!parent_has_perm(devcgroup, &ex))
623
			return -EPERM;
624 625 626 627 628
		/*
		 * If the default policy is to allow by default, try to remove
		 * an matching exception instead. And be silent about it: we
		 * don't want to break compatibility
		 */
629
		if (devcgroup->behavior == DEVCG_DEFAULT_ALLOW) {
630
			dev_exception_rm(devcgroup, &ex);
631 632
			return 0;
		}
633 634
		rc = dev_exception_add(devcgroup, &ex);
		break;
635
	case DEVCG_DENY:
636 637 638 639 640
		/*
		 * If the default policy is to deny by default, try to remove
		 * an matching exception instead. And be silent about it: we
		 * don't want to break compatibility
		 */
641
		if (devcgroup->behavior == DEVCG_DEFAULT_DENY)
642
			dev_exception_rm(devcgroup, &ex);
643 644 645 646 647 648 649 650
		else
			rc = dev_exception_add(devcgroup, &ex);

		if (rc)
			break;
		/* we only propagate new restrictions */
		rc = propagate_exception(devcgroup, &ex);
		break;
651
	default:
652
		rc = -EINVAL;
653
	}
654
	return rc;
655
}
656

657 658
static int devcgroup_access_write(struct cgroup_subsys_state *css,
				  struct cftype *cft, const char *buffer)
659 660
{
	int retval;
661 662

	mutex_lock(&devcgroup_mutex);
663
	retval = devcgroup_update_access(css_to_devcgroup(css),
664
					 cft->private, buffer);
665
	mutex_unlock(&devcgroup_mutex);
666 667 668 669 670 671
	return retval;
}

static struct cftype dev_cgroup_files[] = {
	{
		.name = "allow",
672
		.write_string  = devcgroup_access_write,
673 674 675 676
		.private = DEVCG_ALLOW,
	},
	{
		.name = "deny",
677
		.write_string = devcgroup_access_write,
678 679
		.private = DEVCG_DENY,
	},
680 681 682 683 684
	{
		.name = "list",
		.read_seq_string = devcgroup_seq_read,
		.private = DEVCG_LIST,
	},
685
	{ }	/* terminate */
686 687 688 689
};

struct cgroup_subsys devices_subsys = {
	.name = "devices",
690 691
	.css_alloc = devcgroup_css_alloc,
	.css_free = devcgroup_css_free,
692 693
	.css_online = devcgroup_online,
	.css_offline = devcgroup_offline,
694
	.subsys_id = devices_subsys_id,
695
	.base_cftypes = dev_cgroup_files,
696 697
};

698 699 700 701 702 703 704 705 706 707
/**
 * __devcgroup_check_permission - checks if an inode operation is permitted
 * @dev_cgroup: the dev cgroup to be tested against
 * @type: device type
 * @major: device major number
 * @minor: device minor number
 * @access: combination of ACC_WRITE, ACC_READ and ACC_MKNOD
 *
 * returns 0 on success, -EPERM case the operation is not permitted
 */
708
static int __devcgroup_check_permission(short type, u32 major, u32 minor,
709
				        short access)
710
{
711
	struct dev_cgroup *dev_cgroup;
712
	struct dev_exception_item ex;
713
	int rc;
714

715 716 717 718 719
	memset(&ex, 0, sizeof(ex));
	ex.type = type;
	ex.major = major;
	ex.minor = minor;
	ex.access = access;
720

721
	rcu_read_lock();
722
	dev_cgroup = task_devcgroup(current);
723
	rc = may_access(dev_cgroup, &ex, dev_cgroup->behavior);
724
	rcu_read_unlock();
725

726 727
	if (!rc)
		return -EPERM;
728

729 730
	return 0;
}
731

732 733 734 735 736 737 738 739 740 741 742 743 744
int __devcgroup_inode_permission(struct inode *inode, int mask)
{
	short type, access = 0;

	if (S_ISBLK(inode->i_mode))
		type = DEV_BLOCK;
	if (S_ISCHR(inode->i_mode))
		type = DEV_CHAR;
	if (mask & MAY_WRITE)
		access |= ACC_WRITE;
	if (mask & MAY_READ)
		access |= ACC_READ;

745 746
	return __devcgroup_check_permission(type, imajor(inode), iminor(inode),
			access);
747 748 749 750
}

int devcgroup_inode_mknod(int mode, dev_t dev)
{
751
	short type;
752

753 754 755
	if (!S_ISBLK(mode) && !S_ISCHR(mode))
		return 0;

756 757 758 759
	if (S_ISBLK(mode))
		type = DEV_BLOCK;
	else
		type = DEV_CHAR;
760

761 762
	return __devcgroup_check_permission(type, MAJOR(dev), MINOR(dev),
			ACC_MKNOD);
763

764
}