[Devel] [PATCH RHEL7 COMMIT] ve/security: device_cgroup -- Allow manage devices in @pseudosuper state
Konstantin Khorenko
khorenko at virtuozzo.com
Fri Jun 17 02:06:56 PDT 2016
The commit is pushed to "branch-rh7-3.10.0-327.18.2.vz7.14.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-327.18.2.vz7.14.15
------>
commit 6504a698d0cb68644ad61f139e528c7fb605a246
Author: Cyrill Gorcunov <gorcunov at virtuozzo.com>
Date: Fri Jun 17 13:06:56 2016 +0400
ve/security: device_cgroup -- Allow manage devices in @pseudosuper state
When restoring containers with several disks it's more convenient
to mount the device first and then set up the permissions needed. So for this
sake we allow escaping device permission testing inside a VE only
if the @pseudosuper state is enabled.
https://jira.sw.ru/browse/PSBM-48421
CC: Vladimir Davydov <vdavydov at virtuozzo.com>
CC: Konstantin Khorenko <khorenko at virtuozzo.com>
CC: Andrey Vagin <avagin at openvz.org>
Signed-off-by: Cyrill Gorcunov <gorcunov at virtuozzo.com>
---
security/device_cgroup.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/security/device_cgroup.c b/security/device_cgroup.c
index 0a6d9c4..f94d08e 100644
--- a/security/device_cgroup.c
+++ b/security/device_cgroup.c
@@ -902,8 +902,24 @@ static int __devcgroup_check_permission(short type, u32 major, u32 minor,
minor, access);
rcu_read_unlock();
+#ifdef CONFIG_VE
+ /*
+ * When restoring container allow everything in
+ * pseudosuper state. We need this for early
+ * mounting of second ploop device. Still, don't
+ * change behaviour on the ve0.
+ */
+ if (!rc) {
+ struct ve_struct *ve = get_exec_env();
+
+ if (!ve_is_super(ve) && ve->is_pseudosuper)
+ return 0;
+ return -EPERM;
+ }
+#else
if (!rc)
return -EPERM;
+#endif
return 0;
}
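Review bot: the early `return 0` taken when `!ve_is_super(ve) && ve->is_pseudosuper` skips the devcgroup check for every device type, major/minor pair and access mode requested from inside the VE, not only for the second ploop device the comment names, so the comment and commit message should state that the bypass is only safe while restore has not yet started any container process and that is_pseudosuper must be cleared before it does. A smaller point: the CONFIG_VE branch repeats the `if (!rc) return -EPERM;` of the #else branch; folding the test into a single condition, e.g. `if (!rc && !devcgroup_in_pseudosuper_ve())` with a small static inline helper (name suggested here, not from the patch) that is a constant false without CONFIG_VE, would keep the deny path in one place and avoid the #ifdef duplication.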