    device_cgroup: Cleanup cgroup eBPF device filter code · eec8fd02
    Odin Ugedal authored
    Original cgroup v2 eBPF code for filtering device access made it
    possible to compile with CONFIG_CGROUP_DEVICE=n and still use the eBPF
    filtering. Change
    commit 4b7d4d45 ("device_cgroup: Export devcgroup_check_permission")
    reverted this, making it required to set it to y.
    
    Since the device filtering (and all the docs) for cgroup v2 is no longer
    a "device controller" like it was in v1, someone might compile their
    kernel with CONFIG_CGROUP_DEVICE=n. Then (for linux 5.5+) the eBPF
    filter will not be invoked, and all processes will be allowed access
    to all devices, no matter what the eBPF filter says.
    Signed-off-by: Odin Ugedal <odin@ugedal.com>
    Acked-by: Roman Gushchin <guro@fb.com>
    Signed-off-by: Tejun Heo <tj@kernel.org>
device_cgroup.c 21.1 KB
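The failure mode the commit message describes is silent: on a 5.5+ kernel built with CONFIG_CGROUP_DEVICE=n, a cgroup v2 eBPF device program can still be attached, but it is never consulted and every process keeps full device access. The script below is an added example, not part of the kernel commit or the kernel tree; it reads a kernel .config (the sample fragments it writes are constructed, not real kernel output) together with a version string and reports whether device filtering would actually be enforced according to the behaviour the commit message states. The function names (`config_val`, `kernel_at_least`, `devfilter_status`, `sample_config`) are the example's own.

```shell
#!/bin/sh
# Added example (not kernel code): decide from a .config and a kernel version
# whether cgroup v2 eBPF device filtering is actually enforced. Per the commit
# message, on Linux 5.5+ without this fix the filter is skipped entirely when
# CONFIG_CGROUP_DEVICE=n; before 5.5 it still worked with that option off.

# config_val FILE SYMBOL -> prints y, m or n (n also when the symbol is absent
# or appears as "# SYMBOL is not set")
config_val() {
    _line=$(grep -E "^(# )?$2[= ]" "$1" 2>/dev/null | head -n 1)
    case "$_line" in
        "$2=y") echo y ;;
        "$2=m") echo m ;;
        *)      echo n ;;
    esac
}

# kernel_at_least VERSION MAJOR MINOR -> succeeds if VERSION >= MAJOR.MINOR
# (accepts uname -r style strings such as 5.5.0-rc1 or 5.10.0-generic)
kernel_at_least() {
    _maj=${1%%.*}
    _rest=${1#*.}
    _min=${_rest%%.*}
    _min=${_min%%[!0-9]*}
    [ "$_maj" -gt "$2" ] || { [ "$_maj" -eq "$2" ] && [ "$_min" -ge "$3" ]; }
}

# devfilter_status FILE VERSION -> prints "enforced" or "not-enforced"
devfilter_status() {
    _bpf=$(config_val "$1" CONFIG_CGROUP_BPF)
    _dev=$(config_val "$1" CONFIG_CGROUP_DEVICE)
    if [ "$_bpf" != y ]; then
        echo not-enforced   # no cgroup BPF support at all, so no device program can run
    elif [ "$_dev" = y ]; then
        echo enforced       # the configuration the commit message says is required
    elif kernel_at_least "$2" 5 5; then
        echo not-enforced   # 5.5+ with CONFIG_CGROUP_DEVICE=n: filter never invoked
    else
        echo enforced       # pre-5.5 behaviour: eBPF filter works without the option
    fi
}

# sample_config FILE y|n -> writes a constructed .config fragment (not real
# kernel output) with CONFIG_CGROUP_BPF=y and CONFIG_CGROUP_DEVICE set or unset
sample_config() {
    if [ "$2" = y ]; then
        printf 'CONFIG_CGROUP_BPF=y\nCONFIG_CGROUP_DEVICE=y\n' > "$1"
    else
        printf 'CONFIG_CGROUP_BPF=y\n# CONFIG_CGROUP_DEVICE is not set\n' > "$1"
    fi
}

# Demo run over the constructed fragments
tmp=$(mktemp)
sample_config "$tmp" n
echo "5.6.0, CONFIG_CGROUP_DEVICE=n: $(devfilter_status "$tmp" 5.6.0)"   # not-enforced
echo "5.4.0, CONFIG_CGROUP_DEVICE=n: $(devfilter_status "$tmp" 5.4.0)"   # enforced
sample_config "$tmp" y
echo "5.6.0, CONFIG_CGROUP_DEVICE=y: $(devfilter_status "$tmp" 5.6.0)"   # enforced
rm -f "$tmp"
```

On a running system the same check can be pointed at `/boot/config-$(uname -r)` or at a decompressed copy of `/proc/config.gz`, with `uname -r` as the version argument; the point is to verify CONFIG_CGROUP_DEVICE=y before trusting a BPF device program to restrict anything.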