diff --git a/security/device_cgroup.c b/security/device_cgroup.c
index 4b877a92a7ea..e3ce02a00ffc 100644
--- a/security/device_cgroup.c
+++ b/security/device_cgroup.c
@@ -42,6 +42,7 @@ struct dev_whitelist_item {
 struct dev_cgroup {
 struct cgroup_subsys_state css;
 struct list_head whitelist;
+ bool deny_all;
 };
 static inline struct dev_cgroup *css_to_devcgroup(struct cgroup_subsys_state *s)
@@ -178,12 +179,14 @@ static struct cgroup_subsys_state *devcgroup_create(struct cgroup *cgroup)
 wh->minor = wh->major = ~0;
 wh->type = DEV_ALL;
 wh->access = ACC_MASK;
+ dev_cgroup->deny_all = false;
 list_add(&wh->list, &dev_cgroup->whitelist);
 } else {
 parent_dev_cgroup = cgroup_to_devcgroup(parent_cgroup);
 mutex_lock(&devcgroup_mutex);
 ret = dev_whitelist_copy(&dev_cgroup->whitelist, &parent_dev_cgroup->whitelist);
+ dev_cgroup->deny_all = parent_dev_cgroup->deny_all;
 mutex_unlock(&devcgroup_mutex);
 if (ret) {
 kfree(dev_cgroup);
@@ -409,9 +412,11 @@ static int devcgroup_update_access(struct dev_cgroup *devcgroup,
 case DEVCG_ALLOW:
 if (!parent_has_perm(devcgroup, &wh))
 return -EPERM;
+ devcgroup->deny_all = false;
 return dev_whitelist_add(devcgroup, &wh);
 case DEVCG_DENY:
 dev_whitelist_rm(devcgroup, &wh);
+ devcgroup->deny_all = true;
 break;
 default:
 return -EINVAL;
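Review bot: The new `deny_all` member of struct dev_cgroup has no comment, and its name does not match what the patch actually tracks: in devcgroup_update_access it is set on every DEVCG_DENY and cleared on every DEVCG_ALLOW, whatever the scope of the entry, and devcgroup_create copies the parent's value into a child (false for the root). Since this is state that other code will presumably consult to decide access, the meaning should be written next to the field, e.g. `/* true if the most recent update was a deny; inherited from the parent at creation */`. If the intent really is "all devices are denied", the name is misleading and the DEVCG_DENY site should be qualified accordingly (see the note on that hunk). The struct definition starts before this hunk.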
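Review bot: In the DEVCG_ALLOW case `devcgroup->deny_all = false` is written before dev_whitelist_add() runs, so when the add fails and its error is returned the flag has already been cleared while the whitelist is unchanged, leaving the cgroup looking more permissive than it is. Record the result first: `int rc = dev_whitelist_add(devcgroup, &wh); if (!rc) devcgroup->deny_all = false; return rc;`. Whether dev_whitelist_add() can fail is not visible here — presumably it allocates — so confirm against its definition. In the DEVCG_DENY case the flag is set for any deny, including one that removes a single device rather than the DEV_ALL entry; if the flag is meant literally, it should only be set when the denied entry covers all devices (`wh.type == DEV_ALL` with full access), otherwise rename it. devcgroup_update_access begins and ends outside this hunk, and whether devcgroup_mutex is held on this path is not visible.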