[Devel] [PATCH RHEL8 COMMIT] ve/time: introduce CT feature to allow setting date/time

Fri Jun 18 15:13:53 MSK 2021

The commit is pushed to "branch-rh8-4.18.0-240.1.1.vz8.5.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh8-4.18.0-240.1.1.vz8.5.45
------>
commit 298e5af1b37222242db49589977d9e8985e137eb
Author: Konstantin Khorenko <khorenko at virtuozzo.com>
Date:   Fri Jun 18 15:13:53 2021 +0300

    ve/time: introduce CT feature to allow setting date/time
    
    Sometimes people would like to run ntp server inside trusted Containers,
    so let's introduce an appropriate CT feature for that.
    
    Note: time is NOT vistualized, so Container changes date/time of the
    whole Node.
    
    https://jira.sw.ru/browse/PSBM-94635
    Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>
    
    https://jira.sw.ru/browse/PSBM-127846
    (cherry-picked from vz7 commit c6314aabd00d ("ve/time: introduce CT
    feature to allow setting date/time"))
    Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
---
 include/uapi/linux/vzcalluser.h | 1 +
 security/commoncap.c            | 4 +++-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/include/uapi/linux/vzcalluser.h b/include/uapi/linux/vzcalluser.h
index a7f7268bdd80..19270bc24595 100644
--- a/include/uapi/linux/vzcalluser.h
+++ b/include/uapi/linux/vzcalluser.h
@@ -45,6 +45,7 @@ struct vzctl_ve_configure {
 #define VE_FEATURE_IPGRE	(1ULL << 6)
 #define VE_FEATURE_BRIDGE	(1ULL << 7)
 #define VE_FEATURE_NFSD		(1ULL << 8)
+#define VE_FEATURE_TIME		(1ULL << 9)
 
 #define VE_FEATURES_OLD		(VE_FEATURE_SYSFS)
 #define VE_FEATURES_DEF		(VE_FEATURE_SYSFS | VE_FEATURE_DEF_PERMS)
diff --git a/security/commoncap.c b/security/commoncap.c
index 6c3eeb696a43..3ef9e72a8f4f 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -30,6 +30,8 @@
 #include <linux/binfmts.h>
 #include <linux/personality.h>
 
+#include <uapi/linux/vzcalluser.h>
+
 /*
  * If a non-root user executes a setuid-root binary in
  * !secure(SECURE_NOROOT) mode, then we raise capabilities.
@@ -115,7 +117,7 @@ int cap_capable(const struct cred *cred, struct user_namespace *targ_ns,
  */
 int cap_settime(const struct timespec64 *ts, const struct timezone *tz)
 {
-	if (!capable(CAP_SYS_TIME))
+	if (!feature_capable(VE_FEATURE_TIME, CAP_SYS_TIME))
 		return -EPERM;
 	return 0;
 }
