[RFC,v2,08/14] device_cgroup: Hide devcgroup functionality completely in lsm

Commit Message

Michael Weiß Oct. 18, 2023, 10:50 a.m. UTC

Now since all users of devcgroup_check_permission() have been
removed, all device cgroup related functionality is covered by
security hooks. Thus, move the public device_cgroup.h header
into the subfolder of the lsm module.

Signed-off-by: Michael Weiß <michael.weiss@aisec.fraunhofer.de>
---
 security/device_cgroup/device_cgroup.c                    | 3 ++-
 {include/linux => security/device_cgroup}/device_cgroup.h | 0
 security/device_cgroup/lsm.c                              | 3 ++-
 3 files changed, 4 insertions(+), 2 deletions(-)
 rename {include/linux => security/device_cgroup}/device_cgroup.h (100%)

Patch

diff --git a/security/device_cgroup/device_cgroup.c b/security/device_cgroup/device_cgroup.c
index dc4df7475081..1a8190929ec3 100644
--- a/security/device_cgroup/device_cgroup.c
+++ b/security/device_cgroup/device_cgroup.c
@@ -6,7 +6,6 @@ 
  */
 
 #include <linux/bpf-cgroup.h>
-#include <linux/device_cgroup.h>
 #include <linux/cgroup.h>
 #include <linux/ctype.h>
 #include <linux/list.h>
@@ -16,6 +15,8 @@ 
 #include <linux/rcupdate.h>
 #include <linux/mutex.h>
 
+#include "device_cgroup.h"
+
 #ifdef CONFIG_CGROUP_DEVICE
 
 static DEFINE_MUTEX(devcgroup_mutex);
diff --git a/include/linux/device_cgroup.h b/security/device_cgroup/device_cgroup.h
similarity index 100%
rename from include/linux/device_cgroup.h
rename to security/device_cgroup/device_cgroup.h
diff --git a/security/device_cgroup/lsm.c b/security/device_cgroup/lsm.c
index 987d2c20a577..a963536d0a15 100644
--- a/security/device_cgroup/lsm.c
+++ b/security/device_cgroup/lsm.c
@@ -11,9 +11,10 @@ 
  */
 
 #include <linux/bpf-cgroup.h>
-#include <linux/device_cgroup.h>
 #include <linux/lsm_hooks.h>
 
+#include "device_cgroup.h"
+
 static int devcg_dev_permission(umode_t mode, dev_t dev, int mask)
 {
 	short type, access = 0;