diff options
| author |   Odin Ugedal <odin@ugedal.com> | 2020-04-03 19:55:28 +0200 |
|---|---|---|
| committer |   Tejun Heo <tj@kernel.org> | 2020-04-13 14:41:54 -0400 |
| commit | eec8fd0277e37cf447b88c6be181e81df867bcf1 (patch) | |
| tree | 0110a5197275738dfd1d82cabecf277b521eac26 /security/Makefile | |
| parent | xattr: fix uninitialized out-param (diff) | |
| download | wireguard-linux-eec8fd0277e37cf447b88c6be181e81df867bcf1.tar.xz wireguard-linux-eec8fd0277e37cf447b88c6be181e81df867bcf1.zip | |
device_cgroup: Cleanup cgroup eBPF device filter code
Original cgroup v2 eBPF code for filtering device access made it
possible to compile with CONFIG_CGROUP_DEVICE=n and still use the eBPF
filtering. Change
commit 4b7d4d453fc4 ("device_cgroup: Export devcgroup_check_permission")
reverted this, making it required to set it to y.
Since the device filtering (and all the docs) for cgroup v2 is no longer
a "device controller" like it was in v1, someone might compile their
kernel with CONFIG_CGROUP_DEVICE=n. Then (for linux 5.5+) the eBPF
filter will not be invoked, and all processes will be allowed access
to all devices, no matter what the eBPF filter says.
Signed-off-by: Odin Ugedal <odin@ugedal.com>
Acked-by: Roman Gushchin <guro@fb.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Diffstat (limited to 'security/Makefile')
| -rw-r--r-- | security/Makefile | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/security/Makefile b/security/Makefile index 22e73a3482bd..3baf435de541 100644 --- a/security/Makefile +++ b/security/Makefile @@ -30,7 +30,7 @@ obj-$(CONFIG_SECURITY_YAMA) += yama/ obj-$(CONFIG_SECURITY_LOADPIN) += loadpin/ obj-$(CONFIG_SECURITY_SAFESETID) += safesetid/ obj-$(CONFIG_SECURITY_LOCKDOWN_LSM) += lockdown/ -obj-$(CONFIG_CGROUP_DEVICE) += device_cgroup.o +obj-$(CONFIG_CGROUPS) += device_cgroup.o obj-$(CONFIG_BPF_LSM) += bpf/ # Object integrity file lists |