[Devel] [PATCH RH9 24/28] ve/time: introduce CT feature to allow setting date/time
Andrey Zhadchenko
andrey.zhadchenko at virtuozzo.com
Thu Oct 14 13:33:32 MSK 2021
From: Konstantin Khorenko <khorenko at virtuozzo.com>
Sometimes people would like to run an ntp server inside trusted Containers,
so let's introduce an appropriate CT feature for that.
Note: time is NOT virtualized, so the Container changes date/time of the
whole Node.
https://jira.sw.ru/browse/PSBM-94635
Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>
https://jira.sw.ru/browse/PSBM-127846
(cherry-picked from vz7 commit c6314aabd00d ("ve/time: introduce CT
feature to allow setting date/time"))
Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
(cherry picked from vz8 commit c915b90b9db1eac28557fb0eadc4af2b9cb49c36)
Signed-off-by: Andrey Zhadchenko <andrey.zhadchenko at virtuozzo.com>
---
include/uapi/linux/vzcalluser.h | 1 +
security/commoncap.c | 4 +++-
2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/include/uapi/linux/vzcalluser.h b/include/uapi/linux/vzcalluser.h
index 282b2b8..b04594d 100644
--- a/include/uapi/linux/vzcalluser.h
+++ b/include/uapi/linux/vzcalluser.h
@@ -47,6 +47,7 @@ struct vzctl_ve_configure {
#define VE_FEATURE_IPGRE (1ULL << 6)
#define VE_FEATURE_BRIDGE (1ULL << 7)
#define VE_FEATURE_NFSD (1ULL << 8)
+#define VE_FEATURE_TIME (1ULL << 9)
#define VE_FEATURES_OLD (VE_FEATURE_SYSFS)
#define VE_FEATURES_DEF (VE_FEATURE_SYSFS | VE_FEATURE_DEF_PERMS)
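Review bot: VE_FEATURE_TIME (bit 9) is added to a uapi header but nothing in the hunk documents that enabling it is node-wide in effect; since the commit message states time is not virtualized and a Container with this feature sets the date/time of the whole Node, that warrants a comment on the new line, e.g. `/* CT may set the Node's date/time (time is not virtualized) */`, so userspace tooling authors see it next to the flag. VE_FEATURES_DEF is left unchanged, so the feature is off by default, which matches the "trusted Containers" intent; worth stating explicitly in the commit message that this is deliberate. As this is an ABI value, also confirm bit 9 is not already claimed by any other VE_FEATURE_* definition outside the shown context.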
diff --git a/security/commoncap.c b/security/commoncap.c
index ae3799a..661ca91 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -25,6 +25,8 @@
#include <linux/binfmts.h>
#include <linux/personality.h>
+#include <uapi/linux/vzcalluser.h>
+
/*
* If a non-root user executes a setuid-root binary in
* !secure(SECURE_NOROOT) mode, then we raise capabilities.
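Review bot: the new include only brings in the VE_FEATURE_TIME constant; feature_capable(), which the second hunk calls, is not declared by this header as far as the diff shows, so verify that its declaring header is already reachable from security/commoncap.c and that a stub exists for builds without CONFIG_VE, otherwise cap_settime() fails to compile in that configuration. Style-wise, commoncap.c includes kernel headers as <linux/...>; pulling a uapi/ path directly into core security code is unusual, so if a kernel-side wrapper header for vzcalluser.h exists it should be preferred.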
@@ -110,7 +112,7 @@ int cap_capable(const struct cred *cred, struct user_namespace *targ_ns,
*/
int cap_settime(const struct timespec64 *ts, const struct timezone *tz)
{
- if (!capable(CAP_SYS_TIME))
+ if (!feature_capable(VE_FEATURE_TIME, CAP_SYS_TIME))
return -EPERM;
return 0;
}
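Review bot: the comment block that precedes cap_settime() (closed by the `*/` at the top of this hunk) is not updated, yet the semantics of the check change from plain CAP_SYS_TIME to "CAP_SYS_TIME and the Container has VE_FEATURE_TIME enabled"; document that here, including the node-wide effect stated in the commit message, since this is the one place a future reader of cap_settime() will look. Functionally, cap_settime() is reached via the settime LSM hook from settimeofday()/clock_settime(); an NTP daemon, which is the stated use case, also relies on adjtimex(), whose own CAP_SYS_TIME check is not part of this diff, so confirm either that adjtimex() inside a CT is already denied by the capability layer or that it is gated by the same feature, otherwise the feature flag does not fully describe what a Container can and cannot do to the Node clock.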
--
1.8.3.1