[Devel] [PATCH RHEL7 COMMIT] prctl: reduce requirements to exe link change
Konstantin Khorenko
khorenko at virtuozzo.com
Wed Jul 5 12:57:12 MSK 2017
The commit is pushed to "branch-rh7-3.10.0-514.26.1.vz7.33.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-514.26.1.vz7.33.1
------>
commit e899ae0ef5cad26565b58abc994f62e5682067a4
Author: Stanislav Kinsburskiy <skinsbursky at virtuozzo.com>
Date: Wed Jul 5 13:57:12 2017 +0400
prctl: reduce requirements to exe link change
Do not request for CAP_SYS_RESOURCE anymore to change exe link.
This is needed to allow spfs manager to change it in unprivileged process.
In case of CRIU this restriction wasn't a problem, since CRIU is a priviledged
process and drops capabilities _after_ exe link change.
But then spfs manager is not able to do the same thing for unpriviledged
process.
We are not going to push NFS to upstream anymore. And thus can relax
requirements in our kernel.
Note: this limitation is somewhat strange, because exe link can be changed
upon execve system call.
https://jira.sw.ru/browse/PSBM-50867
Signed-off-by: Stanislav Kinsburskiy <skinsbursky at virtuozzo.com>
Acked-by: Konstantin Khorenko <khorenko at virtuozzo.com>
khorenko@: this allows to migrate online unprivileged processes which binaries
lay on an NFS volume.
---
kernel/sys.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/kernel/sys.c b/kernel/sys.c
index 9a681ae..f8f1dd9 100644
--- a/kernel/sys.c
+++ b/kernel/sys.c
@@ -2329,12 +2329,12 @@ static int prctl_set_mm(int opt, unsigned long addr,
return prctl_set_mm_map(opt, (const void __user *)addr, arg4);
#endif
- if (!ve_capable(CAP_SYS_RESOURCE))
- return -EPERM;
-
if (opt == PR_SET_MM_EXE_FILE)
return prctl_set_mm_exe_file(mm, (unsigned int)addr);
+ if (!ve_capable(CAP_SYS_RESOURCE))
+ return -EPERM;
+
if (opt == PR_SET_MM_AUXV)
return prctl_set_auxv(mm, addr, arg4);
More information about the Devel
mailing list