[Devel] [PATCH RHEL7 COMMIT] ve: drop not used CAP_VE_ADMIN and CAP_VE_NET_ADMIN
Konstantin Khorenko
khorenko at virtuozzo.com
Wed Jun 22 05:48:45 PDT 2016
The commit is pushed to "branch-rh7-3.10.0-327.18.2.vz7.14.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-327.18.2.vz7.14.17
------>
commit cb6242e909e43182b9bdcd08342b50500d5bad84
Author: Vladimir Davydov <vdavydov at virtuozzo.com>
Date: Wed Jun 22 16:48:45 2016 +0400
ve: drop not used CAP_VE_ADMIN and CAP_VE_NET_ADMIN
No longer needed, since capability checks now go through the user namespace.
Also, move capable_setveid() helper to ve.h so as not to pollute
generic headers.
Signed-off-by: Vladimir Davydov <vdavydov at virtuozzo.com>
---
include/linux/ve.h | 3 +++
include/uapi/linux/capability.h | 55 -----------------------------------------
2 files changed, 3 insertions(+), 55 deletions(-)
diff --git a/include/linux/ve.h b/include/linux/ve.h
index cea3a87..247cadb 100644
--- a/include/linux/ve.h
+++ b/include/linux/ve.h
@@ -138,6 +138,9 @@ struct ve_devmnt {
#define VE_MEMINFO_DEFAULT 1 /* default behaviour */
#define VE_MEMINFO_SYSTEM 0 /* disable meminfo virtualization */
+#define capable_setveid() \
+ (ve_is_super(get_exec_env()) && capable(CAP_SYS_ADMIN))
+
extern int nr_ve;
extern struct proc_dir_entry *proc_vz_dir;
extern struct cgroup_subsys ve_subsys;
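Review bot: The new capable_setveid() macro at the top of this hunk is moved into ve.h without any comment, although it is an authorization check and its semantics are not obvious from the two calls alone; the deleted definition in capability.h at least carried some explanation. I would add, above the `#define`, `/* True only for a task in the host (super) VE that also holds CAP_SYS_ADMIN; ve_is_super() is tested first so capable() is never consulted for container tasks. */`, which also documents that the short-circuit order is deliberate and not merely stylistic. As a point of style, if the declarations of get_exec_env() and capable() are visible in ve.h at this point (I cannot tell from the hunk), a `static inline bool capable_setveid(void)` would give the same behaviour with type checking and no macro-expansion surprises; if they are not, the macro should stay as is. The surrounding `struct ve_devmnt` region named in the hunk header starts outside the hunk.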
diff --git a/include/uapi/linux/capability.h b/include/uapi/linux/capability.h
index cadbfe6..b3d37bb 100644
--- a/include/uapi/linux/capability.h
+++ b/include/uapi/linux/capability.h
@@ -307,61 +307,6 @@ struct vfs_cap_data {
#define CAP_SETFCAP 31
-#ifdef __KERNEL__
-/*
- * Important note: VZ capabilities do intersect with CAP_AUDIT
- * this is due to compatibility reasons. Nothing bad.
- * Both VZ and Audit/SELinux caps are disabled in VPSs.
- */
-
-/* Allow access to all information. In the other case some structures will be
- * hiding to ensure different Virtual Environment non-interaction on the same
- * node (NOW OBSOLETED)
- */
-#define CAP_SETVEID 29
-
-#define capable_setveid() ({ \
- ve_is_super(get_exec_env()) && \
- (capable(CAP_SYS_ADMIN) || \
- capable(CAP_VE_ADMIN)); \
- })
-
-/*
- * coinsides with CAP_AUDIT_CONTROL but we don't care, since
- * audit is disabled in Virtuozzo
- */
-#define CAP_VE_ADMIN 30
-
-#ifdef CONFIG_VE
-
-/* Replacement for CAP_NET_ADMIN:
- delegated rights to the Virtual environment of its network administration.
- For now the following rights have been delegated:
-
- Allow setting arbitrary process / process group ownership on sockets
- Allow interface configuration
- */
-#define CAP_VE_NET_ADMIN CAP_VE_ADMIN
-
-/* Replacement for CAP_SYS_ADMIN:
- delegated rights to the Virtual environment of its administration.
- For now the following rights have been delegated:
- */
-/* Allow mount/umount/remount */
-/* Allow examination and configuration of disk quotas */
-/* Allow removing semaphores */
-/* Used instead of CAP_CHOWN to "chown" IPC message queues, semaphores
- and shared memory */
-/* Allow locking/unlocking of shared memory segment */
-/* Allow forged pids on socket credentials passing */
-
-#define CAP_VE_SYS_ADMIN CAP_VE_ADMIN
-#else
-#define CAP_VE_NET_ADMIN CAP_NET_ADMIN
-#define CAP_VE_SYS_ADMIN CAP_SYS_ADMIN
-#endif
-#endif
-
/* Override MAC access.
The base kernel enforces no MAC policy.
An LSM may enforce a MAC policy, and if it does and it chooses