[Devel] [PATCH RH7 1/2] ve/sysctl/net: move and rename *_hide_sysctl to ve.c
Pavel Tikhomirov
ptikhomirov at virtuozzo.com
Wed Mar 22 09:30:01 PDT 2017
Make it general for all net sysctls; it will be used in the next patch.
https://jira.sw.ru/browse/PSBM-54530
Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
---
include/linux/ve.h | 2 ++
include/net/netfilter/nf_conntrack_core.h | 2 --
kernel/ve/ve.c | 16 ++++++++++++++++
net/netfilter/nf_conntrack_acct.c | 2 +-
net/netfilter/nf_conntrack_ecache.c | 2 +-
net/netfilter/nf_conntrack_standalone.c | 24 ++----------------------
6 files changed, 22 insertions(+), 26 deletions(-)
diff --git a/include/linux/ve.h b/include/linux/ve.h
index 708c6d3..2d8eca6 100644
--- a/include/linux/ve.h
+++ b/include/linux/ve.h
@@ -219,6 +219,8 @@ void ve_exit_ns(struct pid_namespace *ns);
extern bool current_user_ns_initial(void);
struct user_namespace *ve_init_user_ns(void);
+int ve_net_hide_sysctl(struct net *net);
+
#ifdef CONFIG_TTY
#define MAX_NR_VTTY_CONSOLES (12)
extern struct tty_driver *vtty_driver(dev_t dev, int *index);
diff --git a/include/net/netfilter/nf_conntrack_core.h b/include/net/netfilter/nf_conntrack_core.h
index c029b52..879b7ab 100644
--- a/include/net/netfilter/nf_conntrack_core.h
+++ b/include/net/netfilter/nf_conntrack_core.h
@@ -39,8 +39,6 @@ void nf_conntrack_cleanup_start(void);
void nf_conntrack_init_end(void);
void nf_conntrack_cleanup_end(void);
-int nf_conntrack_hide_sysctl(struct net *net);
-
bool nf_ct_get_tuple(const struct sk_buff *skb, unsigned int nhoff,
unsigned int dataoff, u_int16_t l3num, u_int8_t protonum,
struct nf_conntrack_tuple *tuple,
diff --git a/kernel/ve/ve.c b/kernel/ve/ve.c
index a17b048..d6bd70d 100644
--- a/kernel/ve/ve.c
+++ b/kernel/ve/ve.c
@@ -259,6 +259,22 @@ struct user_namespace *ve_init_user_ns(void)
}
EXPORT_SYMBOL(ve_init_user_ns);
+int ve_net_hide_sysctl(struct net *net)
+{
+ /*
+ * This can happen only on VE creation, when process created VE cgroup,
+ * and clones a child with new network namespace.
+ */
+ if (net->owner_ve->init_cred == NULL)
+ return 0;
+
+ /*
+ * Expose sysctl only for container's init user namespace
+ */
+ return net->user_ns != net->owner_ve->init_cred->user_ns;
+}
+EXPORT_SYMBOL(ve_net_hide_sysctl);
+
int nr_threads_ve(struct ve_struct *ve)
{
return cgroup_task_count(ve->css.cgroup);
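Review bot: ve_net_hide_sysctl becomes an exported helper meant for every net sysctl, yet the hunk adds no comment stating its return contract, and the existing comment `Expose sysctl only for container's init user namespace` sits on a return expression that is true when the entry must be hidden, which is easy to misread for a caller who only sees the header. A kernel-doc block above the function should state that a non-zero return means the caller must hide the entry (the conntrack callers in this patch do so by setting `table[0].procname = NULL`), that the comparison is against the owning VE's init_cred user namespace so a netns owned by any other user namespace, including one created inside the container, is hidden as well, and that the early `return 0` while init_cred is still NULL deliberately exposes the entry during VE creation. I would also reword the second comment to `Hide the sysctl unless the netns is owned by the container's init user namespace`. Whether net->owner_ve can be NULL for a netns reaching this path is not visible here; if it can, that dereference lacks a check.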
diff --git a/net/netfilter/nf_conntrack_acct.c b/net/netfilter/nf_conntrack_acct.c
index e35af92..363866f 100644
--- a/net/netfilter/nf_conntrack_acct.c
+++ b/net/netfilter/nf_conntrack_acct.c
@@ -71,7 +71,7 @@ static int nf_conntrack_acct_init_sysctl(struct net *net)
table[0].data = &net->ct.sysctl_acct;
/* Don't export sysctls to unprivileged users */
- if (nf_conntrack_hide_sysctl(net))
+ if (ve_net_hide_sysctl(net))
table[0].procname = NULL;
net->ct.acct_sysctl_header = register_net_sysctl(net, "net/netfilter",
diff --git a/net/netfilter/nf_conntrack_ecache.c b/net/netfilter/nf_conntrack_ecache.c
index c605daa..a82b7f7 100644
--- a/net/netfilter/nf_conntrack_ecache.c
+++ b/net/netfilter/nf_conntrack_ecache.c
@@ -199,7 +199,7 @@ static int nf_conntrack_event_init_sysctl(struct net *net)
table[1].data = &net->ct.sysctl_events_retry_timeout;
/* Don't export sysctls to unprivileged users */
- if (nf_conntrack_hide_sysctl(net))
+ if (ve_net_hide_sysctl(net))
table[0].procname = NULL;
net->ct.event_sysctl_header =
diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c
index 7d95af8..871e6ff 100644
--- a/net/netfilter/nf_conntrack_standalone.c
+++ b/net/netfilter/nf_conntrack_standalone.c
@@ -505,21 +505,6 @@ static struct ctl_table nf_ct_netfilter_table[] = {
static int zero;
-int nf_conntrack_hide_sysctl(struct net *net)
-{
- /*
- * This can happen only on VE creation, when process created VE cgroup,
- * and clones a child with new network namespace.
- */
- if (net->owner_ve->init_cred == NULL)
- return 0;
-
- /*
- * Expose sysctl only for container's init user namespace
- */
- return net->user_ns != net->owner_ve->init_cred->user_ns;
-}
-
static int nf_conntrack_netfilter_init_sysctl(struct net *net)
{
struct ctl_table *table;
@@ -532,7 +517,7 @@ static int nf_conntrack_netfilter_init_sysctl(struct net *net)
table[0].data = &net->ct.max;
/* Don't export sysctls to unprivileged users */
- if (nf_conntrack_hide_sysctl(net))
+ if (ve_net_hide_sysctl(net))
table[0].procname = NULL;
net->ct.netfilter_header = register_net_sysctl(net, "net", table);
@@ -573,7 +558,7 @@ static int nf_conntrack_standalone_init_sysctl(struct net *net)
table[5].data = &net->ct.expect_max;
/* Don't export sysctls to unprivileged users */
- if (nf_conntrack_hide_sysctl(net))
+ if (ve_net_hide_sysctl(net))
table[0].procname = NULL;
if (!net_eq(net, &init_net)) {
@@ -603,11 +588,6 @@ static void nf_conntrack_standalone_fini_sysctl(struct net *net)
kfree(table);
}
#else
-int nf_conntrack_hide_sysctl(struct net *net)
-{
- return 0;
-}
-
static int nf_conntrack_netfilter_init_sysctl(struct net *net)
{
return 0;
--
2.9.3