[Devel] [PATCH rh7 2/6] Drop VZCTL_ENV_CREATE
Vladimir Davydov
vdavydov at virtuozzo.com
Mon Jun 20 09:40:12 PDT 2016
It's getting too difficult to support it. Since we've been using the cgroup
interface for creating a VE for quite a while, let's drop it.
Signed-off-by: Vladimir Davydov <vdavydov at virtuozzo.com>
---
include/linux/device_cgroup.h | 1 -
include/linux/fairsched.h | 7 -
include/linux/sched.h | 1 -
include/linux/ve.h | 8 -
include/linux/ve_proto.h | 4 -
kernel/fairsched.c | 64 +------
kernel/ve/ve.c | 8 +-
kernel/ve/vecalls.c | 437 +-----------------------------------------
security/device_cgroup.c | 46 -----
9 files changed, 5 insertions(+), 571 deletions(-)
diff --git a/include/linux/device_cgroup.h b/include/linux/device_cgroup.h
index 32588bb8fb4e..64c2da27278c 100644
--- a/include/linux/device_cgroup.h
+++ b/include/linux/device_cgroup.h
@@ -17,7 +17,6 @@ extern int devcgroup_device_visible(umode_t mode, int major,
int start_minor, int nr_minors);
struct cgroup;
-int devcgroup_default_perms_ve(struct cgroup *cgroup);
int devcgroup_set_perms_ve(struct cgroup *cgroup, unsigned, dev_t, unsigned);
struct ve_struct;
int devcgroup_seq_show_ve(struct cgroup *devices_root, struct ve_struct *ve, struct seq_file *m);
diff --git a/include/linux/fairsched.h b/include/linux/fairsched.h
index e242c0d4c065..615e88928e25 100644
--- a/include/linux/fairsched.h
+++ b/include/linux/fairsched.h
@@ -51,10 +51,6 @@ asmlinkage long sys_fairsched_cpumask(unsigned int id, unsigned int len,
asmlinkage long sys_fairsched_nodemask(unsigned int id, unsigned int len,
unsigned long __user *user_mask_ptr);
-int fairsched_new_node(int id, unsigned int vcpus);
-int fairsched_move_task(int id, struct task_struct *tsk);
-void fairsched_drop_node(int id, int leave);
-
int fairsched_get_cpu_stat(const char *name, struct kernel_cpustat *kstat);
int cpu_cgroup_get_avenrun(struct cgroup *cgrp, unsigned long *avenrun);
@@ -71,9 +67,6 @@ int fairsched_show_loadavg(const char *name, struct seq_file *p);
#else /* CONFIG_VZ_FAIRSCHED */
-static inline int fairsched_new_node(int id, unsigned int vcpus) { return 0; }
-static inline int fairsched_move_task(int id, struct task_struct *tsk) { return 0; }
-static inline void fairsched_drop_node(int id, int leave) { }
static inline int fairsched_show_stat(const char *name, struct seq_file *p) { return -ENOSYS; }
static inline int fairsched_show_loadavg(const char *name, struct seq_file *p) { return -ENOSYS; }
static inline int fairsched_get_cpu_avenrun(const char *name, unsigned long *avenrun) { return -ENOSYS; }
diff --git a/include/linux/sched.h b/include/linux/sched.h
index 21775a21f8ab..84a9888b2483 100644
--- a/include/linux/sched.h
+++ b/include/linux/sched.h
@@ -1241,7 +1241,6 @@ struct task_struct {
unsigned in_execve:1; /* Tell the LSMs that the process is doing an
* execve */
unsigned in_iowait:1;
- unsigned did_ve_enter:1;
unsigned no_new_privs:1; /* task may not gain privileges */
unsigned may_throttle:1;
diff --git a/include/linux/ve.h b/include/linux/ve.h
index a40e219c8bce..878ca284a6ba 100644
--- a/include/linux/ve.h
+++ b/include/linux/ve.h
@@ -43,13 +43,10 @@ struct ve_struct {
struct list_head ve_list;
envid_t veid;
- bool legacy; /* created using the legacy API
- (vzctl ioctl - see do_env_create) */
unsigned int class_id;
struct rw_semaphore op_sem;
int is_running;
- int is_locked;
int is_pseudosuper;
atomic_t suspend;
/* see vzcalluser.h for VE_FEATURE_XXX definitions */
@@ -148,10 +145,6 @@ extern struct cgroup_subsys ve_subsys;
extern unsigned int sysctl_ve_mount_nr;
-#ifdef CONFIG_VE_IPTABLES
-extern __u64 ve_setup_iptables_mask(__u64 init_mask);
-#endif
-
#ifdef CONFIG_VE
#define ve_uevent_seqnum (get_exec_env()->_uevent_seqnum)
@@ -211,7 +204,6 @@ extern void monotonic_ve_to_abs(clockid_t which_clock, struct timespec *tp);
void ve_stop_ns(struct pid_namespace *ns);
void ve_exit_ns(struct pid_namespace *ns);
-int ve_start_container(struct ve_struct *ve);
extern bool current_user_ns_initial(void);
struct user_namespace *ve_init_user_ns(void);
diff --git a/include/linux/ve_proto.h b/include/linux/ve_proto.h
index 153f18bd19b1..5787afe275ce 100644
--- a/include/linux/ve_proto.h
+++ b/include/linux/ve_proto.h
@@ -55,10 +55,6 @@ extern struct ve_struct *get_ve_by_id(envid_t);
extern struct cgroup *ve_cgroup_open(struct cgroup *root, int flags, envid_t veid);
extern int ve_cgroup_remove(struct cgroup *root, envid_t veid);
-struct env_create_param3;
-extern int real_env_create(envid_t veid, unsigned flags, u32 class_id,
- struct env_create_param3 *data, int datalen);
-
extern int nr_threads_ve(struct ve_struct *ve);
enum {
diff --git a/kernel/fairsched.c b/kernel/fairsched.c
index 8149076c8cb8..14861dc65023 100644
--- a/kernel/fairsched.c
+++ b/kernel/fairsched.c
@@ -117,7 +117,7 @@ SYSCALL_DEFINE3(fairsched_mknod, unsigned int, parent, unsigned int, weight,
unsigned int, newid)
{
int retval;
- struct fairsched_node node;
+ struct fairsched_node node = {NULL, NULL};
if (!capable_setveid())
return -EPERM;
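Review bot: The new `struct fairsched_node node = {NULL, NULL};` initializer in sys_fairsched_mknod is not explained by the commit message, which only covers dropping VZCTL_ENV_CREATE; if it is needed because an error path now hands a partially set-up node to fairsched_close() (presumably, the rest of the function is not in the hunk), say so in the message or split it into its own patch. Positional `{NULL, NULL}` also ties this line to the current member count and order of struct fairsched_node; the empty initializer `struct fairsched_node node = { };` zeroes every member regardless of layout and is the usual kernel form. sys_fairsched_mknod's body continues outside the hunk.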
@@ -355,68 +355,6 @@ SYSCALL_DEFINE3(fairsched_nodemask, unsigned int, id, unsigned int, len,
return retval;
}
-int fairsched_new_node(int id, unsigned int vcpus)
-{
- struct fairsched_node node = {NULL, NULL};
- int err;
-
- err = fairsched_create(&node, id);
- if (err < 0)
- return err;
-
- err = sched_cgroup_set_nr_cpus(node.cpu, vcpus);
- if (err) {
- printk(KERN_ERR "Can't set sched vcpus on node %d err=%d\n", id, err);
- goto err_remove;
- }
-
- err = fairsched_move(&node, current);
- if (err)
- goto err_remove;
-
- fairsched_close(&node);
- return 0;
-
-err_remove:
- fairsched_close(&node);
- fairsched_remove(id);
- return err;
-}
-EXPORT_SYMBOL(fairsched_new_node);
-
-void fairsched_drop_node(int id, int leave)
-{
- int err;
-
- if (leave) {
- err = fairsched_move(&root_node, current);
- if (err)
- printk(KERN_ERR "Can't leave fairsched node %d "
- "err=%d\n", id, err);
- }
-
- err = fairsched_remove(id);
- if (err)
- printk(KERN_ERR "Can't remove fairsched node %d err=%d\n", id, err);
-}
-EXPORT_SYMBOL(fairsched_drop_node);
-
-int fairsched_move_task(int id, struct task_struct *tsk)
-{
- struct fairsched_node node = {NULL, NULL};
- int err;
-
- err = fairsched_open(&node, id);
- if (err)
- return err;
-
- err = fairsched_move(&node, tsk);
- fairsched_close(&node);
- return err;
-}
-
-EXPORT_SYMBOL(fairsched_move_task);
-
#ifdef CONFIG_PROC_FS
/*********************************************************************/
diff --git a/kernel/ve/ve.c b/kernel/ve/ve.c
index 703f97c03cb2..f4aec3a13c71 100644
--- a/kernel/ve/ve.c
+++ b/kernel/ve/ve.c
@@ -432,7 +432,7 @@ static void ve_drop_context(struct ve_struct *ve)
static const struct timespec zero_time = { };
/* under ve->op_sem write-lock */
-int ve_start_container(struct ve_struct *ve)
+static int ve_start_container(struct ve_struct *ve)
{
struct task_struct *tsk = current;
int err;
@@ -496,7 +496,6 @@ err_list:
ve_drop_context(ve);
return err;
}
-EXPORT_SYMBOL_GPL(ve_start_container);
void ve_stop_ns(struct pid_namespace *pid_ns)
{
@@ -568,8 +567,7 @@ void ve_exit_ns(struct pid_namespace *pid_ns)
}
#ifdef CONFIG_VE_IPTABLES
-
-__u64 ve_setup_iptables_mask(__u64 init_mask)
+static __u64 ve_setup_iptables_mask(__u64 init_mask)
{
/* Remove when userspace will start supplying IPv6-related bits. */
init_mask &= ~VE_IP_IPTABLES6;
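Review bot: Making ve_setup_iptables_mask() static is only correct if ve.c itself still calls it; the only caller visible in this patch, init_ve_struct() in vecalls.c, is deleted here, so if no call remains the function should be removed outright rather than hidden, otherwise every CONFIG_VE_IPTABLES build gets an unused-function warning. If a caller does remain in ve.c, a short comment above the definition would record the new contract, e.g. `/* Sanitise a caller-supplied iptables mask before it is stored in ve->ipt_mask; the legacy VZCTL_ENV_CREATE path that used to supply it is gone. */` (confirm the remaining caller before wording it). ve_setup_iptables_mask's body continues outside the hunk.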
@@ -591,8 +589,6 @@ __u64 ve_setup_iptables_mask(__u64 init_mask)
return init_mask;
}
-EXPORT_SYMBOL(ve_setup_iptables_mask);
-
#endif
static struct cgroup_subsys_state *ve_create(struct cgroup *cg)
diff --git a/kernel/ve/vecalls.c b/kernel/ve/vecalls.c
index a690a8faabba..80c2e2d9094d 100644
--- a/kernel/ve/vecalls.c
+++ b/kernel/ve/vecalls.c
@@ -11,78 +11,32 @@
* along with initialization script
*/
-#include <linux/delay.h>
-#include <linux/capability.h>
#include <linux/ve.h>
#include <linux/init.h>
#include <linux/list.h>
#include <linux/errno.h>
#include <linux/unistd.h>
#include <linux/slab.h>
-#include <linux/vmalloc.h>
#include <linux/sys.h>
-#include <linux/fs_struct.h>
#include <linux/fs.h>
-#include <linux/mnt_namespace.h>
-#include <linux/termios.h>
-#include <linux/tty_driver.h>
#include <linux/netdevice.h>
-#include <linux/wait.h>
-#include <linux/inetdevice.h>
-#include <net/addrconf.h>
#include <linux/utsname.h>
#include <linux/proc_fs.h>
-#include <linux/devpts_fs.h>
-#include <linux/shmem_fs.h>
-#include <linux/user_namespace.h>
-#include <linux/sysfs.h>
#include <linux/seq_file.h>
#include <linux/kernel_stat.h>
#include <linux/module.h>
-#include <linux/suspend.h>
#include <linux/rcupdate.h>
-#include <linux/in.h>
-#include <linux/idr.h>
-#include <linux/inetdevice.h>
-#include <linux/pid.h>
-#include <net/pkt_sched.h>
-#include <bc/beancounter.h>
-#include <linux/nsproxy.h>
-#include <linux/kobject.h>
-#include <linux/freezer.h>
-#include <linux/pid_namespace.h>
-#include <linux/tty.h>
#include <linux/mount.h>
-#include <linux/kthread.h>
-#include <linux/oom.h>
-#include <linux/kthread.h>
-#include <linux/workqueue.h>
#include <generated/utsrelease.h>
-#include <net/route.h>
-#include <net/ip_fib.h>
-#include <net/ip6_route.h>
-#include <net/arp.h>
-#include <net/ipv6.h>
-
-#include <linux/ve_proto.h>
#include <linux/venet.h>
#include <linux/vzctl.h>
#include <uapi/linux/vzcalluser.h>
#include <linux/fairsched.h>
#include <linux/device_cgroup.h>
-#include <linux/virtinfo.h>
-#include <linux/major.h>
-
static struct cgroup *devices_root;
-static int do_env_enter(struct ve_struct *ve, unsigned int flags);
-
-static void vecalls_exit(void);
-
-static int alone_in_pgrp(struct task_struct *tsk);
-
static s64 ve_get_uptime(struct ve_struct *ve)
{
struct timespec uptime;
@@ -181,50 +135,6 @@ out:
/**********************************************************************
**********************************************************************
*
- * VE start: subsystems
- *
- **********************************************************************
- **********************************************************************/
-
-/*
- * Namespaces
- */
-
-static inline int init_ve_namespaces(void)
-{
- int err;
-
- err = copy_namespaces(CLONE_NEWUTS | CLONE_NEWIPC |
- CLONE_NEWPID | CLONE_NEWNET,
- current);
- if (err < 0)
- return err;
-
- memcpy(utsname()->release, virt_utsname.release,
- sizeof(virt_utsname.release));
-
- return 0;
-}
-
-static int init_ve_struct(struct ve_struct *ve,
- u32 class_id, env_create_param_t *data, int datalen)
-{
- ve->class_id = class_id;
-
-#ifdef CONFIG_VE_IPTABLES
- /* Set up ipt_mask as it will be used during
- * net namespace initialization
- */
- ve->ipt_mask = ve_setup_iptables_mask(data ? data->iptables_mask
- : VE_IP_DEFAULT);
-#endif
-
- return 0;
-}
-
-/**********************************************************************
- **********************************************************************
- *
* /proc/meminfo virtualization
*
**********************************************************************
@@ -251,59 +161,6 @@ static int ve_set_meminfo(envid_t veid, unsigned long val)
#endif
}
-static void init_ve_cred(struct cred *new)
-{
- struct user_namespace *user_ns = new->user_ns;
- kernel_cap_t bset;
-
- bset = current_cred()->cap_effective;
-
- /*
- * Task capabilities checks now user-ns aware. This deprecates old
- * CAP_VE_ADMIN. CAP_SYS/NET_ADMIN in container now completely safe.
- */
- if (cap_raised(bset, CAP_VE_ADMIN)) {
- cap_raise(bset, CAP_SYS_ADMIN);
- cap_raise(bset, CAP_NET_ADMIN);
- }
-
- /*
- * Full set of capabilites in nested user-ns is safe. But vzctl can
- * drop some capabilites to create restricted container.
- */
- new->cap_inheritable = CAP_EMPTY_SET;
- new->cap_effective = bset;
- new->cap_permitted = bset;
- new->cap_bset = bset;
-
- /*
- * Setup equal uid/gid mapping.
- * proc_uid_map_write() forbids further changings.
- */
- user_ns->uid_map = user_ns->parent->uid_map;
- user_ns->gid_map = user_ns->parent->gid_map;
-}
-
-static int alone_in_pgrp(struct task_struct *tsk)
-{
- struct task_struct *p;
- int alone = 0;
-
- read_lock(&tasklist_lock);
- do_each_pid_task(task_pid(tsk), PIDTYPE_PGID, p) {
- if (p != tsk)
- goto out;
- } while_each_pid_task(task_pid(tsk), PIDTYPE_PGID, p);
- do_each_pid_task(task_pid(tsk), PIDTYPE_SID, p) {
- if (p != tsk)
- goto out;
- } while_each_pid_task(task_pid(tsk), PIDTYPE_SID, p);
- alone = 1;
-out:
- read_unlock(&tasklist_lock);
- return alone;
-}
-
static struct vfsmount *ve_cgroup_mnt, *devices_cgroup_mnt;
static int __init init_vecalls_cgroups(void)
@@ -338,264 +195,6 @@ static void fini_vecalls_cgroups(void)
kern_unmount(devices_cgroup_mnt);
}
-static int do_env_create(envid_t veid, unsigned int flags, u32 class_id,
- env_create_param_t *data, int datalen)
-{
- struct task_struct *tsk = current;
- struct ve_struct *ve;
- struct cred *new_creds, *old_creds;
- int err;
- struct nsproxy *old_ns;
- struct cgroup *ve_cgroup;
- struct cgroup *dev_cgroup;
-
- if (tsk->signal->tty) {
- printk("ERR: CT init has controlling terminal\n");
- return -EINVAL;
- }
- if (task_pgrp(tsk) != task_pid(tsk) ||
- task_session(tsk) != task_pid(tsk)) {
- int may_setsid;
-
- read_lock(&tasklist_lock);
- may_setsid = !tsk->signal->leader &&
- !pid_task(find_pid_ns(task_pid_nr(tsk), &init_pid_ns), PIDTYPE_PGID);
- read_unlock(&tasklist_lock);
-
- if (!may_setsid) {
- printk("ERR: CT init is process group leader\n");
- return -EINVAL;
- }
- }
- /* Check that the process is not a leader of non-empty group/session.
- * If it is, we cannot virtualize its PID and must fail. */
- if (!alone_in_pgrp(tsk)) {
- printk("ERR: CT init is not alone in process group\n");
- return -EINVAL;
- }
-
- /* create new cpu-cgroup and move current task into it */
- err = fairsched_new_node(veid, data->total_vcpus);
- if (err)
- goto err_sched;
-
- ve_cgroup = ve_cgroup_open(ve0.css.cgroup, CGRP_CREAT|CGRP_EXCL, veid);
- err = PTR_ERR(ve_cgroup);
- if (IS_ERR(ve_cgroup))
- goto err_ve_cgroup;
-
- dev_cgroup = ve_cgroup_open(devices_root, CGRP_CREAT, veid);
- err = PTR_ERR(dev_cgroup);
- if (IS_ERR(dev_cgroup))
- goto err_dev_cgroup;
-
- err = devcgroup_default_perms_ve(dev_cgroup);
- if (err)
- goto err_devperms;
-
- ve = cgroup_ve(ve_cgroup);
- ve->legacy = true;
-
- init_ve_struct(ve, class_id, data, datalen);
-
- down_write(&ve->op_sem);
-
- err = cgroup_kernel_attach(ve->css.cgroup, tsk);
- if (err)
- goto err_ve_attach;
-
- err = cgroup_kernel_attach(dev_cgroup, tsk);
- if (err)
- goto err_dev_attach;
-
- err = -ENOMEM;
- new_creds = prepare_creds();
- if (new_creds == NULL)
- goto err_creds;
-
- err = create_user_ns(new_creds);
- if (err) {
- put_cred(new_creds);
- goto err_creds;
- }
-
- init_ve_cred(new_creds);
-
- old_creds = (struct cred *)get_current_cred();
-
- commit_creds(new_creds);
-
- old_ns = tsk->nsproxy;
-
- if ((err = init_ve_namespaces()))
- goto err_ns;
-
- /* for compatibility only */
- if ((err = change_active_pid_ns(tsk, tsk->nsproxy->pid_ns)) < 0)
- goto err_vpid;
-
- if (flags & VE_LOCK)
- ve->is_locked = 1;
-
- err = ve_start_container(ve);
- if (err)
- goto err_ve_start;
-
- up_write(&ve->op_sem);
-
- cgroup_kernel_close(ve_cgroup);
- cgroup_kernel_close(dev_cgroup);
-
- put_nsproxy(old_ns);
- put_cred(old_creds);
-
- return veid;
-
-err_ve_start:
- up_write(&ve->op_sem);
-err_vpid:
- switch_task_namespaces(tsk, old_ns);
-err_ns:
- commit_creds(old_creds);
-err_creds:
- cgroup_kernel_attach(&dev_cgroup->root->top_cgroup, tsk);
-err_dev_attach:
- cgroup_kernel_attach(ve0.css.cgroup, tsk);
-err_ve_attach:
-err_devperms:
- cgroup_kernel_close(dev_cgroup);
-err_dev_cgroup:
- cgroup_kernel_close(ve_cgroup);
-err_ve_cgroup:
- fairsched_drop_node(veid, 1);
-err_sched:
- printk(KERN_INFO "CT: %d: failed to start with err=%d\n", veid, err);
- return err;
-}
-
-
-/**********************************************************************
- **********************************************************************
- *
- * VE start/stop callbacks
- *
- **********************************************************************
- **********************************************************************/
-
-int real_env_create(envid_t veid, unsigned flags, u32 class_id,
- env_create_param_t *data, int datalen)
-{
- int status;
- struct ve_struct *ve;
-
- if (!flags) {
- status = get_exec_env()->veid;
- goto out;
- }
-
- status = -EPERM;
- if (!capable_setveid())
- goto out;
-
- status = -EINVAL;
- if ((flags & VE_TEST) && (flags & (VE_ENTER|VE_CREATE)))
- goto out;
-
- status = -EINVAL;
- ve = get_ve_by_id(veid);
- if (ve) {
- if (flags & VE_TEST) {
- status = 0;
- goto out_put;
- }
- if (flags & VE_EXCLUSIVE) {
- status = -EACCES;
- goto out_put;
- }
- if (flags & VE_CREATE) {
- flags &= ~VE_CREATE;
- flags |= VE_ENTER;
- }
- } else {
- if (flags & (VE_TEST|VE_ENTER)) {
- status = -ESRCH;
- goto out;
- }
- }
-
- if (flags & VE_CREATE) {
- status = do_env_create(veid, flags, class_id, data, datalen);
- goto out;
- } else if (flags & VE_ENTER)
- status = do_env_enter(ve, flags);
-
- /* else: returning EINVAL */
-
-out_put:
- put_ve(ve);
-out:
- return status;
-}
-EXPORT_SYMBOL(real_env_create);
-
-static int do_env_enter(struct ve_struct *ve, unsigned int flags)
-{
- struct task_struct *tsk = current;
- int err;
-
- err = fairsched_move_task(ve->veid, current);
- if (err)
- return err;
-
- err = -EBUSY;
- down_read(&ve->op_sem);
- if (!ve->is_running)
- goto out_up;
- if (ve->is_locked && !(flags & VE_SKIPLOCK))
- goto out_up;
-
- switch_task_namespaces(tsk, get_nsproxy(ve->ve_ns));
-
- commit_creds(get_new_cred(ve->init_cred));
-
- err = cgroup_kernel_attach(ve->css.cgroup, current);
- if (err)
- goto out_up;
-
- if (alone_in_pgrp(tsk) && !(flags & VE_SKIPLOCK))
- change_active_pid_ns(tsk, ve->ve_ns->pid_ns);
-
- /* Unlike VE_CREATE, we do not setsid() in VE_ENTER.
- * Process is allowed to be in an external group/session.
- * If user space callers wants, it will do setsid() after
- * VE_ENTER.
- */
- err = ve->veid;
- tsk->did_ve_enter = 1;
-
-out_up:
- up_read(&ve->op_sem);
-
- if (err < 0)
- fairsched_move_task(0, current);
-
- return err;
-}
-
-static void vzmon_stop_notifier(void *data)
-{
- struct ve_struct *ve = data;
-
- if (ve->legacy)
- fairsched_drop_node(ve->veid, 0);
-}
-
-static struct ve_hook vzmon_stop_hook = {
- .fini = vzmon_stop_notifier,
- .priority = HOOK_PRIO_FINISHING,
- .owner = THIS_MODULE,
-};
-
/**********************************************************************
**********************************************************************
*
@@ -1086,38 +685,11 @@ int vzcalls_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
break;
#endif
case VZCTL_ENV_CREATE: {
- struct vzctl_env_create s;
- err = -EFAULT;
- if (copy_from_user(&s, (void __user *)arg, sizeof(s)))
- break;
- err = real_env_create(s.veid, s.flags, s.class_id,
- NULL, 0);
+ err = -ENOTSUPP;
}
break;
case VZCTL_ENV_CREATE_DATA: {
- struct vzctl_env_create_data s;
- env_create_param_t *data;
- err = -EFAULT;
- if (copy_from_user(&s, (void __user *)arg, sizeof(s)))
- break;
- err=-EINVAL;
- if (s.datalen < VZCTL_ENV_CREATE_DATA_MINLEN ||
- s.datalen > VZCTL_ENV_CREATE_DATA_MAXLEN ||
- s.data == 0)
- break;
- err = -ENOMEM;
- data = kzalloc(sizeof(*data), GFP_KERNEL);
- if (!data)
- break;
-
- err = -EFAULT;
- if (copy_from_user(data, (void __user *)s.data,
- s.datalen))
- goto free_data;
- err = real_env_create(s.veid, s.flags, s.class_id,
- data, s.datalen);
-free_data:
- kfree(data);
+ err = -ENOTSUPP;
}
break;
case VZCTL_GET_CPU_STAT: {
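Review bot: `-ENOTSUPP` in the VZCTL_ENV_CREATE and VZCTL_ENV_CREATE_DATA arms is a kernel-internal errno (524) with no entry in the uapi errno table, so an old vzctl issuing these ioctls gets "Unknown error 524" from strerror; return `-EOPNOTSUPP` instead, or drop both cases and let the switch's default arm answer as it does for any unknown command (conventionally -ENOTTY, not visible in the hunk). The now-empty braced bodies can go as well: `case VZCTL_ENV_CREATE:` and `case VZCTL_ENV_CREATE_DATA:` can fall into one shared `err = -EOPNOTSUPP; break;`. vzcalls_ioctl starts and ends outside the hunk.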
@@ -1239,8 +811,6 @@ static int __init vecalls_init(void)
{
int err;
- ve_hook_register(VE_SS_CHAIN, &vzmon_stop_hook);
-
err = init_vecalls_cgroups();
if (err)
goto out_cgroups;
@@ -1265,8 +835,6 @@ out_ioctls:
out_proc:
fini_vecalls_cgroups();
out_cgroups:
- ve_hook_unregister(&vzmon_stop_hook);
-
return err;
}
@@ -1275,7 +843,6 @@ static void __exit vecalls_exit(void)
fini_vecalls_ioctls();
fini_vecalls_proc();
fini_vecalls_cgroups();
- ve_hook_unregister(&vzmon_stop_hook);
}
MODULE_AUTHOR("SWsoft <info at sw-soft.com>");
diff --git a/security/device_cgroup.c b/security/device_cgroup.c
index 0a6d9c482596..92f92f5f49e6 100644
--- a/security/device_cgroup.c
+++ b/security/device_cgroup.c
@@ -1001,52 +1001,6 @@ int devcgroup_inode_mknod(int mode, dev_t dev)
#ifdef CONFIG_VE
-static struct dev_exception_item default_whitelist_items[] = {
- { ~0, ~0, DEV_CHAR, ACC_HIDDEN | ACC_MKNOD },
- { ~0, ~0, DEV_BLOCK, ACC_HIDDEN | ACC_MKNOD },
- { UNIX98_PTY_MASTER_MAJOR, ~0, DEV_CHAR, ACC_HIDDEN | ACC_MKNOD | ACC_READ | ACC_WRITE },
- { UNIX98_PTY_SLAVE_MAJOR, ~0, DEV_CHAR, ACC_HIDDEN | ACC_MKNOD | ACC_READ | ACC_WRITE },
- { PTY_MASTER_MAJOR, ~0, DEV_CHAR, ACC_HIDDEN | ACC_MKNOD | ACC_READ | ACC_WRITE },
- { PTY_SLAVE_MAJOR, ~0, DEV_CHAR, ACC_HIDDEN | ACC_MKNOD | ACC_READ | ACC_WRITE },
- { MEM_MAJOR, 3, DEV_CHAR, ACC_HIDDEN | ACC_MKNOD | ACC_READ | ACC_WRITE }, /* null */
- { MEM_MAJOR, 5, DEV_CHAR, ACC_HIDDEN | ACC_MKNOD | ACC_READ | ACC_WRITE }, /* zero */
- { MEM_MAJOR, 7, DEV_CHAR, ACC_HIDDEN | ACC_MKNOD | ACC_READ | ACC_WRITE }, /* full */
- { TTYAUX_MAJOR, 0, DEV_CHAR, ACC_HIDDEN | ACC_MKNOD | ACC_READ | ACC_WRITE }, /* tty */
- { TTYAUX_MAJOR, 1, DEV_CHAR, ACC_HIDDEN | ACC_MKNOD | ACC_READ | ACC_WRITE }, /* console */
- { TTYAUX_MAJOR, 2, DEV_CHAR, ACC_HIDDEN | ACC_MKNOD | ACC_READ | ACC_WRITE }, /* ptmx */
- { MEM_MAJOR, 8, DEV_CHAR, ACC_HIDDEN | ACC_MKNOD | ACC_READ | ACC_WRITE }, /* random */
- { MEM_MAJOR, 9, DEV_CHAR, ACC_HIDDEN | ACC_MKNOD | ACC_READ | ACC_WRITE }, /* urandom */
- { MEM_MAJOR, 11, DEV_CHAR, ACC_HIDDEN | ACC_MKNOD | ACC_WRITE }, /* kmsg */
- { MISC_MAJOR, 200, DEV_CHAR, ACC_HIDDEN | ACC_MKNOD | ACC_READ | ACC_WRITE }, /* tun */
-};
-
-static LIST_HEAD(default_whitelist);
-
-int devcgroup_default_perms_ve(struct cgroup *cgroup)
-{
- struct dev_cgroup *dev_cgroup = cgroup_to_devcgroup(cgroup);
- struct dev_exception_item *wl, *tmp;
- int i, err;
-
- mutex_lock(&devcgroup_mutex);
- if (list_empty(&default_whitelist)) {
- for (i = 0; i < ARRAY_SIZE(default_whitelist_items); i++)
- list_add_tail(&default_whitelist_items[i].list,
- &default_whitelist);
- }
- list_for_each_entry_safe(wl, tmp, &dev_cgroup->exceptions, list) {
- wl->access = 0;
- list_del_rcu(&wl->list);
- kfree_rcu(wl, rcu);
- }
- err = dev_exceptions_copy(&dev_cgroup->exceptions, &default_whitelist);
- dev_cgroup->behavior = DEVCG_DEFAULT_DENY;
- mutex_unlock(&devcgroup_mutex);
-
- return err;
-}
-EXPORT_SYMBOL(devcgroup_default_perms_ve);
-
static unsigned decode_ve_perms(unsigned perm)
{
unsigned mask = 0;
--
2.1.4