[Devel] [PATCH RHEL7 COMMIT] ve/cgroup: Prohibit access to toplevel cgroups in CT

Konstantin Khorenko khorenko at virtuozzo.com
Thu Mar 24 09:15:32 PDT 2016


The commit is pushed to "branch-rh7-3.10.0-327.10.1.vz7.12.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-327.10.1.vz7.12.3
------>
commit 31fe0714d2e7d37991312e390d6e78e4827dcc74
Author: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
Date:   Thu Mar 24 20:15:32 2016 +0400

    ve/cgroup: Prohibit access to toplevel cgroups in CT
    
    To allow write access to a top-level cgroup, e.g. on CT start and resume,
    one needs to enable ve.pseudosuper; the appropriate patch has been sent to libvzctl.
    
    libvzctl pull request:
    https://src.openvz.org/projects/OVZ/repos/libvzctl/pull-requests/50/
    (available in libvzctl-7.0.185)
    
    https://jira.sw.ru/browse/PSBM-44981
    
    Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
    Acked-by: Cyrill Gorcunov <gorcunov at openvz.org>
---
 kernel/cgroup.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/kernel/cgroup.c b/kernel/cgroup.c
index 3bc12e4..fa4eeb5 100644
--- a/kernel/cgroup.c
+++ b/kernel/cgroup.c
@@ -2411,10 +2411,10 @@ static ssize_t cgroup_file_write(struct file *file, const char __user *buf,
 	 * userspace from ve0 should *never* bindmount it
 	 * inside a container FS.
 	 */
-	if (!ve_is_super(get_exec_env())) {
-		if (!cgrp->parent || !cgrp->parent->parent)
-			pr_warn_once("FIXME: Write into toplevel cgroup, restore?");
-	}
+	if (!ve_is_super(get_exec_env())
+	    && (!cgrp->parent || !cgrp->parent->parent)
+	    && !get_exec_env()->is_pseudosuper)
+		return -EPERM;
 #endif
 
 	if (cgroup_is_removed(cgrp))
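Review bot: the new condition calls get_exec_env() twice and leaves the comment above it stale; hoist the lookup into a local (e.g. `struct ve_struct *ve = get_exec_env();` then `if (!ve_is_super(ve) && (!cgrp->parent || !cgrp->parent->parent) && !ve->is_pseudosuper)`) and extend the comment, which still only talks about ve0 never bind-mounting the hierarchy into a container, to state the behaviour this hunk introduces: writes from inside a CT to a cgroup at depth 0 or 1 are now refused with -EPERM instead of logging a warn_once, and the only exception is a VE with is_pseudosuper set. Spelling out in that comment why depth 1 counts as "toplevel" from a container's point of view would save the next reader from having to reconstruct it from the parent->parent test. Since the gate lives in cgroup_file_write only, it is also worth confirming in the commit description whether directory creation and removal on the same toplevel cgroups are meant to remain ungated or are covered elsewhere.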
