[Devel] [PATCH RHEL7 COMMIT] prctl: reduce requirements to exe link change

Konstantin Khorenko khorenko at virtuozzo.com
Wed Jul 5 12:57:12 MSK 2017


The commit is pushed to "branch-rh7-3.10.0-514.26.1.vz7.33.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-514.26.1.vz7.33.1
------>
commit e899ae0ef5cad26565b58abc994f62e5682067a4
Author: Stanislav Kinsburskiy <skinsbursky at virtuozzo.com>
Date:   Wed Jul 5 13:57:12 2017 +0400

    prctl: reduce requirements to exe link change
    
    Do not require CAP_SYS_RESOURCE anymore to change exe link.
    This is needed to allow spfs manager to change it in an unprivileged process.
    In case of CRIU this restriction wasn't a problem, since CRIU is a privileged
    process and drops capabilities _after_ exe link change.
    But then spfs manager is not able to do the same thing for an unprivileged
    process.
    We are not going to push NFS to upstream anymore. And thus can relax
    requirements in our kernel.
    Note: this limitation is somewhat strange, because exe link can be changed
    upon execve system call.
    
    https://jira.sw.ru/browse/PSBM-50867
    
    Signed-off-by: Stanislav Kinsburskiy <skinsbursky at virtuozzo.com>
    Acked-by: Konstantin Khorenko <khorenko at virtuozzo.com>
    
    khorenko@: this allows migrating online unprivileged processes whose binaries
    lie on an NFS volume.
---
 kernel/sys.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/kernel/sys.c b/kernel/sys.c
index 9a681ae..f8f1dd9 100644
--- a/kernel/sys.c
+++ b/kernel/sys.c
@@ -2329,12 +2329,12 @@ static int prctl_set_mm(int opt, unsigned long addr,
 		return prctl_set_mm_map(opt, (const void __user *)addr, arg4);
 #endif
 
-	if (!ve_capable(CAP_SYS_RESOURCE))
-		return -EPERM;
-
 	if (opt == PR_SET_MM_EXE_FILE)
 		return prctl_set_mm_exe_file(mm, (unsigned int)addr);
 
+	if (!ve_capable(CAP_SYS_RESOURCE))
+		return -EPERM;
+
 	if (opt == PR_SET_MM_AUXV)
 		return prctl_set_auxv(mm, addr, arg4);
 
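Review bot: moving the ve_capable(CAP_SYS_RESOURCE) check below the PR_SET_MM_EXE_FILE branch makes the exe-link change reachable by any unprivileged caller of prctl(PR_SET_MM), so the hunk now relies entirely on whatever validation prctl_set_mm_exe_file() does on the passed fd; that function is outside this hunk, and the commit message should state which of its checks are considered sufficient, because /proc/PID/exe is consumed by audit, monitoring and policy tooling as the record of what a process is running. Keeping the check in place for PR_SET_MM_AUXV and the later options (rather than deleting it) is the right shape; consider adding a short comment above the relocated check, e.g. "/* exe link change is allowed without CAP_SYS_RESOURCE, see PSBM-50867 */", so the next reader does not assume the reordering was accidental.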