[Devel] [PATCH RHEL7 COMMIT] ve/cgroup: Guard @features and @iptables with test if VE is inactive

Konstantin Khorenko khorenko at virtuozzo.com
Thu May 28 05:43:50 PDT 2015


The commit is pushed to "branch-rh7-3.10.0-123.1.2-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-123.1.2.vz7.5.7
------>
commit dde71565735e0cc1039c63f8f819205662b1a1fb
Author: Cyrill Gorcunov <gorcunov at odin.com>
Date:   Thu May 28 16:43:50 2015 +0400

    ve/cgroup: Guard @features and @iptables with test if VE is inactive
    
    Currently we allow setting up new VE features and iptables mask even
    when the container is already running, which brings some vague meaning
    into the container state -- from the user's point of view it's unclear if
    the @features or @iptables belong to the running container or they
    were modified after and don't really apply to the running
    instance.
    
    Thus, when user space tools modify these members, make sure
    the container is offline.
    
    Reported-by: Kirill Tkhai <ktkhai at odin.com>
    Signed-off-by: Cyrill Gorcunov <gorcunov at odin.com>
    Acked-by: Kirill Tkhai <ktkhai at odin.com>
    
    CC: Vladimir Davydov <vdavydov at odin.com>
    CC: Konstantin Khorenko <khorenko at odin.com>
    CC: Pavel Emelyanov <xemul at odin.com>
    CC: Andrey Vagin <avagin at odin.com>
---
 kernel/ve/ve.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/kernel/ve/ve.c b/kernel/ve/ve.c
index fe34068..55b7d86 100644
--- a/kernel/ve/ve.c
+++ b/kernel/ve/ve.c
@@ -1108,11 +1108,19 @@ static u64 ve_read_u64(struct cgroup *cg, struct cftype *cft)
 
 static int ve_write_u64(struct cgroup *cg, struct cftype *cft, u64 value)
 {
+	struct ve_struct *ve = cgroup_ve(cg);
+
 	if (!ve_is_super(get_exec_env()))
 		return -EPERM;
 
+	down_write(&ve->op_sem);
+	if (ve->is_running || ve->ve_ns) {
+		up_write(&ve->op_sem);
+		return -EBUSY;
+	}
+
 	if (cft->private == VE_CF_FEATURES)
-		cgroup_ve(cg)->features = value;
+		ve->features = value;
 	else if (cft->private == VE_CF_IPTABLES_MASK) {
 		value &= ~VE_IP_IPTABLES6;
 		value &= ~VE_IP_FILTER6;
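Review bot: the new -EBUSY check tests two different fields, `ve->is_running || ve->ve_ns`, and nothing in the hunk says why both are needed (a VE that has its namespaces set up but is not yet marked running, or the reverse, during start/stop), so a one-line comment above the `if` stating which transition each field covers would help the next reader; it would also be worth noting in the commit message that `ve->op_sem` is the lock under which `is_running` and `ve_ns` change in the start/stop paths, since that is what makes the check race-free rather than a best-effort snapshot. The ordering is right: the `ve_is_super()` permission check stays first, so an unprivileged writer gets -EPERM without taking the semaphore. Since the write now fails with -EBUSY for a live container, the user-facing behaviour change should be documented where the `features` and `iptables_mask` cgroup files are described, and user space tools that write these files after start will need to handle the new error.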
@@ -1131,9 +1139,10 @@ static int ve_write_u64(struct cgroup *cg, struct cftype *cft, u64 value)
 		if (mask_ipt_allow(value, VE_IP_CONNTRACK))
 			value |= VE_NF_CONNTRACK;
 
-		cgroup_ve(cg)->ipt_mask = value;
+		ve->ipt_mask = value;
 	}
 
+	up_write(&ve->op_sem);
 	return 0;
 }
 
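Review bot: with `down_write(&ve->op_sem)` now held across the whole body there are two unlock sites, the early `up_write()` in the -EBUSY path and this one before `return 0;`, and the iptables branch between them is where future early returns are most likely to be added; an `out:` label with a single `up_write(&ve->op_sem);` and a `ret` variable would make the locking robust against that, e.g. `ret = -EBUSY; goto out;` in the busy path. In the visible lines every path does release the semaphore, and the `cgroup_ve(cg)->ipt_mask` to `ve->ipt_mask` change is a straightforward use of the hoisted local.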
