
Commit 73ba3534 authored by Serge Hallyn, committed by Tejun Heo

device_cgroup: remove can_attach



It is really only wanting to duplicate a check which is already done by the
cgroup subsystem.

With this patch, user jdoe still cannot move pid 1 into a devices cgroup
he owns, but now he can move his own other tasks into devices cgroups.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Cc: Aristeu Rozanski <aris@redhat.com>
parent 2ff2a7d0
+0 −11
@@ -63,16 +63,6 @@ static inline struct dev_cgroup *task_devcgroup(struct task_struct *task)

struct cgroup_subsys devices_subsys;

static int devcgroup_can_attach(struct cgroup_subsys_state *new_css,
				struct cgroup_taskset *set)
{
	struct task_struct *task = cgroup_taskset_first(set);

	if (current != task && !capable(CAP_SYS_ADMIN))
		return -EPERM;
	return 0;
}

/*
 * called under devcgroup_mutex
 */
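
Review bot: The removed test `current != task && !capable(CAP_SYS_ADMIN)` in devcgroup_can_attach is not a pure duplicate: it refused any move of another task without CAP_SYS_ADMIN, and the changelog itself says jdoe can now move his own other tasks, so this is a permission relaxation rather than a no-op cleanup. Please say so in the subject or first paragraph and name the cgroup-core check that now gates attachment, since it is not visible in this diff and reviewers need to confirm it covers the pid 1 case the message mentions. It is also worth recording that the old code only looked at cgroup_taskset_first(set), so the rest of the taskset was never checked here.
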
@@ -697,7 +687,6 @@ static struct cftype dev_cgroup_files[] = {

struct cgroup_subsys devices_subsys = {
	.name = "devices",
	.can_attach = devcgroup_can_attach,
	.css_alloc = devcgroup_css_alloc,
	.css_free = devcgroup_css_free,
	.css_online = devcgroup_online,
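
Review bot: With `.can_attach` dropped from devices_subsys, the devices controller has no attach-time veto of its own, and nothing in the struct records that this is deliberate. A one-line comment above devices_subsys stating that attach permission is left to the cgroup core would keep the callback from being reintroduced later as an apparent omission.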