[Devel] [PATCH] ve: allow to do anything from init_user_ns

Andrei Vagin avagin at virtuozzo.com
Mon Jul 24 23:59:15 MSK 2017


On Mon, Jul 24, 2017 at 11:55:55PM +0300, Andrei Vagin wrote:
> From: Andrei Vagin <avagin at virtuozzo.com>
> 
> current_user_ns_initial() is used to restrict operations,
> which are allowed in a ve initial userns, but aren't allowed
> in sub-user-namespaces. But now this function doesn't take
> into account init_user_ns. init_user_ns is a root item in the
> hierarchy of user namespaces, so it is actually initial
> for ve-s. The upstream kernel allows to do anything from
> init_user_ns, and we don't want to change this behaviour.
> 
> https://jira.sw.ru/browse/PSBM-58574

The previous link is wrong; here is the right one:
https://jira.sw.ru/browse/PSBM-68157

> 
> Cc: Stanislav Kinsburskiy <skinsbursky at virtuozzo.com>
> Cc: Kirill Tkhai <ktkhai at virtuozzo.com>
> Signed-off-by: Andrei Vagin <avagin at virtuozzo.com>
> ---
>  kernel/ve/ve.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/kernel/ve/ve.c b/kernel/ve/ve.c
> index 0533d79..e95b3f3 100644
> --- a/kernel/ve/ve.c
> +++ b/kernel/ve/ve.c
> @@ -241,6 +241,9 @@ bool current_user_ns_initial(void)
>  	struct ve_struct *ve = get_exec_env();
>  	bool ret = false;
>  
> +	if (current_user_ns() == &init_user_ns)
> +		return true;
> +
>  	rcu_read_lock();
>  	if (ve->ve_ns && ve->init_cred->user_ns == current_user_ns())
>  		ret = true;
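Review bot: the new early return at the top of current_user_ns_initial() has no comment explaining why a task whose creds sit in init_user_ns passes unconditionally, even inside a ve whose init_cred->user_ns is a container namespace; a reader of the function only learns the rationale from the commit message. A one-liner such as `/* init_user_ns is the root of the userns hierarchy: treat it as initial for every ve */` above `if (current_user_ns() == &init_user_ns)` would fix that. Placing the check before rcu_read_lock() is fine, since current_user_ns() only reads current's own creds and the early path takes no lock that would need releasing.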
> -- 
> 1.8.3.1
> 

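As an added illustration (not part of the patch or of the Virtuozzo kernel sources), here is a userspace C model of the userns hierarchy and of current_user_ns_initial() before and after this change. The struct and function names (user_ns_initial_before/after, run_case, the container_ns/nested_ns hierarchy, ve_ns modelled as a plain flag) are simplifications chosen for this example, not the kernel's own; the only case whose verdict flips is a task with init_user_ns creds running in a ve whose init task lives in a container userns.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-ins for the kernel structures the check reads. */
struct user_namespace {
    const char *name;
    struct user_namespace *parent;   /* NULL only for the root namespace */
};

struct cred {
    struct user_namespace *user_ns;
};

struct ve_struct {
    bool ve_ns;                 /* modelled as a flag: ve namespaces attached */
    struct cred *init_cred;     /* credentials of the ve's init task */
};

struct task {
    struct ve_struct *ve;       /* what get_exec_env() would return */
    struct cred *cred;          /* what current_cred() would return */
};

/* Constructed hierarchy (example data): init_user_ns -> container_ns -> nested_ns. */
static struct user_namespace init_user_ns = { "init_user_ns", NULL };
static struct user_namespace container_ns = { "container_ns", &init_user_ns };
static struct user_namespace nested_ns    = { "nested_ns",    &container_ns };

/* Behaviour before the patch: only the ve's own initial userns qualifies. */
static bool user_ns_initial_before(const struct task *t)
{
    const struct ve_struct *ve = t->ve;
    return ve->ve_ns && ve->init_cred->user_ns == t->cred->user_ns;
}

/* Behaviour after the patch: init_user_ns short-circuits to true. */
static bool user_ns_initial_after(const struct task *t)
{
    if (t->cred->user_ns == &init_user_ns)
        return true;
    return user_ns_initial_before(t);
}

struct verdict { bool before, after; };

/* Evaluate both versions for a task whose creds sit in task_ns, running in a
 * ve whose init task's creds sit in ve_init_ns. */
struct verdict run_case(struct user_namespace *ve_init_ns,
                        struct user_namespace *task_ns, bool ve_ns)
{
    struct cred init_cred = { ve_init_ns };
    struct cred task_cred = { task_ns };
    struct ve_struct ve = { ve_ns, &init_cred };
    struct task t = { &ve, &task_cred };
    struct verdict v = { user_ns_initial_before(&t), user_ns_initial_after(&t) };
    return v;
}

static void show(const char *label, struct verdict v)
{
    printf("%-44s before=%d after=%d\n", label, v.before, v.after);
}

int main(void)
{
    /* host task in ve0, whose init cred is init_user_ns: allowed both ways */
    show("init_user_ns task in ve0", run_case(&init_user_ns, &init_user_ns, true));
    /* container init task in its own initial userns: unchanged */
    show("container task in container_ns", run_case(&container_ns, &container_ns, true));
    /* task in a sub-user-namespace: still rejected */
    show("container task in nested_ns", run_case(&container_ns, &nested_ns, true));
    /* the case the patch changes: init_user_ns creds inside a container ve */
    show("init_user_ns task in container ve", run_case(&container_ns, &init_user_ns, true));
    /* ve with no namespaces attached: init_user_ns creds now still pass */
    show("init_user_ns task, ve_ns unset", run_case(&container_ns, &init_user_ns, false));
    return 0;
}
```

Running it shows that the first three rows agree before and after, while the last two turn from 0 to 1, which is exactly the widening the commit message describes.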
