| -rw-r--r-- | Documentation/cgroups/cgroups.txt | 9 | ||||
| -rw-r--r-- | include/linux/cgroup.h | 17 | ||||
| -rw-r--r-- | kernel/cgroup.c | 52 | ||||
| -rw-r--r-- | kernel/sched/core.c | 1 | ||||
| -rw-r--r-- | mm/memcontrol.c | 12 |
5 files changed, 3 insertions, 88 deletions
diff --git a/Documentation/cgroups/cgroups.txt b/Documentation/cgroups/cgroups.txt index 61dc0ec5c..638bf17ff 100644 --- a/Documentation/cgroups/cgroups.txt +++ b/Documentation/cgroups/cgroups.txt @@ -598,15 +598,6 @@ is completely unused; @cgrp->parent is still valid. (Note - can also be called for a newly-created cgroup if an error occurs after this subsystem's create() method has been called for the new cgroup). -int allow_attach(struct cgroup *cgrp, struct cgroup_taskset *tset) -(cgroup_mutex held by caller) - -Called prior to moving a task into a cgroup; if the subsystem -returns an error, this will abort the attach operation. Used -to extend the permission checks - if all subsystems in a cgroup -return 0, the attach will be allowed to proceed, even if the -default permission check (root or same user) fails. - int can_attach(struct cgroup *cgrp, struct cgroup_taskset *tset) (cgroup_mutex held by caller) diff --git a/include/linux/cgroup.h b/include/linux/cgroup.h index 46f1bcdc1..bbd9b756c 100644 --- a/include/linux/cgroup.h +++ b/include/linux/cgroup.h @@ -589,7 +589,6 @@ struct cgroup_subsys { void (*css_offline)(struct cgroup *cgrp); void (*css_free)(struct cgroup *cgrp); - int (*allow_attach)(struct cgroup *cgrp, struct cgroup_taskset *tset); int (*can_attach)(struct cgroup *cgrp, struct cgroup_taskset *tset); void (*cancel_attach)(struct cgroup *cgrp, struct cgroup_taskset *tset); void (*attach)(struct cgroup *cgrp, struct cgroup_taskset *tset); 
@@ -882,17 +881,6 @@ unsigned short css_id(struct cgroup_subsys_state *css); unsigned short css_depth(struct cgroup_subsys_state *css); struct cgroup_subsys_state *cgroup_css_from_dir(struct file *f, int id); -/* - * Default Android check for whether the current process is allowed to move a - * task across cgroups, either because CAP_SYS_NICE is set or because the uid - * of the calling process is the same as the moved task or because we are - * running as root. - * Returns 0 if this is allowed, or -EACCES otherwise. - */ -int subsys_cgroup_allow_attach(struct cgroup *cgrp, - struct cgroup_taskset *tset); - - #else /* !CONFIG_CGROUPS */ static inline int cgroup_init_early(void) { return 0; } @@ -916,11 +904,6 @@ static inline int cgroup_attach_task_all(struct task_struct *from, return 0; } -static inline int subsys_cgroup_allow_attach(struct cgroup *cgrp, - struct cgroup_taskset *tset) -{ - return 0; -} #endif /* !CONFIG_CGROUPS */ #endif /* _LINUX_CGROUP_H */ diff --git a/kernel/cgroup.c b/kernel/cgroup.c index adc8f34a5..b14a9a1fa 100644 --- a/kernel/cgroup.c +++ b/kernel/cgroup.c 
@@ -2152,43 +2152,6 @@ out_free_group_list: return retval; } -static int cgroup_allow_attach(struct cgroup *cgrp, struct cgroup_taskset *tset) -{ - struct cgroup_subsys *ss; - int ret; - - for_each_subsys(cgrp->root, ss) { - if (ss->allow_attach) { - ret = ss->allow_attach(cgrp, tset); - if (ret) - return ret; - } else { - return -EACCES; - } - } - - return 0; -} - -int subsys_cgroup_allow_attach(struct cgroup *cgrp, struct cgroup_taskset *tset) -{ - const struct cred *cred = current_cred(), *tcred; - struct task_struct *task; - - if (capable(CAP_SYS_NICE)) - return 0; - - cgroup_taskset_for_each(task, cgrp, tset) { - tcred = __task_cred(task); - - if (current != task && cred->euid != tcred->uid && - cred->euid != tcred->suid) - return -EACCES; - } - - return 0; -} - /* * Find the task_struct of the task to attach by vpid and pass it along to the * function to attach either it or all tasks in its threadgroup. Will lock @@ -2220,18 +2183,9 @@ retry_find_task: if (!uid_eq(cred->euid, GLOBAL_ROOT_UID) && !uid_eq(cred->euid, tcred->uid) && !uid_eq(cred->euid, tcred->suid)) { - /* - * if the default permission check fails, give each - * cgroup a chance to extend the permission check - */ - struct cgroup_taskset tset = { }; - tset.single.task = tsk; - tset.single.cgrp = cgrp; - ret = cgroup_allow_attach(cgrp, &tset); - if (ret) { - rcu_read_unlock(); - goto out_unlock_cgroup; - } + rcu_read_unlock(); + ret = -EACCES; + goto out_unlock_cgroup; } } else tsk = current; diff --git a/kernel/sched/core.c b/kernel/sched/core.c index 0fa11db49..77a197f65 100644 --- a/kernel/sched/core.c +++ b/kernel/sched/core.c @@ -8721,7 +8721,6 @@ struct cgroup_subsys cpu_cgroup_subsys = { .css_offline = cpu_cgroup_css_offline, .can_attach = cpu_cgroup_can_attach, .attach = cpu_cgroup_attach, - .allow_attach = subsys_cgroup_allow_attach, .exit = cpu_cgroup_exit, .subsys_id = cpu_cgroup_subsys_id, .base_cftypes = cpu_files, 
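Review bot: The denial branch restored in the `@@ -2220,18 +2183,9 @@` hunk of kernel/cgroup.c is now the only authorization decision for moving another task, and it has no comment stating that policy. With the `allow_attach` hook gone, a caller that holds CAP_SYS_NICE but is neither root nor a euid match for the target's uid or suid now gets `-EACCES`. Before this change, a hierarchy whose subsystems all implemented the hook (cpu and memory on this page) could admit such a caller through `subsys_cgroup_allow_attach()`, so userspace that relied on that path will presumably start failing, which the commit description should say. I would add above the `if`: `/* Only root, or a caller whose euid equals the target's uid or suid, may move another task. */`. The enclosing function begins and ends outside the hunk.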
diff --git a/mm/memcontrol.c b/mm/memcontrol.c index 0310efc94..36300fda5 100644 --- a/mm/memcontrol.c +++ b/mm/memcontrol.c @@ -6811,12 +6811,6 @@ static int mem_cgroup_can_attach(struct cgroup *cgroup, return ret; } -static int mem_cgroup_allow_attach(struct cgroup *cgroup, - struct cgroup_taskset *tset) -{ - return subsys_cgroup_allow_attach(cgroup, tset); -} - static void mem_cgroup_cancel_attach(struct cgroup *cgroup, struct cgroup_taskset *tset) { @@ -6985,11 +6979,6 @@ static int mem_cgroup_can_attach(struct cgroup *cgroup, { return 0; } -static int mem_cgroup_allow_attach(struct cgroup *cgroup, - struct cgroup_taskset *tset) -{ - return 0; -} static void mem_cgroup_cancel_attach(struct cgroup *cgroup, struct cgroup_taskset *tset) { @@ -7025,7 +7014,6 @@ struct cgroup_subsys mem_cgroup_subsys = { .can_attach = mem_cgroup_can_attach, .cancel_attach = mem_cgroup_cancel_attach, .attach = mem_cgroup_move_task, - .allow_attach = mem_cgroup_allow_attach, .bind = mem_cgroup_bind, .base_cftypes = mem_cgroup_files, .disabled = 1, /* Disable it for performance workaround */ |
