[Devel] [PATCH RH9 09/22] ve/fs: namespace -- Ignore device permissions during restore

Andrey Zhadchenko andrey.zhadchenko at virtuozzo.com
Thu Oct 7 13:57:33 MSK 2021


From: Cyrill Gorcunov <gorcunov at virtuozzo.com>

To support several storage backends (ploops) inside a container
we have hacks in libvzctl which set up "old" permissions when
the restore procedure is initiated. But the former idea was simply
to allow CRIU to do all the work and restore ploops mounts
on its own (since CRIU fetches all mount options and such).

For this sake we turn off mount options filtering provisionally
if @is_pseudosuper is set, and CRIU restores mounts as regular
ones.

https://jira.sw.ru/browse/PSBM-48188

Signed-off-by: Cyrill Gorcunov <gorcunov at virtuozzo.com>

CC: Igor Sukhih <igor at virtuozzo.com>
CC: Vladimir Davydov <vdavydov at virtuozzo.com>
CC: Konstantin Khorenko <khorenko at virtuozzo.com>

===========================================
VZ 8 rebase part https://jira.sw.ru/browse/PSBM-127782
vz7 commit: fde61cc ("ve/fs: namespace -- Ignore device permissions during
restore")

Signed-off-by: Alexander Mikhalitsyn <alexander.mikhalitsyn at virtuozzo.com>

+++
ve/devmnt: fix ignore device permissions for pseudosuper

Imagine we have
 1) ve->is_pseudosuper == true
 2) err returned from ve_devmnt_check == -EPERM
 3) remount == true

In this case ((ve->is_pseudosuper || !err) && !remount) == false, and
thus "err = ve_devmnt_insert" is not called, meaning that err remains
-EPERM, and ve_devmnt_process fails with -EPERM. It would be more logical
to just ignore the error from ve_devmnt_check, setting err to 0 as if
ve_devmnt_check passed with no error.

Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>

(cherry picked from vz8 commit 36402d1e135cdb29775ab67708bc021886baf19f)
Signed-off-by: Andrey Zhadchenko <andrey.zhadchenko at virtuozzo.com>
---
 fs/namespace.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/fs/namespace.c b/fs/namespace.c
index 7af19eb..cead63d 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -2730,6 +2730,13 @@ int ve_devmnt_process(struct ve_struct *ve, dev_t dev, void **data_pp, int remou
 	list_for_each_entry(devmnt, &ve->devmnt_list, link) {
 		if (devmnt->dev == dev) {
 			err = ve_devmnt_check(data, devmnt->allowed_options);
+			/*
+			 * In case of @is_pseudouser set, ie restore procedure,
+			 * we don't check for allowed options filtering, since
+			 * restore mode is special.
+			 */
+			if (ve->is_pseudosuper)
+				err = 0;
 
 			if (!err && !remount)
 				err = ve_devmnt_insert(data, devmnt->hidden_options);
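
Review bot: the unconditional `err = 0` under `if (ve->is_pseudosuper)` discards every result of ve_devmnt_check(), not only the -EPERM case the commit message walks through, so any other failure that call reports is also hidden while the flag is set. Either skip the call entirely (`if (!ve->is_pseudosuper) err = ve_devmnt_check(...)`) or clear only `-EPERM`, so the bypass is exactly as wide as intended. The new comment also names `@is_pseudouser` while the field tested is `ve->is_pseudosuper`; fix the name so it can be found by grep. Since this turns off the allowed_options filter for the container, the comment should say where is_pseudosuper is set and cleared, so a reader can confirm the bypass is limited to the restore window.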
-- 
1.8.3.1


