[Devel] [PATCH RHEL7 COMMIT] ve/net/core: allow to call setsockopt(SO_RCVBUFFORCE) from Containers
Vasily Averin
vvs at virtuozzo.com
Tue Dec 15 12:30:04 MSK 2020
The commit is pushed to "branch-rh7-3.10.0-1160.6.1.vz7.171.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-1160.6.1.vz7.171.4
------>
commit bd3e846de350fcff5cfdcd6133adb7c610b3a4af
Author: Konstantin Khorenko <khorenko at virtuozzo.com>
Date: Tue Dec 15 12:30:04 2020 +0300
ve/net/core: allow to call setsockopt(SO_RCVBUFFORCE) from Containers
"nft" util (in CentOS 8 environment) does use setsockopt(SO_RCVBUFFORCE)
unconditionally, so we have to allow it from inside a Container.
At the same time we don't want to allow a Container to set too much
memory for a socket, so just threat SO_RCVBUFFORCE like SO_RCVBUF if
called inside a Container.
Simple rule to test:
# NFT=/usr/sbin/nft ./run-tests.sh -v -g testcases/nft-f/0011manydefines_0
which fails inside a Container because of not enough rcb buffer because
of failed
setsockopt(3, SOL_SOCKET, SO_RCVBUFFORCE, [10561584], 4) = -1
EPERM (Operation not permitted)
Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>
---
net/core/sock.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/net/core/sock.c b/net/core/sock.c
index 07ea42f..44e91c8 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -793,6 +793,7 @@ set_sndbuf:
goto set_sndbuf;
case SO_RCVBUF:
+unpriv_rcvbuf:
/* Don't error on this BSD doesn't and if you think
* about it this is right. Otherwise apps have to
* play 'guess the biggest size' games. RCVBUF/SNDBUF
@@ -824,11 +825,15 @@ set_rcvbuf:
break;
case SO_RCVBUFFORCE:
- if (!capable(CAP_NET_ADMIN)) {
+ if (!ve_capable(CAP_NET_ADMIN)) {
ret = -EPERM;
break;
}
+ /* nft utility uses this sockopt in CentOS 8 env */
+ if (!ve_is_super(get_exec_env()))
+ goto unpriv_rcvbuf;
+
/* No negative values (to prevent underflow, as val will be
* multiplied by 2).
*/
More information about the Devel
mailing list