[Devel] [PATCH rh7 2/6] Drop VZCTL_ENV_CREATE

Vladimir Davydov vdavydov at virtuozzo.com
Mon Jun 20 09:40:12 PDT 2016


It's getting too difficult to support it. Since we've been using cgroup
interface for creating VE for quite a while, let's drop it.

Signed-off-by: Vladimir Davydov <vdavydov at virtuozzo.com>
---
 include/linux/device_cgroup.h |   1 -
 include/linux/fairsched.h     |   7 -
 include/linux/sched.h         |   1 -
 include/linux/ve.h            |   8 -
 include/linux/ve_proto.h      |   4 -
 kernel/fairsched.c            |  64 +------
 kernel/ve/ve.c                |   8 +-
 kernel/ve/vecalls.c           | 437 +-----------------------------------------
 security/device_cgroup.c      |  46 -----
 9 files changed, 5 insertions(+), 571 deletions(-)

diff --git a/include/linux/device_cgroup.h b/include/linux/device_cgroup.h
index 32588bb8fb4e..64c2da27278c 100644
--- a/include/linux/device_cgroup.h
+++ b/include/linux/device_cgroup.h
@@ -17,7 +17,6 @@ extern int devcgroup_device_visible(umode_t mode, int major,
 		int start_minor, int nr_minors);
 
 struct cgroup;
-int devcgroup_default_perms_ve(struct cgroup *cgroup);
 int devcgroup_set_perms_ve(struct cgroup *cgroup, unsigned, dev_t, unsigned);
 struct ve_struct;
 int devcgroup_seq_show_ve(struct cgroup *devices_root, struct ve_struct *ve, struct seq_file *m);
diff --git a/include/linux/fairsched.h b/include/linux/fairsched.h
index e242c0d4c065..615e88928e25 100644
--- a/include/linux/fairsched.h
+++ b/include/linux/fairsched.h
@@ -51,10 +51,6 @@ asmlinkage long sys_fairsched_cpumask(unsigned int id, unsigned int len,
 asmlinkage long sys_fairsched_nodemask(unsigned int id, unsigned int len,
 				       unsigned long __user *user_mask_ptr);
 
-int fairsched_new_node(int id, unsigned int vcpus);
-int fairsched_move_task(int id, struct task_struct *tsk);
-void fairsched_drop_node(int id, int leave);
-
 int fairsched_get_cpu_stat(const char *name, struct kernel_cpustat *kstat);
 
 int cpu_cgroup_get_avenrun(struct cgroup *cgrp, unsigned long *avenrun);
@@ -71,9 +67,6 @@ int fairsched_show_loadavg(const char *name, struct seq_file *p);
 
 #else /* CONFIG_VZ_FAIRSCHED */
 
-static inline int fairsched_new_node(int id, unsigned int vcpus) { return 0; }
-static inline int fairsched_move_task(int id, struct task_struct *tsk) { return 0; }
-static inline void fairsched_drop_node(int id, int leave) { }
 static inline int fairsched_show_stat(const char *name, struct seq_file *p) { return -ENOSYS; }
 static inline int fairsched_show_loadavg(const char *name, struct seq_file *p) { return -ENOSYS; }
 static inline int fairsched_get_cpu_avenrun(const char *name, unsigned long *avenrun) { return -ENOSYS; }
diff --git a/include/linux/sched.h b/include/linux/sched.h
index 21775a21f8ab..84a9888b2483 100644
--- a/include/linux/sched.h
+++ b/include/linux/sched.h
@@ -1241,7 +1241,6 @@ struct task_struct {
 	unsigned in_execve:1;	/* Tell the LSMs that the process is doing an
 				 * execve */
 	unsigned in_iowait:1;
-	unsigned did_ve_enter:1;
 	unsigned no_new_privs:1; /* task may not gain privileges */
 	unsigned may_throttle:1;
 
diff --git a/include/linux/ve.h b/include/linux/ve.h
index a40e219c8bce..878ca284a6ba 100644
--- a/include/linux/ve.h
+++ b/include/linux/ve.h
@@ -43,13 +43,10 @@ struct ve_struct {
 	struct list_head	ve_list;
 
 	envid_t			veid;
-	bool			legacy;	/* created using the legacy API
-					   (vzctl ioctl - see do_env_create) */
 
 	unsigned int		class_id;
 	struct rw_semaphore	op_sem;
 	int			is_running;
-	int			is_locked;
 	int			is_pseudosuper;
 	atomic_t		suspend;
 	/* see vzcalluser.h for VE_FEATURE_XXX definitions */
@@ -148,10 +145,6 @@ extern struct cgroup_subsys ve_subsys;
 
 extern unsigned int sysctl_ve_mount_nr;
 
-#ifdef CONFIG_VE_IPTABLES
-extern __u64 ve_setup_iptables_mask(__u64 init_mask);
-#endif
-
 #ifdef CONFIG_VE
 #define ve_uevent_seqnum       (get_exec_env()->_uevent_seqnum)
 
@@ -211,7 +204,6 @@ extern void monotonic_ve_to_abs(clockid_t which_clock, struct timespec *tp);
 
 void ve_stop_ns(struct pid_namespace *ns);
 void ve_exit_ns(struct pid_namespace *ns);
-int ve_start_container(struct ve_struct *ve);
 
 extern bool current_user_ns_initial(void);
 struct user_namespace *ve_init_user_ns(void);
diff --git a/include/linux/ve_proto.h b/include/linux/ve_proto.h
index 153f18bd19b1..5787afe275ce 100644
--- a/include/linux/ve_proto.h
+++ b/include/linux/ve_proto.h
@@ -55,10 +55,6 @@ extern struct ve_struct *get_ve_by_id(envid_t);
 extern struct cgroup *ve_cgroup_open(struct cgroup *root, int flags, envid_t veid);
 extern int ve_cgroup_remove(struct cgroup *root, envid_t veid);
 
-struct env_create_param3;
-extern int real_env_create(envid_t veid, unsigned flags, u32 class_id,
-			   struct env_create_param3 *data, int datalen);
-
 extern int nr_threads_ve(struct ve_struct *ve);
 
 enum {
diff --git a/kernel/fairsched.c b/kernel/fairsched.c
index 8149076c8cb8..14861dc65023 100644
--- a/kernel/fairsched.c
+++ b/kernel/fairsched.c
@@ -117,7 +117,7 @@ SYSCALL_DEFINE3(fairsched_mknod, unsigned int, parent, unsigned int, weight,
 				 unsigned int, newid)
 {
 	int retval;
-	struct fairsched_node node;
+	struct fairsched_node node = {NULL, NULL};
 
 	if (!capable_setveid())
 		return -EPERM;
@@ -355,68 +355,6 @@ SYSCALL_DEFINE3(fairsched_nodemask, unsigned int, id, unsigned int, len,
 	return retval;
 }
 
-int fairsched_new_node(int id, unsigned int vcpus)
-{
-	struct fairsched_node node = {NULL, NULL};
-	int err;
-
-	err = fairsched_create(&node, id);
-	if (err < 0)
-		return err;
-
-	err = sched_cgroup_set_nr_cpus(node.cpu, vcpus);
-	if (err) {
-		printk(KERN_ERR "Can't set sched vcpus on node %d err=%d\n", id, err);
-		goto err_remove;
-	}
-
-	err = fairsched_move(&node, current);
-	if (err)
-		goto err_remove;
-
-	fairsched_close(&node);
-	return 0;
-
-err_remove:
-	fairsched_close(&node);
-	fairsched_remove(id);
-	return err;
-}
-EXPORT_SYMBOL(fairsched_new_node);
-
-void fairsched_drop_node(int id, int leave)
-{
-	int err;
-
-	if (leave) {
-		err = fairsched_move(&root_node, current);
-		if (err)
-			printk(KERN_ERR "Can't leave fairsched node %d "
-					"err=%d\n", id, err);
-	}
-
-	err = fairsched_remove(id);
-	if (err)
-		printk(KERN_ERR "Can't remove fairsched node %d err=%d\n", id, err);
-}
-EXPORT_SYMBOL(fairsched_drop_node);
-
-int fairsched_move_task(int id, struct task_struct *tsk)
-{
-	struct fairsched_node node = {NULL, NULL};
-	int err;
-
-	err = fairsched_open(&node, id);
-	if (err)
-		return err;
-
-	err = fairsched_move(&node, tsk);
-	fairsched_close(&node);
-	return err;
-}
-
-EXPORT_SYMBOL(fairsched_move_task);
-
 #ifdef CONFIG_PROC_FS
 
 /*********************************************************************/
diff --git a/kernel/ve/ve.c b/kernel/ve/ve.c
index 703f97c03cb2..f4aec3a13c71 100644
--- a/kernel/ve/ve.c
+++ b/kernel/ve/ve.c
@@ -432,7 +432,7 @@ static void ve_drop_context(struct ve_struct *ve)
 static const struct timespec zero_time = { };
 
 /* under ve->op_sem write-lock */
-int ve_start_container(struct ve_struct *ve)
+static int ve_start_container(struct ve_struct *ve)
 {
 	struct task_struct *tsk = current;
 	int err;
@@ -496,7 +496,6 @@ err_list:
 	ve_drop_context(ve);
 	return err;
 }
-EXPORT_SYMBOL_GPL(ve_start_container);
 
 void ve_stop_ns(struct pid_namespace *pid_ns)
 {
@@ -568,8 +567,7 @@ void ve_exit_ns(struct pid_namespace *pid_ns)
 }
 
 #ifdef CONFIG_VE_IPTABLES
-
-__u64 ve_setup_iptables_mask(__u64 init_mask)
+static __u64 ve_setup_iptables_mask(__u64 init_mask)
 {
 	/* Remove when userspace will start supplying IPv6-related bits. */
 	init_mask &= ~VE_IP_IPTABLES6;
@@ -591,8 +589,6 @@ __u64 ve_setup_iptables_mask(__u64 init_mask)
 
 	return init_mask;
 }
-EXPORT_SYMBOL(ve_setup_iptables_mask);
-
 #endif
 
 static struct cgroup_subsys_state *ve_create(struct cgroup *cg)
diff --git a/kernel/ve/vecalls.c b/kernel/ve/vecalls.c
index a690a8faabba..80c2e2d9094d 100644
--- a/kernel/ve/vecalls.c
+++ b/kernel/ve/vecalls.c
@@ -11,78 +11,32 @@
  * along with initialization script
  */
 
-#include <linux/delay.h>
-#include <linux/capability.h>
 #include <linux/ve.h>
 #include <linux/init.h>
 #include <linux/list.h>
 #include <linux/errno.h>
 #include <linux/unistd.h>
 #include <linux/slab.h>
-#include <linux/vmalloc.h>
 #include <linux/sys.h>
-#include <linux/fs_struct.h>
 #include <linux/fs.h>
-#include <linux/mnt_namespace.h>
-#include <linux/termios.h>
-#include <linux/tty_driver.h>
 #include <linux/netdevice.h>
-#include <linux/wait.h>
-#include <linux/inetdevice.h>
-#include <net/addrconf.h>
 #include <linux/utsname.h>
 #include <linux/proc_fs.h>
-#include <linux/devpts_fs.h>
-#include <linux/shmem_fs.h>
-#include <linux/user_namespace.h>
-#include <linux/sysfs.h>
 #include <linux/seq_file.h>
 #include <linux/kernel_stat.h>
 #include <linux/module.h>
-#include <linux/suspend.h>
 #include <linux/rcupdate.h>
-#include <linux/in.h>
-#include <linux/idr.h>
-#include <linux/inetdevice.h>
-#include <linux/pid.h>
-#include <net/pkt_sched.h>
-#include <bc/beancounter.h>
-#include <linux/nsproxy.h>
-#include <linux/kobject.h>
-#include <linux/freezer.h>
-#include <linux/pid_namespace.h>
-#include <linux/tty.h>
 #include <linux/mount.h>
-#include <linux/kthread.h>
-#include <linux/oom.h>
-#include <linux/kthread.h>
-#include <linux/workqueue.h>
 #include <generated/utsrelease.h>
 
-#include <net/route.h>
-#include <net/ip_fib.h>
-#include <net/ip6_route.h>
-#include <net/arp.h>
-#include <net/ipv6.h>
-
-#include <linux/ve_proto.h>
 #include <linux/venet.h>
 #include <linux/vzctl.h>
 #include <uapi/linux/vzcalluser.h>
 #include <linux/fairsched.h>
 #include <linux/device_cgroup.h>
 
-#include <linux/virtinfo.h>
-#include <linux/major.h>
-
 static struct cgroup *devices_root;
 
-static int	do_env_enter(struct ve_struct *ve, unsigned int flags);
-
-static void vecalls_exit(void);
-
-static int alone_in_pgrp(struct task_struct *tsk);
-
 static s64 ve_get_uptime(struct ve_struct *ve)
 {
 	struct timespec uptime;
@@ -181,50 +135,6 @@ out:
 /**********************************************************************
  **********************************************************************
  *
- * VE start: subsystems
- *
- **********************************************************************
- **********************************************************************/
-
-/*
- * Namespaces
- */
-
-static inline int init_ve_namespaces(void)
-{
-	int err;
-
-	err = copy_namespaces(CLONE_NEWUTS | CLONE_NEWIPC |
-			      CLONE_NEWPID | CLONE_NEWNET,
-			      current);
-	if (err < 0)
-		return err;
-
-	memcpy(utsname()->release, virt_utsname.release,
-			sizeof(virt_utsname.release));
-
-	return 0;
-}
-
-static int init_ve_struct(struct ve_struct *ve,
-		u32 class_id, env_create_param_t *data, int datalen)
-{
-	ve->class_id = class_id;
-
-#ifdef CONFIG_VE_IPTABLES
-	/* Set up ipt_mask as it will be used during
-	 * net namespace initialization
-	 */
-	ve->ipt_mask = ve_setup_iptables_mask(data ? data->iptables_mask
-						: VE_IP_DEFAULT);
-#endif
-
-	return 0;
-}
-
-/**********************************************************************
- **********************************************************************
- *
  * /proc/meminfo virtualization
  *
  **********************************************************************
@@ -251,59 +161,6 @@ static int ve_set_meminfo(envid_t veid, unsigned long val)
 #endif
 }
 
-static void init_ve_cred(struct cred *new)
-{
-	struct user_namespace *user_ns = new->user_ns;
-	kernel_cap_t bset;
-
-	bset = current_cred()->cap_effective;
-
-	/*
-	 * Task capabilities checks now user-ns aware. This deprecates old
-	 * CAP_VE_ADMIN. CAP_SYS/NET_ADMIN in container now completely safe.
-	 */
-	if (cap_raised(bset, CAP_VE_ADMIN)) {
-		cap_raise(bset, CAP_SYS_ADMIN);
-		cap_raise(bset, CAP_NET_ADMIN);
-	}
-
-	/*
-	 * Full set of capabilites in nested user-ns is safe. But vzctl can
-	 * drop some capabilites to create restricted container.
-	 */
-	new->cap_inheritable = CAP_EMPTY_SET;
-	new->cap_effective = bset;
-	new->cap_permitted = bset;
-	new->cap_bset = bset;
-
-	/*
-	 * Setup equal uid/gid mapping.
-	 * proc_uid_map_write() forbids further changings.
-	 */
-	user_ns->uid_map = user_ns->parent->uid_map;
-	user_ns->gid_map = user_ns->parent->gid_map;
-}
-
-static int alone_in_pgrp(struct task_struct *tsk)
-{
-	struct task_struct *p;
-	int alone = 0;
-
-	read_lock(&tasklist_lock);
-	do_each_pid_task(task_pid(tsk), PIDTYPE_PGID, p) {
-		if (p != tsk)
-			goto out;
-	} while_each_pid_task(task_pid(tsk), PIDTYPE_PGID, p);
-	do_each_pid_task(task_pid(tsk), PIDTYPE_SID, p) {
-		if (p != tsk)
-			goto out;
-	} while_each_pid_task(task_pid(tsk), PIDTYPE_SID, p);
-	alone = 1;
-out:
-	read_unlock(&tasklist_lock);
-	return alone;
-}
-
 static struct vfsmount *ve_cgroup_mnt, *devices_cgroup_mnt;
 
 static int __init init_vecalls_cgroups(void)
@@ -338,264 +195,6 @@ static void fini_vecalls_cgroups(void)
 	kern_unmount(devices_cgroup_mnt);
 }
 
-static int do_env_create(envid_t veid, unsigned int flags, u32 class_id,
-			 env_create_param_t *data, int datalen)
-{
-	struct task_struct *tsk = current;
-	struct ve_struct *ve;
-	struct cred *new_creds, *old_creds;
-	int err;
-	struct nsproxy *old_ns;
-	struct cgroup *ve_cgroup;
-	struct cgroup *dev_cgroup;
-
-	if (tsk->signal->tty) {
-		printk("ERR: CT init has controlling terminal\n");
-		return -EINVAL;
-	}
-	if (task_pgrp(tsk) != task_pid(tsk) ||
-			task_session(tsk) != task_pid(tsk)) {
-		int may_setsid;
-
-		read_lock(&tasklist_lock);
-		may_setsid = !tsk->signal->leader &&
-			!pid_task(find_pid_ns(task_pid_nr(tsk), &init_pid_ns), PIDTYPE_PGID);
-		read_unlock(&tasklist_lock);
-
-		if (!may_setsid) {
-			printk("ERR: CT init is process group leader\n");
-			return -EINVAL;
-		}
-	}
-	/* Check that the process is not a leader of non-empty group/session.
-	 * If it is, we cannot virtualize its PID and must fail. */
-	if (!alone_in_pgrp(tsk)) {
-		printk("ERR: CT init is not alone in process group\n");
-		return -EINVAL;
-	}
-
-	/* create new cpu-cgroup and move current task into it */
-	err = fairsched_new_node(veid, data->total_vcpus);
-	if (err)
-		goto err_sched;
-
-	ve_cgroup = ve_cgroup_open(ve0.css.cgroup, CGRP_CREAT|CGRP_EXCL, veid);
-	err = PTR_ERR(ve_cgroup);
-	if (IS_ERR(ve_cgroup))
-		goto err_ve_cgroup;
-
-	dev_cgroup = ve_cgroup_open(devices_root, CGRP_CREAT, veid);
-	err = PTR_ERR(dev_cgroup);
-	if (IS_ERR(dev_cgroup))
-		goto err_dev_cgroup;
-
-	err = devcgroup_default_perms_ve(dev_cgroup);
-	if (err)
-		goto err_devperms;
-
-	ve = cgroup_ve(ve_cgroup);
-	ve->legacy = true;
-
-	init_ve_struct(ve, class_id, data, datalen);
-
-	down_write(&ve->op_sem);
-
-	err = cgroup_kernel_attach(ve->css.cgroup, tsk);
-	if (err)
-		goto err_ve_attach;
-
-	err = cgroup_kernel_attach(dev_cgroup, tsk);
-	if (err)
-		goto err_dev_attach;
-
-	err = -ENOMEM;
-	new_creds = prepare_creds();
-	if (new_creds == NULL)
-		goto err_creds;
-
-	err = create_user_ns(new_creds);
-	if (err) {
-		put_cred(new_creds);
-		goto err_creds;
-	}
-
-	init_ve_cred(new_creds);
-
-	old_creds = (struct cred *)get_current_cred();
-
-	commit_creds(new_creds);
-
-	old_ns = tsk->nsproxy;
-
-	if ((err = init_ve_namespaces()))
-		goto err_ns;
-
-	/* for compatibility only */
-	if ((err = change_active_pid_ns(tsk, tsk->nsproxy->pid_ns)) < 0)
-		goto err_vpid;
-
-	if (flags & VE_LOCK)
-		ve->is_locked = 1;
-
-	err = ve_start_container(ve);
-	if (err)
-		goto err_ve_start;
-
-	up_write(&ve->op_sem);
-
-	cgroup_kernel_close(ve_cgroup);
-	cgroup_kernel_close(dev_cgroup);
-
-	put_nsproxy(old_ns);
-	put_cred(old_creds);
-
-	return veid;
-
-err_ve_start:
-	up_write(&ve->op_sem);
-err_vpid:
-	switch_task_namespaces(tsk, old_ns);
-err_ns:
-	commit_creds(old_creds);
-err_creds:
-	cgroup_kernel_attach(&dev_cgroup->root->top_cgroup, tsk);
-err_dev_attach:
-	cgroup_kernel_attach(ve0.css.cgroup, tsk);
-err_ve_attach:
-err_devperms:
-	cgroup_kernel_close(dev_cgroup);
-err_dev_cgroup:
-	cgroup_kernel_close(ve_cgroup);
-err_ve_cgroup:
-	fairsched_drop_node(veid, 1);
-err_sched:
-	printk(KERN_INFO "CT: %d: failed to start with err=%d\n", veid, err);
-	return err;
-}
-
-
-/**********************************************************************
- **********************************************************************
- *
- * VE start/stop callbacks
- *
- **********************************************************************
- **********************************************************************/
-
-int real_env_create(envid_t veid, unsigned flags, u32 class_id,
-			env_create_param_t *data, int datalen)
-{
-	int status;
-	struct ve_struct *ve;
-
-	if (!flags) {
-		status = get_exec_env()->veid;
-		goto out;
-	}
-
-	status = -EPERM;
-	if (!capable_setveid())
-		goto out;
-
-	status = -EINVAL;
-	if ((flags & VE_TEST) && (flags & (VE_ENTER|VE_CREATE)))
-		goto out;
-
-	status = -EINVAL;
-	ve = get_ve_by_id(veid);
-	if (ve) {
-		if (flags & VE_TEST) {
-			status = 0;
-			goto out_put;
-		}
-		if (flags & VE_EXCLUSIVE) {
-			status = -EACCES;
-			goto out_put;
-		}
-		if (flags & VE_CREATE) {
-			flags &= ~VE_CREATE;
-			flags |= VE_ENTER;
-		}
-	} else {
-		if (flags & (VE_TEST|VE_ENTER)) {
-			status = -ESRCH;
-			goto out;
-		}
-	}
-
-	if (flags & VE_CREATE) {
-		status = do_env_create(veid, flags, class_id, data, datalen);
-		goto out;
-	} else if (flags & VE_ENTER)
-		status = do_env_enter(ve, flags);
-
-	/* else: returning EINVAL */
-
-out_put:
-	put_ve(ve);
-out:
-	return status;
-}
-EXPORT_SYMBOL(real_env_create);
-
-static int do_env_enter(struct ve_struct *ve, unsigned int flags)
-{
-	struct task_struct *tsk = current;
-	int err;
-
-	err = fairsched_move_task(ve->veid, current);
-	if (err)
-		return err;
-
-	err = -EBUSY;
-	down_read(&ve->op_sem);
-	if (!ve->is_running)
-		goto out_up;
-	if (ve->is_locked && !(flags & VE_SKIPLOCK))
-		goto out_up;
-
-	switch_task_namespaces(tsk, get_nsproxy(ve->ve_ns));
-
-	commit_creds(get_new_cred(ve->init_cred));
-
-	err = cgroup_kernel_attach(ve->css.cgroup, current);
-	if (err)
-		goto out_up;
-
-	if (alone_in_pgrp(tsk) && !(flags & VE_SKIPLOCK))
-		change_active_pid_ns(tsk, ve->ve_ns->pid_ns);
-
-	/* Unlike VE_CREATE, we do not setsid() in VE_ENTER.
-	 * Process is allowed to be in an external group/session.
-	 * If user space callers wants, it will do setsid() after
-	 * VE_ENTER.
-	 */
-	err = ve->veid;
-	tsk->did_ve_enter = 1;
-
-out_up:
-	up_read(&ve->op_sem);
-
-	if (err < 0)
-		fairsched_move_task(0, current);
-
-	return err;
-}
-
-static void vzmon_stop_notifier(void *data)
-{
-	struct ve_struct *ve = data;
-
-	if (ve->legacy)
-		fairsched_drop_node(ve->veid, 0);
-}
-
-static struct ve_hook vzmon_stop_hook = {
-	.fini		= vzmon_stop_notifier,
-	.priority	= HOOK_PRIO_FINISHING,
-	.owner		= THIS_MODULE,
-};
-
 /**********************************************************************
  **********************************************************************
  *
@@ -1086,38 +685,11 @@ int vzcalls_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
 		break;
 #endif
 	    case VZCTL_ENV_CREATE: {
-			struct vzctl_env_create s;
-			err = -EFAULT;
-			if (copy_from_user(&s, (void __user *)arg, sizeof(s)))
-				break;
-			err = real_env_create(s.veid, s.flags, s.class_id,
-				NULL, 0);
+			err = -ENOTSUPP;
 		}
 		break;
 	    case VZCTL_ENV_CREATE_DATA: {
-			struct vzctl_env_create_data s;
-			env_create_param_t *data;
-			err = -EFAULT;
-			if (copy_from_user(&s, (void __user *)arg, sizeof(s)))
-				break;
-			err=-EINVAL;
-			if (s.datalen < VZCTL_ENV_CREATE_DATA_MINLEN ||
-			    s.datalen > VZCTL_ENV_CREATE_DATA_MAXLEN ||
-			    s.data == 0)
-				break;
-			err = -ENOMEM;
-			data = kzalloc(sizeof(*data), GFP_KERNEL);
-			if (!data)
-				break;
-
-			err = -EFAULT;
-			if (copy_from_user(data, (void __user *)s.data,
-						s.datalen))
-				goto free_data;
-			err = real_env_create(s.veid, s.flags, s.class_id,
-				data, s.datalen);
-free_data:
-			kfree(data);
+			err = -ENOTSUPP;
 		}
 		break;
 	    case VZCTL_GET_CPU_STAT: {
@@ -1239,8 +811,6 @@ static int __init vecalls_init(void)
 {
 	int err;
 
-	ve_hook_register(VE_SS_CHAIN, &vzmon_stop_hook);
-
 	err = init_vecalls_cgroups();
 	if (err)
 		goto out_cgroups;
@@ -1265,8 +835,6 @@ out_ioctls:
 out_proc:
 	fini_vecalls_cgroups();
 out_cgroups:
-	ve_hook_unregister(&vzmon_stop_hook);
-
 	return err;
 }
 
@@ -1275,7 +843,6 @@ static void __exit vecalls_exit(void)
 	fini_vecalls_ioctls();
 	fini_vecalls_proc();
 	fini_vecalls_cgroups();
-	ve_hook_unregister(&vzmon_stop_hook);
 }
 
 MODULE_AUTHOR("SWsoft <info at sw-soft.com>");
diff --git a/security/device_cgroup.c b/security/device_cgroup.c
index 0a6d9c482596..92f92f5f49e6 100644
--- a/security/device_cgroup.c
+++ b/security/device_cgroup.c
@@ -1001,52 +1001,6 @@ int devcgroup_inode_mknod(int mode, dev_t dev)
 
 #ifdef CONFIG_VE
 
-static struct dev_exception_item default_whitelist_items[] = {
-	{ ~0,				~0,	DEV_CHAR,	ACC_HIDDEN | ACC_MKNOD },
-	{ ~0,				~0,	DEV_BLOCK,	ACC_HIDDEN | ACC_MKNOD },
-	{ UNIX98_PTY_MASTER_MAJOR,	~0,	DEV_CHAR,	ACC_HIDDEN | ACC_MKNOD | ACC_READ | ACC_WRITE },
-	{ UNIX98_PTY_SLAVE_MAJOR,	~0,	DEV_CHAR,	ACC_HIDDEN | ACC_MKNOD | ACC_READ | ACC_WRITE },
-	{ PTY_MASTER_MAJOR,		~0,	DEV_CHAR,	ACC_HIDDEN | ACC_MKNOD | ACC_READ | ACC_WRITE },
-	{ PTY_SLAVE_MAJOR,		~0,	DEV_CHAR,	ACC_HIDDEN | ACC_MKNOD | ACC_READ | ACC_WRITE },
-	{ MEM_MAJOR,			3,	DEV_CHAR,	ACC_HIDDEN | ACC_MKNOD | ACC_READ | ACC_WRITE }, /* null */
-	{ MEM_MAJOR,			5,	DEV_CHAR,	ACC_HIDDEN | ACC_MKNOD | ACC_READ | ACC_WRITE }, /* zero */
-	{ MEM_MAJOR,			7,	DEV_CHAR,	ACC_HIDDEN | ACC_MKNOD | ACC_READ | ACC_WRITE }, /* full */
-	{ TTYAUX_MAJOR,			0,	DEV_CHAR,	ACC_HIDDEN | ACC_MKNOD | ACC_READ | ACC_WRITE }, /* tty */
-	{ TTYAUX_MAJOR,			1,	DEV_CHAR,	ACC_HIDDEN | ACC_MKNOD | ACC_READ | ACC_WRITE }, /* console */
-	{ TTYAUX_MAJOR,			2,	DEV_CHAR,	ACC_HIDDEN | ACC_MKNOD | ACC_READ | ACC_WRITE }, /* ptmx */
-	{ MEM_MAJOR,			8,	DEV_CHAR,	ACC_HIDDEN | ACC_MKNOD | ACC_READ | ACC_WRITE }, /* random */
-	{ MEM_MAJOR,			9,	DEV_CHAR,	ACC_HIDDEN | ACC_MKNOD | ACC_READ | ACC_WRITE }, /* urandom */
-	{ MEM_MAJOR,			11,	DEV_CHAR,	ACC_HIDDEN | ACC_MKNOD | ACC_WRITE },            /* kmsg */
-	{ MISC_MAJOR,			200,	DEV_CHAR,	ACC_HIDDEN | ACC_MKNOD | ACC_READ | ACC_WRITE }, /* tun */
-};
-
-static LIST_HEAD(default_whitelist);
-
-int devcgroup_default_perms_ve(struct cgroup *cgroup)
-{
-	struct dev_cgroup *dev_cgroup = cgroup_to_devcgroup(cgroup);
-	struct dev_exception_item *wl, *tmp;
-	int i, err;
-
-	mutex_lock(&devcgroup_mutex);
-	if (list_empty(&default_whitelist)) {
-		for (i = 0; i < ARRAY_SIZE(default_whitelist_items); i++)
-			list_add_tail(&default_whitelist_items[i].list,
-					&default_whitelist);
-	}
-	list_for_each_entry_safe(wl, tmp, &dev_cgroup->exceptions, list) {
-		wl->access = 0;
-		list_del_rcu(&wl->list);
-		kfree_rcu(wl, rcu);
-	}
-	err = dev_exceptions_copy(&dev_cgroup->exceptions, &default_whitelist);
-	dev_cgroup->behavior = DEVCG_DEFAULT_DENY;
-	mutex_unlock(&devcgroup_mutex);
-
-	return err;
-}
-EXPORT_SYMBOL(devcgroup_default_perms_ve);
-
 static unsigned decode_ve_perms(unsigned perm)
 {
 	unsigned mask = 0;
-- 
2.1.4



More information about the Devel mailing list