[Devel] [PATCH] ve: allow to do anything from init_user_ns

Andrei Vagin avagin at openvz.org
Mon Jul 24 23:55:55 MSK 2017


From: Andrei Vagin <avagin at virtuozzo.com>

current_user_ns_initial() is used to restrict operations,
which are allowed in a ve initial userns, but aren't allowed
in sub-user-namespaces. But now this function doesn't take
into account init_user_ns. init_user_ns is the root item in the
hierarchy of user namespaces, so it is actually initial
for ve-s. The upstream kernel allows doing anything from
init_user_ns, and we don't want to change this behaviour.

https://jira.sw.ru/browse/PSBM-58574

Cc: Stanislav Kinsburskiy <skinsbursky at virtuozzo.com>
Cc: Kirill Tkhai <ktkhai at virtuozzo.com>
Signed-off-by: Andrei Vagin <avagin at virtuozzo.com>
---
 kernel/ve/ve.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/kernel/ve/ve.c b/kernel/ve/ve.c
index 0533d79..e95b3f3 100644
--- a/kernel/ve/ve.c
+++ b/kernel/ve/ve.c
@@ -241,6 +241,9 @@ bool current_user_ns_initial(void)
 	struct ve_struct *ve = get_exec_env();
 	bool ret = false;
 
+	if (current_user_ns() == &init_user_ns)
+		return true;
+
 	rcu_read_lock();
 	if (ve->ve_ns && ve->init_cred->user_ns == current_user_ns())
 		ret = true;
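Review bot: the new `init_user_ns` check sits after `struct ve_struct *ve = get_exec_env();`, so the VE lookup is still performed on the fast path it is meant to short-circuit; moving the two added lines above that declaration keeps the early exit cheap. A one-line comment above `if (current_user_ns() == &init_user_ns)` stating that tasks in the initial user namespace are unconditionally treated as being in a VE's initial userns, to match upstream, would also help, since without it a reader may wonder whether bypassing the `ve->init_cred->user_ns` comparison for such tasks was intended. Locking is fine: the `return true` happens before `rcu_read_lock()`, so no read-side critical section is left open.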
-- 
1.8.3.1
