[Devel] [PATCH RH9 23/28] ve/capability: introduce capable() wrapper which honors CT features
Andrey Zhadchenko
andrey.zhadchenko at virtuozzo.com
Thu Oct 14 13:33:31 MSK 2021
From: Konstantin Khorenko <khorenko at virtuozzo.com>
Containers might have special features which affect capabilities,
so here is a wrapper for code simplicity.
https://jira.sw.ru/browse/PSBM-94635
Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>
https://jira.sw.ru/browse/PSBM-127846
(cherry-picked from vz7 commit b64e08cf6ea0 ("ve/capability: introduce
capable() wrapper which honors CT features"))
Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
(cherry picked from vz8 commit 0c6787703b466480564e5b841c1a28c35f376218)
Signed-off-by: Andrey Zhadchenko <andrey.zhadchenko at virtuozzo.com>
---
include/linux/capability.h | 1 +
kernel/capability.c | 12 ++++++++++++
2 files changed, 13 insertions(+)
diff --git a/include/linux/capability.h b/include/linux/capability.h
index 7761f5c..3986e57 100644
--- a/include/linux/capability.h
+++ b/include/linux/capability.h
@@ -254,6 +254,7 @@ bool privileged_wrt_inode_uidgid(struct user_namespace *ns,
bool capable_wrt_inode_uidgid(struct user_namespace *mnt_userns,
const struct inode *inode, int cap);
extern bool ve_capable(int cap);
+extern bool feature_capable(int feature, int cap);
extern bool file_ns_capable(const struct file *file, struct user_namespace *ns, int cap);
extern bool ptracer_capable(struct task_struct *tsk, struct user_namespace *ns);
static inline bool perfmon_capable(void)
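Review bot: the declaration added on the `+extern bool feature_capable(int feature, int cap);` line carries no comment, and the header is where most callers will look, so it is not obvious here what `feature` is or which of the two existing checks the wrapper resolves to. A one-line kernel-doc above the prototype stating that `feature` is a bit of the container's features mask, and that the call falls through to ve_capable() when the container has that feature and to capable() otherwise, would make the intended semantics visible without reading kernel/capability.c.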
diff --git a/kernel/capability.c b/kernel/capability.c
index 318ffb8..ac990f4 100644
--- a/kernel/capability.c
+++ b/kernel/capability.c
@@ -433,6 +433,13 @@ bool ve_capable_noaudit(int cap)
return ret;
}
+bool feature_capable(int feature, int cap)
+{
+ if (get_exec_env()->features & feature)
+ return ve_capable(cap);
+ else
+ return capable(cap);
+}
#else
bool ve_capable(int cap)
{
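Review bot: the new feature_capable() body deserves a comment on why the unset case is the restrictive one: when `get_exec_env()->features & feature` is zero the check goes through capable(), which tests the caller against the host capability set, so a container task that only holds capabilities inside its own namespace is denied; only when the feature bit is granted does the narrower, container-scoped ve_capable() decide. Something like `/* feature not granted to this CT: require the host capability */` above the `else` documents that. Two smaller points on the same lines: the `if`/`else` around two `return` statements can be written as a single `return (...) ? ve_capable(cap) : capable(cap);`, and the function dereferences get_exec_env() unconditionally, so please confirm it follows the same convention as the neighbouring ve_capable()/ve_capable_noaudit() for callers that run without a container context.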
@@ -443,6 +450,11 @@ bool ve_capable_noaudit(int cap)
{
return ns_capable_noaudit(&init_user_ns, cap);
}
+
+bool feature_capable(int feature, int cap)
+{
+ return capable(cap);
+}
#endif
EXPORT_SYMBOL_GPL(ve_capable);
EXPORT_SYMBOL_GPL(ve_capable_noaudit);
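Review bot: feature_capable() is added in both branches of the #ifdef but gets no export next to the `EXPORT_SYMBOL_GPL(ve_capable);` and `EXPORT_SYMBOL_GPL(ve_capable_noaudit);` lines that close this hunk, so modular code can reach ve_capable() but not the new wrapper built on top of it. If any of the later patches in this series call feature_capable() from module code, an `EXPORT_SYMBOL_GPL(feature_capable);` after those two lines is needed; if all callers are built-in, a short note in the commit message that the symbol is intentionally kept unexported would avoid the question.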
--
1.8.3.1