blkdev: cgroup whitelist permission fix

The cgroup device whitelist code gets confused when trying to grant
permission to a disk partition that is not currently open.  Part of
blkdev_open() includes __blkdev_get() on the whole disk.

Basically, the only ways to reliably allow a cgroup access to a partition
on a block device when using the whitelist are to 1) also give it access
to the whole block device or 2) make sure the partition is already open in
a different context.

The patch avoids the cgroup check for the whole disk case when opening a
partition.

Addresses https://bugzilla.redhat.com/show_bug.cgi?id=589662

Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Acked-by: Serge E. Hallyn <serue@us.ibm.com>
Tested-by: Serge E. Hallyn <serue@us.ibm.com>
Reported-by: Vivek Goyal <vgoyal@redhat.com>
Cc: Al Viro <viro@ZenIV.linux.org.uk>
Cc: Christoph Hellwig <hch@infradead.org>
Cc: "Daniel P. Berrange" <berrange@redhat.com>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

diff --git a/fs/block_dev.c b/fs/block_dev.c
index 66411463b734ce4ae90c9cab498d1dfa3e2a107f..50e8c8582faa06a38bae5beb66c4f3ec8af929f3 100644 (file)
--- a/fs/block_dev.c
+++ b/fs/block_dev.c
@@ -1340,10 +1340,12 @@ static int __blkdev_get(struct block_device *bdev, fmode_t mode, int for_part)
        /*
         * hooks: /n/, see "layering violations".
         */
-       ret = devcgroup_inode_permission(bdev->bd_inode, perm);
-       if (ret != 0) {
-               bdput(bdev);
-               return ret;
+       if (!for_part) {
+               ret = devcgroup_inode_permission(bdev->bd_inode, perm);
+               if (ret != 0) {
+                       bdput(bdev);
+                       return ret;
+               }
        }
 
  restart: