[Devel] [PATCH RHEL7 COMMIT] cgroup: mount -- Disable mounting from inside of VE context

Konstantin Khorenko khorenko at virtuozzo.com
Fri May 29 05:50:49 PDT 2015 

The commit is pushed to "branch-rh7-3.10.0-123.1.2-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-123.1.2.vz7.5.7
------>
commit bd28914a36ef98c893dbeb269a0bd4859151936e
Author: Cyrill Gorcunov <gorcunov at odin.com>
Date:   Fri May 29 16:50:49 2015 +0400

    cgroup: mount -- Disable mounting from inside of VE context
    
    Even mounting knowing cgroups (ie ones which already known to VE and
    been mounted by vzctl or any other tool for containter sake) is not
    that harmless as it might look like. In particular this introduce
    additional performance hit. So because we are using bindmount
    strategy to grant cgorups to VE we don't need to mount it from
    inside of VE anymore and can simply disable.
    
    khorenko@:
    This patch reverts commit 8d96fa6e147c
    ("ve/cgroup: Allow mounting existing cgroups inside container").
    Previously we enabled possiblity to mount cgroups from inside a CT
    because CRIU required it on restore.
    Now we have tought libvzctl to prepare cgroups before CRIU restore,
    so we are safe to disable this back.
    
    Signed-off-by: Cyrill Gorcunov <gorcunov at virtuozzo.com>
    Reviewed-by: Vladimir Davydov <vdavydov at parallels.com>
    
    CC: Konstantin Khorenko <khorenko at virtuozzo.com>
    CC: Pavel Emelyanov <xemul at virtuozzo.com>
    CC: Andrey Vagin <avagin at virtuozzo.com>
---
 kernel/cgroup.c | 18 +++++-------------
 1 file changed, 5 insertions(+), 13 deletions(-)

diff --git a/kernel/cgroup.c b/kernel/cgroup.c
index 47013a0..2e40430 100644
--- a/kernel/cgroup.c
+++ b/kernel/cgroup.c
@@ -1572,6 +1572,11 @@ static struct dentry *cgroup_mount(struct file_system_type *fs_type,
 	struct cgroupfs_root *new_root;
 	struct inode *inode;
 
+#ifdef CONFIG_VE
+	if (!ve_is_super(get_exec_env()) && !(flags & MS_KERNMOUNT))
+		return ERR_PTR(-EACCES);
+#endif
+
 	/* First find the desired set of subsystems */
 	if (!(flags & MS_KERNMOUNT)) {
 		mutex_lock(&cgroup_mutex);
@@ -1615,19 +1620,6 @@ static struct dentry *cgroup_mount(struct file_system_type *fs_type,
 		int i;
 		struct css_set *cg;
 
-#ifdef CONFIG_VE
-		/*
-		 * We don't allow to mount new roots from inside
-		 * of container (but have to allow mounting existing
-		 * cgroups, because the VE restore procedure is
-		 * implemented from inside of container environment).
-		 */
-		if (!ve_is_super(get_exec_env())) {
-			ret = -EACCES;
-			goto drop_new_super;
-		}
-#endif
-
 		BUG_ON(sb->s_root != NULL);
 
 		ret = cgroup_get_rootdir(sb);

More information about the Devel mailing list