[Devel] [PATCH rh7] cgroup: ve -- Guard @features and @iptables with test if VE is inactive

Cyrill Gorcunov gorcunov at odin.com
Thu May 28 02:26:18 PDT 2015


Currently we allow setting up new VE features and an iptables mask even
when the container is already running, which brings some vague meaning
into the container state -- from the user's point of view it's unclear
whether the @features or @iptables belong to the running container or
were modified afterwards and don't really apply to the running
instance.

Thus, when user space tools modify these members, make sure
the container is offline.

Reported-by: Kirill Tkhai <ktkhai at odin.com>
Signed-off-by: Cyrill Gorcunov <gorcunov at odin.com>
CC: Vladimir Davydov <vdavydov at odin.com>
CC: Konstantin Khorenko <khorenko at odin.com>
CC: Pavel Emelyanov <xemul at odin.com>
CC: Andrey Vagin <avagin at odin.com>
---
 kernel/ve/ve.c |   13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

Index: linux-pcs7.git/kernel/ve/ve.c
===================================================================
--- linux-pcs7.git.orig/kernel/ve/ve.c
+++ linux-pcs7.git/kernel/ve/ve.c
@@ -1108,11 +1108,19 @@ static u64 ve_read_u64(struct cgroup *cg
 
 static int ve_write_u64(struct cgroup *cg, struct cftype *cft, u64 value)
 {
+	struct ve_struct *ve = cgroup_ve(cg);
+
 	if (!ve_is_super(get_exec_env()))
 		return -EPERM;
 
+	down_write(&ve->op_sem);
+	if (ve->is_running || ve->ve_ns) {
+		up_write(&ve->op_sem);
+		return -EBUSY;
+	}
+
 	if (cft->private == VE_CF_FEATURES)
-		cgroup_ve(cg)->features = value;
+		ve->features = value;
 	else if (cft->private == VE_CF_IPTABLES_MASK) {
 		value &= ~VE_IP_IPTABLES6;
 		value &= ~VE_IP_FILTER6;
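Review bot: the new guard tests `ve->is_running || ve->ve_ns`, but neither the commit message nor the code says why `ve_ns` is checked in addition to `is_running`; a one-line comment above the `if` (e.g. that a VE which already has namespaces attached is considered started even before `is_running` is set) would make the "inactive" condition from the subject line explicit and keep the two flags from drifting apart later. Also, the `ve_is_super(get_exec_env())` permission check stays outside `op_sem`, which is correct, since it does not depend on VE state; returning -EBUSY rather than -EPERM for the running case is a sensible distinction for userspace tools to act on.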
@@ -1131,9 +1139,10 @@ static int ve_write_u64(struct cgroup *c
 		if (mask_ipt_allow(value, VE_IP_CONNTRACK))
 			value |= VE_NF_CONNTRACK;
 
-		cgroup_ve(cg)->ipt_mask = value;
+		ve->ipt_mask = value;
 	}
 
+	up_write(&ve->op_sem);
 	return 0;
 }
 
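Review bot: lock balance in this hunk is correct: the success path now releases `op_sem`, matching the `up_write()` on the -EBUSY path, and the -EPERM return happens before `down_write()` so it needs none. Since `ve->features` and `ve->ipt_mask` are now only written under `op_sem` while the VE is offline, consider adding a short comment (above `ve_write_u64` or at the field definitions) stating that `op_sem` protects them and they are fixed once the VE is started; the diffstat shows only kernel/ve/ve.c changing, so the header declaring `struct ve_struct` is not touched by this patch. The read side (`ve_read_u64`, visible only in the first hunk header) is not in this diff, so whether it also takes `op_sem` cannot be judged here.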


