[Devel] [PATCH RHEL7 COMMIT] ve/net/netfilter/core: Don't allow container to crash the kernel.

Konstantin Khorenko khorenko at virtuozzo.com
Tue Oct 15 18:54:57 MSK 2019


The commit is pushed to "branch-rh7-3.10.0-1062.1.2.vz7.114.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-1062.1.2.vz7.114.5
------>
commit ff6496ddc93042cf391b4ea039c9358bff019c4e
Author: Andrey Ryabinin <aryabinin at virtuozzo.com>
Date:   Tue Oct 15 18:54:55 2019 +0300

    ve/net/netfilter/core: Don't allow container to crash the kernel.
    
    The expression BUG_ON(!ve_is_super(get_exec_env())); basically
    says that we allow crashing the kernel if we are in a container.
    This doesn't make any sense, remove this idiocy.
    
    https://jira.sw.ru/browse/PSBM-98211
    Signed-off-by: Andrey Ryabinin <aryabinin at virtuozzo.com>
---
 net/netfilter/core.c | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/net/netfilter/core.c b/net/netfilter/core.c
index 4406dc135f42..e149910a5a2a 100644
--- a/net/netfilter/core.c
+++ b/net/netfilter/core.c
@@ -74,8 +74,6 @@ int nf_register_hook(struct nf_hook_ops *reg)
 	struct nf_hook_ops *elem;
 	int err;
 
-	BUG_ON(!ve_is_super(get_exec_env()));
-
 	err = mutex_lock_interruptible(&nf_hook_mutex);
 	if (err < 0)
 		return err;
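Review bot: Dropping the BUG_ON at the top of nf_register_hook() removes the only guard against a non-super VE registering a netfilter hook, and the hunk puts nothing in its place, so a container-context caller now proceeds straight to mutex_lock_interruptible() and registration. If the restriction is still wanted, a non-fatal check (for example `if (!ve_is_super(get_exec_env())) return -EPERM;` before the lock, since this function already returns an error code) would keep it without the crash; if every caller is known to be host-only, the commit message should say so, because as written it only explains why the BUG_ON is wrong, not whether the check itself is unnecessary.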
@@ -94,8 +92,6 @@ EXPORT_SYMBOL(nf_register_hook);
 
 void nf_unregister_hook(struct nf_hook_ops *reg)
 {
-	BUG_ON(!ve_is_super(get_exec_env()));
-
 	mutex_lock(&nf_hook_mutex);
 	list_del_rcu(&reg->list);
 	mutex_unlock(&nf_hook_mutex);
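Review bot: The same removal in nf_unregister_hook() is consistent with the first hunk, but note that this function returns void, so unlike nf_register_hook() there is no way to report a refused call here; if a guard is kept in the register path, the unregister path can only mirror it with a warning (e.g. WARN_ON_ONCE) rather than an error return. Either both hooks should keep a non-fatal check or neither should, and the commit message should state which.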
