[Devel] [PATCH] ve: allow to do anything from init_user_ns
Andrei Vagin
avagin at openvz.org
Mon Jul 24 23:55:55 MSK 2017
From: Andrei Vagin <avagin at virtuozzo.com>
current_user_ns_initial() is used to restrict operations
which are allowed in a ve initial userns, but aren't allowed
in sub-user-namespaces. But now this function doesn't take
into account init_user_ns. init_user_ns is the root item in the
hierarchy of user namespaces, so it is actually initial
for ve-s. The upstream kernel allows doing anything from
init_user_ns, and we don't want to change this behaviour.
https://jira.sw.ru/browse/PSBM-58574
Cc: Stanislav Kinsburskiy <skinsbursky at virtuozzo.com>
Cc: Kirill Tkhai <ktkhai at virtuozzo.com>
Signed-off-by: Andrei Vagin <avagin at virtuozzo.com>
---
kernel/ve/ve.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/kernel/ve/ve.c b/kernel/ve/ve.c
index 0533d79..e95b3f3 100644
--- a/kernel/ve/ve.c
+++ b/kernel/ve/ve.c
@@ -241,6 +241,9 @@ bool current_user_ns_initial(void)
struct ve_struct *ve = get_exec_env();
bool ret = false;
+ if (current_user_ns() == &init_user_ns)
+ return true;
+
rcu_read_lock();
if (ve->ve_ns && ve->init_cred->user_ns == current_user_ns())
ret = true;
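Review bot: the new early return at the top of current_user_ns_initial() makes the function answer true for any task whose current user namespace is &init_user_ns, regardless of which ve get_exec_env() returns, and nothing in the code records that this is intended; the only explanation lives in the commit message. Since this is a privilege check (the commit message says it gates operations that sub-user-namespaces must not perform), please add a short comment above the check, e.g. `/* init_user_ns is the root of the userns hierarchy and is initial for every ve */`, so a later reader does not treat the bypass of the ve->init_cred->user_ns comparison as an oversight. Minor style point: the check does not use `ve`, so it could sit before the get_exec_env() call, which also keeps the early return visually separate from the rcu-protected comparison that follows.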
--
1.8.3.1