Commit 4b7d4d45 authored by Harish Kasiviswanathan's avatar Harish Kasiviswanathan Committed by Alex Deucher
Browse files

device_cgroup: Export devcgroup_check_permission 



For AMD compute (amdkfd) driver.

All AMD compute devices are exported via single device node /dev/kfd. As
a result devices cannot be controlled individually using device cgroup.

AMD compute devices will rely on its graphics counterpart that exposes
/dev/dri/renderN node for each device. For each task (based on its
cgroup), KFD driver will check if /dev/dri/renderN node is accessible
before exposing it.

Signed-off-by: default avatarHarish Kasiviswanathan <Harish.Kasiviswanathan@amd.com>
Acked-by: default avatarTejun Heo <tj@kernel.org>
Acked-by: default avatarFelix Kuehling <Felix.Kuehling@amd.com>
Reviewed-by: default avatarRoman Gushchin <guro@fb.com>
Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
parent a3e520a2

include/linux/device_cgroup.h

+4 −15
Original line number Diff line number Diff line
@@ -12,26 +12,15 @@ 
#define DEVCG_DEV_ALL   4  /* this represents all devices */



#ifdef CONFIG_CGROUP_DEVICE

extern int __devcgroup_check_permission(short type, u32 major, u32 minor,

int devcgroup_check_permission(short type, u32 major, u32 minor,

			       short access);

#else

static inline int __devcgroup_check_permission(short type, u32 major, u32 minor,

static inline int devcgroup_check_permission(short type, u32 major, u32 minor,

					     short access)

{ return 0; }

#endif



#if defined(CONFIG_CGROUP_DEVICE) || defined(CONFIG_CGROUP_BPF)

static inline int devcgroup_check_permission(short type, u32 major, u32 minor,

					     short access)

{

	int rc = BPF_CGROUP_RUN_PROG_DEVICE_CGROUP(type, major, minor, access);



	if (rc)

		return -EPERM;



	return __devcgroup_check_permission(type, major, minor, access);

}



static inline int devcgroup_inode_permission(struct inode *inode, int mask)

{

	short type, access = 0;

security/device_cgroup.c

+13 −2
Original line number Diff line number Diff line
@@ -801,7 +801,7 @@ struct cgroup_subsys devices_cgrp_subsys = { 
 *

 * returns 0 on success, -EPERM case the operation is not permitted

 */

int __devcgroup_check_permission(short type, u32 major, u32 minor,

static int __devcgroup_check_permission(short type, u32 major, u32 minor,

					short access)

{

	struct dev_cgroup *dev_cgroup;
@@ -824,3 +824,14 @@ int __devcgroup_check_permission(short type, u32 major, u32 minor, 


	return 0;

}



int devcgroup_check_permission(short type, u32 major, u32 minor, short access)

{

	int rc = BPF_CGROUP_RUN_PROG_DEVICE_CGROUP(type, major, minor, access);



	if (rc)

		return -EPERM;



	return __devcgroup_check_permission(type, major, minor, access);

}

EXPORT_SYMBOL(devcgroup_check_permission);

CRA Git | Maintained and supported by SUSTech CRA and CCSE