[Devel] [PATCH rh7] Drop CAP_VE_ADMIN and CAP_VE_NET_ADMIN

Vladimir Davydov vdavydov at virtuozzo.com
Wed Jun 22 02:11:50 PDT 2016


Not needed anymore as we use user ns for capability checking.
Also, move capable_setveid() helper to ve.h so as not to pollute
generic headers.

Signed-off-by: Vladimir Davydov <vdavydov at virtuozzo.com>
---
 include/linux/ve.h              |  3 +++
 include/uapi/linux/capability.h | 55 -----------------------------------------
 2 files changed, 3 insertions(+), 55 deletions(-)

diff --git a/include/linux/ve.h b/include/linux/ve.h
index cea3a87cb9c0..247cadb78c06 100644
--- a/include/linux/ve.h
+++ b/include/linux/ve.h
@@ -138,6 +138,9 @@ struct ve_devmnt {
 #define VE_MEMINFO_DEFAULT      1       /* default behaviour */
 #define VE_MEMINFO_SYSTEM       0       /* disable meminfo virtualization */
 
+#define capable_setveid() \
+	(ve_is_super(get_exec_env()) && capable(CAP_SYS_ADMIN))
+
 extern int nr_ve;
 extern struct proc_dir_entry *proc_vz_dir;
 extern struct cgroup_subsys ve_subsys;
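Review bot: The `capable_setveid()` macro added to include/linux/ve.h has no comment saying who may pass it, and the check is narrower than the removed one, which also accepted `CAP_VE_ADMIN`. I would put `/* Host-only: caller must be in the super VE and hold CAP_SYS_ADMIN; capable() is not relative to the container's user namespace. */` above it, assuming this tree keeps mainline's capable(), which tests the initial user namespace; please confirm. Callers that picked the macro up through linux/capability.h now need linux/ve.h, and the patch touches no callers, so every user should be build-checked. Whether this spot in ve.h sits inside a `CONFIG_VE` guard is not visible in the hunk; the old definition was only under `__KERNEL__`, so a !CONFIG_VE build is worth checking too.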
diff --git a/include/uapi/linux/capability.h b/include/uapi/linux/capability.h
index cadbfe6109e8..b3d37bb108b8 100644
--- a/include/uapi/linux/capability.h
+++ b/include/uapi/linux/capability.h
@@ -307,61 +307,6 @@ struct vfs_cap_data {
 
 #define CAP_SETFCAP	     31
 
-#ifdef __KERNEL__
-/*
- * Important note: VZ capabilities do intersect with CAP_AUDIT
- * this is due to compatibility reasons. Nothing bad.
- * Both VZ and Audit/SELinux caps are disabled in VPSs.
- */
-
-/* Allow access to all information. In the other case some structures will be
- * hiding to ensure different Virtual Environment non-interaction on the same
- * node (NOW OBSOLETED)
- */
-#define CAP_SETVEID	     29
-
-#define capable_setveid()	({			\
-		ve_is_super(get_exec_env()) &&		\
-			(capable(CAP_SYS_ADMIN) ||	\
-			 capable(CAP_VE_ADMIN));	\
-	})
-
-/*
- * coinsides with CAP_AUDIT_CONTROL but we don't care, since
- * audit is disabled in Virtuozzo
- */
-#define CAP_VE_ADMIN	     30
-
-#ifdef CONFIG_VE
-
-/* Replacement for CAP_NET_ADMIN:
-   delegated rights to the Virtual environment of its network administration.
-   For now the following rights have been delegated:
-
-   Allow setting arbitrary process / process group ownership on sockets
-   Allow interface configuration
- */
-#define CAP_VE_NET_ADMIN     CAP_VE_ADMIN
-
-/* Replacement for CAP_SYS_ADMIN:
-   delegated rights to the Virtual environment of its administration.
-   For now the following rights have been delegated:
- */
-/* Allow mount/umount/remount */
-/* Allow examination and configuration of disk quotas */
-/* Allow removing semaphores */
-/* Used instead of CAP_CHOWN to "chown" IPC message queues, semaphores
-   and shared memory */
-/* Allow locking/unlocking of shared memory segment */
-/* Allow forged pids on socket credentials passing */
-
-#define CAP_VE_SYS_ADMIN     CAP_VE_ADMIN
-#else
-#define CAP_VE_NET_ADMIN     CAP_NET_ADMIN
-#define CAP_VE_SYS_ADMIN     CAP_SYS_ADMIN
-#endif
-#endif
-
 /* Override MAC access.
    The base kernel enforces no MAC policy.
    An LSM may enforce a MAC policy, and if it does and it chooses
-- 
2.1.4


