[Devel] [PATCH RH7 1/2] cgroup: prohibit access to toplevel cgroup in CT
Pavel Tikhomirov
ptikhomirov at virtuozzo.com
Mon Mar 21 06:54:40 PDT 2016
To allow write access to the top-level cgroup, e.g. on CT start and resume,
one needs to enable ve.pseudosuper; the appropriate patch has been sent to libvzctl.
libvzctl pull request:
https://src.openvz.org/projects/OVZ/repos/libvzctl/pull-requests/50/
https://jira.sw.ru/browse/PSBM-44981
Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
---
kernel/cgroup.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/kernel/cgroup.c b/kernel/cgroup.c
index 3bc12e4..fa4eeb5 100644
--- a/kernel/cgroup.c
+++ b/kernel/cgroup.c
@@ -2411,10 +2411,10 @@ static ssize_t cgroup_file_write(struct file *file, const char __user *buf,
* userspace from ve0 should *never* bindmount it
* inside a container FS.
*/
- if (!ve_is_super(get_exec_env())) {
- if (!cgrp->parent || !cgrp->parent->parent)
- pr_warn_once("FIXME: Write into toplevel cgroup, restore?");
- }
+ if (!ve_is_super(get_exec_env())
+ && (!cgrp->parent || !cgrp->parent->parent)
+ && !get_exec_env()->is_pseudosuper)
+ return -EPERM;
#endif
if (cgroup_is_removed(cgrp))
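Review bot: the comment block directly above the new condition still describes the old intent ("userspace from ve0 should *never* bindmount it inside a container FS") and says nothing about the behaviour this hunk introduces, so please extend it to state that writes into the root and first-level cgroups from inside a container are now refused with -EPERM unless the VE has is_pseudosuper set, and why that exception exists (CT start/resume via libvzctl, per the commit message). Two smaller points on the same lines: `get_exec_env()` is now evaluated twice in one condition (`!ve_is_super(get_exec_env())` and `!get_exec_env()->is_pseudosuper`), so caching it in a local such as `struct ve_struct *ve = get_exec_env();` would read better and avoid the double call; and since this replaces a `pr_warn_once` with a hard error under the same `#ifdef`, it is a user-visible change for any in-container writer that previously only triggered the warning, which is worth calling out explicitly in the commit message alongside the libvzctl dependency.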
--
1.9.3