authorDmitry Torokhov <dtor@chromium.org>2016-10-06 15:53:38 -0700
committerMister Oyster <oysterized@gmail.com>2017-09-30 15:36:12 +0200
commitb27b15551563f102db2d56cb4f716a1fae260e69 (patch)
treed86919b2f12d84b8e860c8d58e1933ae03fa91cb /kernel/cgroup.c
parent7694623a1eb0af6225cf3c9f8f4d1cdc27c668fc (diff)
CHROMIUM: remove Android's cgroup generic permissions checks
The implementation is utterly broken, resulting in all processes being allowed to move tasks between sets (as long as they have access to the "tasks" attribute), and upstream is heading towards checking only capability anyway, so let's get rid of this code. BUG=b:31790445,chromium:647994 TEST=Boot android container, examine logcat Change-Id: I2f780a5992c34e52a8f2d0b3557fc9d490da2779 Signed-off-by: Dmitry Torokhov <dtor@chromium.org> Reviewed-on: https://chromium-review.googlesource.com/394967 Reviewed-by: Ricky Zhou <rickyz@chromium.org> Reviewed-by: John Stultz <john.stultz@linaro.org> (cherry picked from commit 6895149f8bf0719aa70487e285fa6a8ad3d2692d) Reviewed-on: https://chromium-review.googlesource.com/399858 Reviewed-by: Guenter Roeck <groeck@chromium.org> Signed-off-by: Mister Oyster <oysterized@gmail.com>
Diffstat (limited to 'kernel/cgroup.c')
-rw-r--r--kernel/cgroup.c52
1 files changed, 3 insertions, 49 deletions
diff --git a/kernel/cgroup.c b/kernel/cgroup.c
index adc8f34a5..b14a9a1fa 100644
--- a/kernel/cgroup.c
+++ b/kernel/cgroup.c
@@ -2152,43 +2152,6 @@ out_free_group_list:
return retval;
}
-static int cgroup_allow_attach(struct cgroup *cgrp, struct cgroup_taskset *tset)
-{
- struct cgroup_subsys *ss;
- int ret;
-
- for_each_subsys(cgrp->root, ss) {
- if (ss->allow_attach) {
- ret = ss->allow_attach(cgrp, tset);
- if (ret)
- return ret;
- } else {
- return -EACCES;
- }
- }
-
- return 0;
-}
-
-int subsys_cgroup_allow_attach(struct cgroup *cgrp, struct cgroup_taskset *tset)
-{
- const struct cred *cred = current_cred(), *tcred;
- struct task_struct *task;
-
- if (capable(CAP_SYS_NICE))
- return 0;
-
- cgroup_taskset_for_each(task, cgrp, tset) {
- tcred = __task_cred(task);
-
- if (current != task && cred->euid != tcred->uid &&
- cred->euid != tcred->suid)
- return -EACCES;
- }
-
- return 0;
-}
-
/*
* Find the task_struct of the task to attach by vpid and pass it along to the
* function to attach either it or all tasks in its threadgroup. Will lock
@@ -2220,18 +2183,9 @@ retry_find_task:
if (!uid_eq(cred->euid, GLOBAL_ROOT_UID) &&
!uid_eq(cred->euid, tcred->uid) &&
!uid_eq(cred->euid, tcred->suid)) {
- /*
- * if the default permission check fails, give each
- * cgroup a chance to extend the permission check
- */
- struct cgroup_taskset tset = { };
- tset.single.task = tsk;
- tset.single.cgrp = cgrp;
- ret = cgroup_allow_attach(cgrp, &tset);
- if (ret) {
- rcu_read_unlock();
- goto out_unlock_cgroup;
- }
+ rcu_read_unlock();
+ ret = -EACCES;
+ goto out_unlock_cgroup;
}
} else
tsk = current;
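Review bot: The deny branch at `ret = -EACCES;` no longer carries any comment stating the attach policy, and a reader who meets an unexpected EACCES here has nothing to go on; I would add `/* Only root or a caller whose euid matches the task's uid/suid may attach; there is no per-subsystem override. */` above the `rcu_read_unlock();`. The surviving test compares `cred->euid` with `GLOBAL_ROOT_UID` rather than checking a capability, so a non-root caller that previously got through the removed `capable(CAP_SYS_NICE)` path (presumably via a subsystem's `allow_attach` hook) will now be refused; that matches the description but should be confirmed in the container's logcat as the TEST line suggests. The `allow_attach` member and the `subsys_cgroup_allow_attach` declaration live outside kernel/cgroup.c and are not visible in this view, so check that no subsystem still references them. The enclosing function starts and ends outside the hunk.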