[Devel] [PATCH 1/3] cred: add ve_capable to check capabilities relative to the current VE

Vladimir Davydov vdavydov at parallels.com
Fri Aug 28 06:27:41 PDT 2015


On Fri, Aug 28, 2015 at 05:20:01PM +0400, Andrew Vagin wrote:

> +bool ve_capable(int cap)
> +{
> +	return ns_capable(get_exec_env()->init_cred->user_ns, cap);
> +}

init_cred is set in ve_grab_context, which means that if a task
occasionally uses ve_capable() before writing START to ve.state, the
kernel will panic. Please add a sanity check, which will make
ve_capable() fall back on capable() if init_cred is not available.



More information about the Devel mailing list