[Devel] [PATCH RHEL7 COMMIT] ve/cgroup: Allow to write to several safe cgroup files from CT

Konstantin Khorenko khorenko at virtuozzo.com
Thu Mar 24 09:15:32 PDT 2016


The commit is pushed to "branch-rh7-3.10.0-327.10.1.vz7.12.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-327.10.1.vz7.12.3
------>
commit 0f9d484e6a6378d98a880861ee39467118bcd6c9
Author: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
Date:   Thu Mar 24 20:15:32 2016 +0400

    ve/cgroup: Allow to write to several safe cgroup files from CT
    
    Add flag CFTYPE_VE_WRITABLE to identify cgroup files writable in CT.
    
    File memory.use_hierarchy is safe to set in CT and needed by
    systemd, it only makes memory cgroup accounting fully hierarchic.
    
    Files tasks and cgroup.procs are needed to move tasks to top CT
    cgroups - that is also safe.
    
    https://jira.sw.ru/browse/PSBM-44981
    
    Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
    Acked-by: Cyrill Gorcunov <gorcunov at openvz.org>
    
    kgorkunov@: procs are safe 'cause from inside of container we don't have
    access to nother pid namespaces.
---
 include/linux/cgroup.h | 1 +
 kernel/cgroup.c        | 5 ++++-
 mm/memcontrol.c        | 2 +-
 3 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/include/linux/cgroup.h b/include/linux/cgroup.h
index ed5e6ac..aad06e8 100644
--- a/include/linux/cgroup.h
+++ b/include/linux/cgroup.h
@@ -416,6 +416,7 @@ struct cgroup_map_cb {
 #define CFTYPE_ONLY_ON_ROOT	(1U << 0)	/* only create on root cg */
 #define CFTYPE_NOT_ON_ROOT	(1U << 1)	/* don't create on root cg */
 #define CFTYPE_INSANE		(1U << 2)	/* don't create if sane_behavior */
+#define CFTYPE_VE_WRITABLE	(1U << 15)	/* allow write from CT */
 
 #define MAX_CFTYPE_NAME		64
 
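Review bot: The comment on the new define, `/* allow write from CT */`, does not state what the flag does or when it may be applied — it exempts a file from the top-level cgroup write restriction in cgroup_file_write, so whoever adds it to another cftype has no written safety criterion. Suggest `/* exempt from the CT top-level cgroup write check; only for files whose write handler is safe to run with CT-visible state */`. The jump from bit 2 to bit 15 is presumably meant to keep clear of future upstream CFTYPE_* bits; a short remark saying so would stop a later reader from "tidying" it back to bit 3.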
diff --git a/kernel/cgroup.c b/kernel/cgroup.c
index fa4eeb5..5afeb59b 100644
--- a/kernel/cgroup.c
+++ b/kernel/cgroup.c
@@ -2413,7 +2413,8 @@ static ssize_t cgroup_file_write(struct file *file, const char __user *buf,
 	 */
 	if (!ve_is_super(get_exec_env())
 	    && (!cgrp->parent || !cgrp->parent->parent)
-	    && !get_exec_env()->is_pseudosuper)
+	    && !get_exec_env()->is_pseudosuper
+	    && !(cft->flags & CFTYPE_VE_WRITABLE))
 		return -EPERM;
 #endif
 
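Review bot: The guard now spans four conjuncts and evaluates get_exec_env() twice; hoisting it into a local before the `if` would make the condition read as a single policy statement, e.g. `ve = get_exec_env();` then `if (!ve_is_super(ve) && (!cgrp->parent || !cgrp->parent->parent) && !ve->is_pseudosuper && !(cft->flags & CFTYPE_VE_WRITABLE))`. The comment that closes on the first line of the hunk presumably documents the restriction; it is outside view, but nothing visible mentions the new exemption, so a line such as `* Files flagged CFTYPE_VE_WRITABLE bypass this check.` belongs there. cgroup_file_write starts and ends outside the hunk.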
@@ -4065,6 +4066,7 @@ static int cgroup_clone_children_write(struct cgroup *cgrp,
 static struct cftype files[] = {
 	{
 		.name = "tasks",
+		.flags = CFTYPE_VE_WRITABLE,
 		.open = cgroup_tasks_open,
 		.write_u64 = cgroup_tasks_write,
 		.release = cgroup_pidlist_release,
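Review bot: The safety argument for exempting "tasks" from the CT write restriction lives only in the commit message (pid lookup confined to the CT's pid namespace); at the point where the exemption is granted nothing says why, so a reader cannot tell whether the flag was deliberate or copied. Suggest `.flags = CFTYPE_VE_WRITABLE, /* safe: target pid resolves only in the CT's pid ns */` here and on the "procs" entry in the following hunk, which has the same gap. The handlers cgroup_tasks_write and cgroup_procs_write are named here but their bodies are outside the hunk, so whether they also keep the credential check the host path relies on cannot be confirmed from this diff.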
@@ -4072,6 +4074,7 @@ static struct cftype files[] = {
 	},
 	{
 		.name = CGROUP_FILE_GENERIC_PREFIX "procs",
+		.flags = CFTYPE_VE_WRITABLE,
 		.open = cgroup_procs_open,
 		.write_u64 = cgroup_procs_write,
 		.release = cgroup_pidlist_release,
diff --git a/mm/memcontrol.c b/mm/memcontrol.c
index af39f25..9ccc808 100644
--- a/mm/memcontrol.c
+++ b/mm/memcontrol.c
@@ -6225,7 +6225,7 @@ static struct cftype mem_cgroup_files[] = {
 	},
 	{
 		.name = "use_hierarchy",
-		.flags = CFTYPE_INSANE,
+		.flags = CFTYPE_INSANE | CFTYPE_VE_WRITABLE,
 		.write_u64 = mem_cgroup_hierarchy_write,
 		.read_u64 = mem_cgroup_hierarchy_read,
 	},
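Review bot: The flag makes use_hierarchy writable in both directions, while the commit message only argues that enabling it is safe; whether a CT can turn hierarchical accounting off at its top cgroup depends on mem_cgroup_hierarchy_write rejecting a change under a parent that already has use_hierarchy set (as I recall upstream does, but it is outside this hunk and worth confirming). A comment at the flag would pin the dependency: `/* CT-writable; relies on mem_cgroup_hierarchy_write refusing changes under a hierarchical parent */`.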

