[Devel] [PATCH RHEL7 COMMIT] ve/userns: allow unprivileged creation of the mount namespace.

Konstantin Khorenko khorenko at virtuozzo.com
Mon Jan 11 05:46:44 PST 2016


The commit is pushed to "branch-rh7-3.10.0-327.3.1-vz7.10.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-327.3.1.el7
------>
commit 2bf35f0914403ef0666c4a40540ab4f58bb02adf
Author: Andrey Ryabinin <aryabinin at virtuozzo.com>
Date:   Mon Jan 11 17:46:44 2016 +0400

    ve/userns: allow unprivileged creation of the mount namespace.
    
    RHEL 7.2 forbade unprivileged creation of the mount namespaces:
       "Until all of the bugs have been fixed and backported don't try and
        support unprivileged creation of the mount namespaces."
    
    First of all, this was done wrong - the error path lacks put_mnt_ns().
    Second, we need unprivileged creation of the mount namespace for docker
    inside a container, so this patch restores this ability.
    
    https://bugs.openvz.org/browse/OVZ-6646
    https://jira.sw.ru/browse/PSBM-42760
    
    Signed-off-by: Andrey Ryabinin <aryabinin at virtuozzo.com>
---
 fs/namespace.c | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/fs/namespace.c b/fs/namespace.c
index f94cd99..c66fa10 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -2652,10 +2652,6 @@ struct mnt_namespace *copy_mnt_ns(unsigned long flags, struct mnt_namespace *ns,
 	if (!(flags & CLONE_NEWNS))
 		return ns;
 
-	/* Unprivileged creation currently disabled in RHEL7  */
-	if (!capable(CAP_SYS_ADMIN))
-		return ERR_PTR(-EPERM);
-
 	new_ns = dup_mnt_ns(ns, user_ns, new_fs);
 
 	put_mnt_ns(ns);
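Review bot: the removed `return ERR_PTR(-EPERM);` left the reference taken on `ns` unreleased, because the matching `put_mnt_ns(ns);` only runs after `dup_mnt_ns()`; deleting the check does remove that leak as a side effect, but the commit message should state that explicitly rather than only hinting at it with "error path lacks put_mnt_ns()". More importantly, `if (!capable(CAP_SYS_ADMIN))` was the only privilege gate visible in this function and the removed comment says it was put there deliberately pending backports ("Until all of the bugs have been fixed and backported"), so the patch should either list which mount-namespace fixes are now present on this branch or keep the behaviour switchable (a VE-level or sysctl knob defaulting to the previous restricted behaviour) instead of a blanket deletion; "docker inside container" explains the feature need but does not address the security reason the check existed.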

