[Devel] [PATCH RHEL8 COMMIT] ve/capability: introduce capable() wrapper which honors CT features

Konstantin Khorenko khorenko at virtuozzo.com
Fri Jun 18 15:13:52 MSK 2021


The commit is pushed to "branch-rh8-4.18.0-240.1.1.vz8.5.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh8-4.18.0-240.1.1.vz8.5.45
------>
commit aaa64b8b7c4cfb29c11cb0a28d9f31559521a5ad
Author: Konstantin Khorenko <khorenko at virtuozzo.com>
Date:   Fri Jun 18 15:13:52 2021 +0300

    ve/capability: introduce capable() wrapper which honors CT features
    
    Containers might have special features which affect capabilities,
    so here is a wrapper for code simplicity.
    
    https://jira.sw.ru/browse/PSBM-94635
    
    Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>
    
    https://jira.sw.ru/browse/PSBM-127846
    (cherry-picked from vz7 commit b64e08cf6ea0 ("ve/capability: introduce
    capable() wrapper which honors CT features"))
    Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
---
 include/linux/capability.h |  1 +
 kernel/capability.c        | 13 +++++++++++++
 2 files changed, 14 insertions(+)

diff --git a/include/linux/capability.h b/include/linux/capability.h
index 20f4cc2f81d7..2cd6cc8ead53 100644
--- a/include/linux/capability.h
+++ b/include/linux/capability.h
@@ -243,6 +243,7 @@ static inline bool ns_capable_noaudit(struct user_namespace *ns, int cap)
 }
 #endif /* CONFIG_MULTIUSER */
 extern bool ve_capable(int cap);
+extern bool feature_capable(int feature, int cap);
 extern bool privileged_wrt_inode_uidgid(struct user_namespace *ns, const struct inode *inode);
 extern bool capable_wrt_inode_uidgid(const struct inode *inode, int cap);
 extern bool file_ns_capable(const struct file *file, struct user_namespace *ns, int cap);
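Review bot: the new `extern bool feature_capable(int feature, int cap);` declaration has no comment stating what `feature` is or how the two checks differ, unlike the existing `ve_capable()` it sits next to; a one-line comment above it saying that `feature` is a bit tested against the current VE's `features` mask and that the helper falls back to plain `capable(cap)` when the bit is clear would save callers a trip to kernel/capability.c.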
diff --git a/kernel/capability.c b/kernel/capability.c
index aefb33a090de..5f1c6cb2af07 100644
--- a/kernel/capability.c
+++ b/kernel/capability.c
@@ -417,11 +417,24 @@ bool ve_capable(int cap)
 
 	return ret;
 }
+
+bool feature_capable(int feature, int cap)
+{
+	if (get_exec_env()->features & feature)
+		return ve_capable(cap);
+	else
+		return capable(cap);
+}
 #else
 bool ve_capable(int cap)
 {
 	return capable(cap);
 }
+
+bool feature_capable(int feature, int cap)
+{
+	return capable(cap);
+}
 #endif
 EXPORT_SYMBOL_GPL(ve_capable);
 
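Review bot: `feature_capable()` is added next to `ve_capable()` but only the latter keeps its `EXPORT_SYMBOL_GPL(ve_capable);`, so the new wrapper cannot be used from modules; if that is intended, fine, otherwise add `EXPORT_SYMBOL_GPL(feature_capable);` after the existing export. Two smaller points in the `CONFIG_VE` branch: the `else` after `return ve_capable(cap);` is redundant (checkpatch flags "else is not generally useful after a return"), and `get_exec_env()->features` is dereferenced unconditionally, which is only safe if every caller runs in a task context where `get_exec_env()` is guaranteed non-NULL; a brief comment documenting that assumption would help reviewers of future call sites.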