device_cgroup: Cleanup cgroup eBPF device filter code

/* Check with device cgroup if @kfd device is accessible */

static inline int kfd_devcgroup_check_permission(struct kfd_dev *kfd)

{

#if defined(CONFIG_CGROUP_DEVICE)

#if defined(CONFIG_CGROUP_DEVICE) || defined(CONFIG_CGROUP_BPF)

	struct drm_device *ddev = kfd->ddev;

	return devcgroup_check_permission(DEVCG_DEV_CHAR, ddev->driver->major,

/* SPDX-License-Identifier: GPL-2.0 */

#include <linux/fs.h>

#include <linux/bpf-cgroup.h>

#define DEVCG_ACC_MKNOD 1

#define DEVCG_ACC_READ  2

#define DEVCG_DEV_CHAR  2

#define DEVCG_DEV_ALL   4  /* this represents all devices */

#ifdef CONFIG_CGROUP_DEVICE

int devcgroup_check_permission(short type, u32 major, u32 minor,

			       short access);

#else

static inline int devcgroup_check_permission(short type, u32 major, u32 minor,

					     short access)

{ return 0; }

#endif

#if defined(CONFIG_CGROUP_DEVICE) || defined(CONFIG_CGROUP_BPF)

int devcgroup_check_permission(short type, u32 major, u32 minor,

			       short access);

static inline int devcgroup_inode_permission(struct inode *inode, int mask)

{

	short type, access = 0;

}

#else

static inline int devcgroup_check_permission(short type, u32 major, u32 minor,

			       short access)

{ return 0; }

static inline int devcgroup_inode_permission(struct inode *inode, int mask)

{ return 0; }

static inline int devcgroup_inode_mknod(int mode, dev_t dev)

obj-$(CONFIG_SECURITY_LOADPIN)		+= loadpin/

obj-$(CONFIG_SECURITY_SAFESETID)       += safesetid/

obj-$(CONFIG_SECURITY_LOCKDOWN_LSM)	+= lockdown/

obj-$(CONFIG_CGROUP_DEVICE)		+= device_cgroup.o

obj-$(CONFIG_CGROUPS)			+= device_cgroup.o

obj-$(CONFIG_BPF_LSM)			+= bpf/

# Object integrity file lists

#include <linux/rcupdate.h>

#include <linux/mutex.h>

#ifdef CONFIG_CGROUP_DEVICE

static DEFINE_MUTEX(devcgroup_mutex);

enum devcg_behavior {

};

/**

 * __devcgroup_check_permission - checks if an inode operation is permitted

 * devcgroup_legacy_check_permission - checks if an inode operation is permitted

 * @dev_cgroup: the dev cgroup to be tested against

 * @type: device type

 * @major: device major number

 *

 * returns 0 on success, -EPERM case the operation is not permitted

 */

static int __devcgroup_check_permission(short type, u32 major, u32 minor,

static int devcgroup_legacy_check_permission(short type, u32 major, u32 minor,

					short access)

{

	struct dev_cgroup *dev_cgroup;

	return 0;

}

#endif /* CONFIG_CGROUP_DEVICE */

#if defined(CONFIG_CGROUP_DEVICE) || defined(CONFIG_CGROUP_BPF)

int devcgroup_check_permission(short type, u32 major, u32 minor, short access)

{

	int rc = BPF_CGROUP_RUN_PROG_DEVICE_CGROUP(type, major, minor, access);

	if (rc)

		return -EPERM;

	return __devcgroup_check_permission(type, major, minor, access);

	#ifdef CONFIG_CGROUP_DEVICE

	return devcgroup_legacy_check_permission(type, major, minor, access);

	#else /* CONFIG_CGROUP_DEVICE */

	return 0;

	#endif /* CONFIG_CGROUP_DEVICE */

}

EXPORT_SYMBOL(devcgroup_check_permission);

#endif /* defined(CONFIG_CGROUP_DEVICE) || defined(CONFIG_CGROUP_BPF) */