[Devel] [PATCH RHEL8 COMMIT] ve/net/core: allow to call setsockopt(SO_SNDBUFFORCE) from Containers

Konstantin Khorenko khorenko at virtuozzo.com
Fri Nov 6 19:07:44 MSK 2020


The commit is pushed to "work" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh8-4.18.0-193.6.3.vz8.4.16
------>
commit 87fdad3c1e3568f3ac26a65839bdc90409a22cdc
Author: Konstantin Khorenko <khorenko at virtuozzo.com>
Date:   Thu Oct 24 12:53:36 2019 +0300

    ve/net/core: allow to call setsockopt(SO_SNDBUFFORCE) from Containers
    
    "nft" util (in CentOS 8 environment) does use setsockopt(SO_SNDBUFFORCE)
    unconditionally, so we have to allow it from inside a Container.
    
    At the same time we don't want to allow a Container to set too much
    memory for a socket, so just treat SO_SNDBUFFORCE like SO_SNDBUF if
    called inside a Container.
    
    Simple rule to test:
     # nft add rule filter INPUT ct state related,established accept
    
    https://jira.sw.ru/browse/PSBM-98794
    
    Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>
    Acked-by: Andrey Ryabinin <aryabinin at virtuozzo.com>
    
    (cherry picked from vz7 commit 8f3567b1f4af7d33c15856ae402ef2025909fd14)
    Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>
---
 net/core/sock.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/net/core/sock.c b/net/core/sock.c
index e493bde5a958..5a30c0f694dc 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -750,6 +750,7 @@ int sock_setsockopt(struct socket *sock, int level, int optname,
 		sock_valbool_flag(sk, SOCK_BROADCAST, valbool);
 		break;
 	case SO_SNDBUF:
+unpriv_sndbuf:
 		/* Don't error on this BSD doesn't and if you think
 		 * about it this is right. Otherwise apps have to
 		 * play 'guess the biggest size' games. RCVBUF/SNDBUF
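Review bot: the new `unpriv_sndbuf:` label carries no comment saying who jumps to it, so a reader of the SO_SNDBUF case alone cannot tell why a label sits between `case SO_SNDBUF:` and the BSD comment; it is only meaningful together with the `goto` in the SO_SNDBUFFORCE case further down. Suggest a one-line comment above the label, e.g. `/* SO_SNDBUFFORCE from inside a Container lands here and gets the SO_SNDBUF limit */`, and consider placing the label after the comment block so it marks the start of the clamping code instead of splitting the case from its explanation.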
@@ -768,11 +769,15 @@ int sock_setsockopt(struct socket *sock, int level, int optname,
 		break;
 
 	case SO_SNDBUFFORCE:
-		if (!capable(CAP_NET_ADMIN)) {
+		if (!ve_capable(CAP_NET_ADMIN)) {
 			ret = -EPERM;
 			break;
 		}
 
+		/* nft utility uses this sockopt in CentOS 8 env */
+		if (!ve_is_super(get_exec_env()))
+			goto unpriv_sndbuf;
+
 		/* No negative values (to prevent underflow, as val will be
 		 * multiplied by 2).
 		 */

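Review bot: inside a Container the capability gate and the fallback do not agree: a Container process without CAP_NET_ADMIN still gets -EPERM from SO_SNDBUFFORCE, while one that has it is sent to the SO_SNDBUF path, which is exactly what the unprivileged caller could have obtained with plain SO_SNDBUF. Either apply the `ve_capable` check only for the super VE, or state in the comment that SO_SNDBUFFORCE stays privileged inside a Container even though it buys nothing beyond SO_SNDBUF. The `goto unpriv_sndbuf` also jumps past the "No negative values" check that follows it, so the SO_SNDBUF path has to reject or clamp a negative `val` on its own; that is worth saying at the goto. Finally, `/* nft utility uses this sockopt in CentOS 8 env */` only gives the motivation; replace it with a comment that states the effect, e.g. `/* Inside a Container treat SO_SNDBUFFORCE as SO_SNDBUF: nft calls it unconditionally, but a Container must not bypass the sndbuf limit */`.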
