[Devel] [patch rh7 1/2] cgroup: mount -- Disable mounting from inside of VE context

Cyrill Gorcunov gorcunov at odin.com
Tue May 26 08:00:51 PDT 2015


Even mounting known cgroups (i.e. ones which are already known to VE and
have been mounted by vzctl or any other tool for the container's sake) is not
as harmless as it might look. In particular, this introduces an
additional performance hit. So because we are using a bindmount
strategy to grant cgroups to VE, we don't need to mount it from
inside of VE anymore and can simply disable it.

Signed-off-by: Cyrill Gorcunov <gorcunov at virtuozzo.com>
CC: Vladimir Davydov <vdavydov at virtuozzo.com>
CC: Konstantin Khorenko <khorenko at virtuozzo.com>
CC: Pavel Emelyanov <xemul at virtuozzo.com>
CC: Andrey Vagin <avagin at virtuozzo.com>
---
 kernel/cgroup.c |   18 +++++-------------
 1 file changed, 5 insertions(+), 13 deletions(-)

Index: linux-pcs7.git/kernel/cgroup.c
===================================================================
--- linux-pcs7.git.orig/kernel/cgroup.c
+++ linux-pcs7.git/kernel/cgroup.c
@@ -1572,6 +1572,11 @@ static struct dentry *cgroup_mount(struc
 	struct cgroupfs_root *new_root;
 	struct inode *inode;
 
+#ifdef CONFIG_VE
+	if (!ve_is_super(get_exec_env()) && !(flags & MS_KERNMOUNT))
+		return ERR_PTR(-EACCES);
+#endif
+
 	/* First find the desired set of subsystems */
 	if (!(flags & MS_KERNMOUNT)) {
 		mutex_lock(&cgroup_mutex);
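Review bot: the new early check in cgroup_mount() has no comment explaining why every non-MS_KERNMOUNT mount from a non-super VE is refused, while the comment it replaces (in the next hunk) did state the rationale and its restore-related exception; please carry a short comment over, e.g. "Containers get cgroups via bind mounts set up from the host, so no cgroupfs mounts are allowed from inside a VE", so a later reader does not reintroduce the old exception. The placement is fine since it runs before cgroup_mutex is taken and still lets kernel-internal MS_KERNMOUNT mounts through.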
@@ -1615,19 +1620,6 @@ static struct dentry *cgroup_mount(struc
 		int i;
 		struct css_set *cg;
 
-#ifdef CONFIG_VE
-		/*
-		 * We don't allow to mount new roots from inside
-		 * of container (but have to allow mounting existing
-		 * cgroups, because the VE restore procedure is
-		 * implemented from inside of container environment).
-		 */
-		if (!ve_is_super(get_exec_env())) {
-			ret = -EACCES;
-			goto drop_new_super;
-		}
-#endif
-
 		BUG_ON(sb->s_root != NULL);
 
 		ret = cgroup_get_rootdir(sb);
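Review bot: the removed comment documents that mounting existing cgroups was deliberately allowed because the VE restore procedure runs from inside the container; with the first hunk rejecting all in-VE mounts, the commit message should state explicitly that restore no longer mounts cgroups from inside and relies on the host-side bind mounts, otherwise this reads as a potential restore regression. Also worth confirming that the drop_new_super label still has other users in this function, since this hunk removes one goto to it.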
