[Devel] [PATCH RHEL7 COMMIT] ve: allow to do anything from init_user_ns

Konstantin Khorenko khorenko at virtuozzo.com
Tue Jul 25 14:42:45 MSK 2017


The commit is pushed to "branch-rh7-3.10.0-514.26.1.vz7.33.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-514.26.1.vz7.33.16
------>
commit 9fb114c3d11eef3af7ee33ca51693fbe6d1ab7b7
Author: Andrei Vagin <avagin at virtuozzo.com>
Date:   Tue Jul 25 15:42:44 2017 +0400

    ve: allow to do anything from init_user_ns
    
    current_user_ns_initial() is used to restrict operations,
    which are allowed in a ve initial userns, but aren't allowed
    in sub-user-namespaces. But now this function doesn't take
    into account init_user_ns. init user_ns is a root item in the
    hierarchy of user namespaces, so it is actually initial
    for ve-s. The upstream kernel allows doing anything from
    init_user_ns, and we don't want to change this behaviour.
    
    https://jira.sw.ru/browse/PSBM-58574
    
    Cc: Kirill Tkhai <ktkhai at virtuozzo.com>
    Signed-off-by: Andrei Vagin <avagin at virtuozzo.com>
    Acked-by: Stanislav Kinsburskiy <skinsbursky at virtuozzo.com>
---
 kernel/ve/ve.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/kernel/ve/ve.c b/kernel/ve/ve.c
index df2c3d9..140f160 100644
--- a/kernel/ve/ve.c
+++ b/kernel/ve/ve.c
@@ -241,6 +241,9 @@ bool current_user_ns_initial(void)
 	struct ve_struct *ve = get_exec_env();
 	bool ret = false;
 
+	if (current_user_ns() == &init_user_ns)
+		return true;
+
 	rcu_read_lock();
 	if (ve->ve_ns && ve->init_cred->user_ns == current_user_ns())
 		ret = true;
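Review bot: the early `return true` inserted at the top of current_user_ns_initial() short-circuits before the `ve->ve_ns && ve->init_cred->user_ns == current_user_ns()` check, so any task whose user namespace is init_user_ns is now treated as being in an initial userns no matter which ve it executes in; that is what the commit message asks for (init_user_ns is the root of the hierarchy and upstream grants it everything), but a one-line comment above the new `if` stating that rationale would help later readers, since the rest of the function suggests the ve's init_cred is the only reference point. Minor: `current_user_ns()` is now evaluated twice in the function; caching it in a local before the first comparison would make it visible that both comparisons are against the same namespace and would also let `ve` be fetched only on the path that uses it.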
