summaryrefslogtreecommitdiff
path: root/security/Makefile
diff options
context:
space:
mode:
authorOdin Ugedal <odin@ugedal.com>2020-04-03 19:55:28 +0200
committerTejun Heo <tj@kernel.org>2020-04-13 14:41:54 -0400
commiteec8fd0277e37cf447b88c6be181e81df867bcf1 (patch)
tree0110a5197275738dfd1d82cabecf277b521eac26 /security/Makefile
parent772b3140669246e1ab32392c490d338e2eb7b803 (diff)
device_cgroup: Cleanup cgroup eBPF device filter code
Original cgroup v2 eBPF code for filtering device access made it possible to compile with CONFIG_CGROUP_DEVICE=n and still use the eBPF filtering. Change commit 4b7d4d453fc4 ("device_cgroup: Export devcgroup_check_permission") reverted this, making it required to set it to y. Since the device filtering (and all the docs) for cgroup v2 is no longer a "device controller" like it was in v1, someone might compile their kernel with CONFIG_CGROUP_DEVICE=n. Then (for linux 5.5+) the eBPF filter will not be invoked, and all processes will be allowed access to all devices, no matter what the eBPF filter says. Signed-off-by: Odin Ugedal <odin@ugedal.com> Acked-by: Roman Gushchin <guro@fb.com> Signed-off-by: Tejun Heo <tj@kernel.org>
Diffstat (limited to 'security/Makefile')
-rw-r--r--security/Makefile2
1 files changed, 1 insertions, 1 deletions
diff --git a/security/Makefile b/security/Makefile
index 22e73a3482bd..3baf435de541 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -30,7 +30,7 @@ obj-$(CONFIG_SECURITY_YAMA) += yama/
obj-$(CONFIG_SECURITY_LOADPIN) += loadpin/
obj-$(CONFIG_SECURITY_SAFESETID) += safesetid/
obj-$(CONFIG_SECURITY_LOCKDOWN_LSM) += lockdown/
-obj-$(CONFIG_CGROUP_DEVICE) += device_cgroup.o
+obj-$(CONFIG_CGROUPS) += device_cgroup.o
obj-$(CONFIG_BPF_LSM) += bpf/
# Object integrity file lists