[Devel] [PATCH RHEL7 COMMIT] ve/vfs: allow mount/umount, pivot_root with CAP_VE_SYS_ADMIN

Konstantin Khorenko khorenko at virtuozzo.com
Mon Jul 6 06:27:37 PDT 2015


The commit is pushed to "branch-rh7-3.10.0-123.1.2-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-123.1.2.vz7.5.24
------>
commit b84f628152b50a89e8e1023bb78963fadfdc7026
Author: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
Date:   Mon Jul 6 17:27:37 2015 +0400

    ve/vfs: allow mount/umount, pivot_root with CAP_VE_SYS_ADMIN
    
    Patchset description:
    
    capability fixes for docker
    
    allow what docker wants, need it to run integration-cli tests
    when we will prohibit CAP_SYS_ADMIN and CAP_NET_ADMIN in CT
    
    * after switching to user namespaces we won't need those patches
      which is planned in the scope of
      https://jira.sw.ru/browse/PSBM-33304
    
    to test without CAP_SYS_ADMIN and CAP_NET_ADMIN:
    vzctl set 206 --capability net_admin:off \
    	--capability sys_admin:off --save
    
    Pavel Tikhomirov (3):
      vfs: allow mount/umount, pivot_root with CAP_VE_SYS_ADMIN
      rtnl: allow move network devices into network namespace in CT
      vfs: allow mount proc and mqueue inside container
    
    ################################################################
    This patch description:
    
    need this for docker as docker tries to mount:
    mount("","/","", MS_PRIVATE | MS_REC, "")
    and as we will not allow CAP_SYS_ADMIN in container.
    
    * after switching to user namespaces we won't need this patch
    https://jira.sw.ru/browse/PSBM-34523
    
    Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
---
 fs/namespace.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/fs/namespace.c b/fs/namespace.c
index b9dfd0c..a73464f 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -1306,7 +1306,9 @@ static int do_umount(struct mount *mnt, int flags)
  */
 static inline bool may_mount(void)
 {
-	return ns_capable(current->nsproxy->mnt_ns->user_ns, CAP_SYS_ADMIN) || nsown_capable(CAP_SYS_ADMIN);
+	return ns_capable(current->nsproxy->mnt_ns->user_ns, CAP_SYS_ADMIN) ||
+	                  nsown_capable(CAP_SYS_ADMIN) ||
+	                  nsown_capable(CAP_VE_SYS_ADMIN);
 }
 
 /*
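Review bot: the new nsown_capable(CAP_VE_SYS_ADMIN) branch in may_mount() is much wider than the motivation given in the description. may_mount() is the single gate for every entry point in this file (do_umount, pivot_root, and the bind, move, remount, propagation-change and new-mount paths of do_mount), not just the `mount("", "/", "", MS_PRIVATE | MS_REC, "")` call docker issues, so any process holding CAP_VE_SYS_ADMIN in its own user namespace can now perform all of them; the commit message should state that scope, and the comment block above may_mount() should mention the VE capability so the next reader does not assume CAP_SYS_ADMIN is still required. Since the description marks this as temporary until user namespaces land (PSBM-34523), a short comment pointing at that is also worth adding next to the new line. Minor style point: the continuation lines `+	                  nsown_capable(CAP_SYS_ADMIN) ||` use a tab followed by spaces; kernel style is a second tab, or alignment under the opening parenthesis.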

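The mount(2) call the patch description says docker makes, as an added probe that is not part of this patch or of the vzkernel tree: it attempts the recursive MS_PRIVATE change on "/" and reports whether the kernel's may_mount() check let it through. The function names probe_private_root and describe are chosen here. On an unmodified kernel the call needs CAP_SYS_ADMIN over the mount namespace, so a container started with sys_admin off gets EPERM; with this patch applied a holder of CAP_VE_SYS_ADMIN passes as well. Linux only.

```c
/* Added example, not code from the OpenVZ patch: probe whether the caller
 * may perform the mount(2) call quoted in the commit message,
 *     mount("", "/", "", MS_PRIVATE | MS_REC, "")
 * which makes the whole mount tree private and is gated by may_mount().
 */
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>

/* Returns 0 if the recursive MS_PRIVATE change on "/" succeeded, otherwise
 * the errno from mount(2). EPERM is what the kernel returns when may_mount()
 * fails, i.e. no CAP_SYS_ADMIN (or, with this patch, CAP_VE_SYS_ADMIN). */
int probe_private_root(void)
{
    /* Best effort isolation so a successful probe only changes propagation
     * in a private copy of the mount tree. unshare(CLONE_NEWNS) is itself
     * gated on CAP_SYS_ADMIN, so its failure is not the result we report;
     * the mount() below is the actual check. */
    (void)unshare(CLONE_NEWNS);

    if (mount("", "/", "", MS_PRIVATE | MS_REC, "") == 0)
        return 0;
    return errno;
}

/* Translate the probe result into the terms the patch description uses. */
const char *describe(int err)
{
    switch (err) {
    case 0:
        return "allowed: may_mount() passed";
    case EPERM:
        return "denied: may_mount() failed, no CAP_SYS_ADMIN over this mount namespace";
    default:
        return strerror(err);
    }
}

int main(void)
{
    int err = probe_private_root();

    printf("mount(\"\", \"/\", \"\", MS_PRIVATE|MS_REC, \"\") -> %s\n",
           describe(err));
    return err ? 1 : 0;
}
```

Build with `cc -o probe probe.c`, run it once as root and once with the capability dropped, for example `capsh --drop=cap_sys_admin -- -c ./probe`, to see both outcomes; inside a container the `vzctl set ... --capability sys_admin:off --save` switch from the patchset description is the equivalent.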