[Devel] [PATCH RH9 07/13] ve/security: device_cgroup -- Allow manage devices in @pseudosuper state
Pavel Tikhomirov
ptikhomirov at virtuozzo.com
Tue Sep 21 19:04:25 MSK 2021
From: Cyrill Gorcunov <gorcunov at virtuozzo.com>
When restoring containers with several disks it's more convenient
to mount device first and the setup permissions needed. So for this
sake we allow to escape device permissions testing inside VE only
if @pseudosuper state enabled.
https://jira.sw.ru/browse/PSBM-48421
CC: Vladimir Davydov <vdavydov at virtuozzo.com>
CC: Konstantin Khorenko <khorenko at virtuozzo.com>
CC: Andrey Vagin <avagin at openvz.org>
Signed-off-by: Cyrill Gorcunov <gorcunov at virtuozzo.com>
(cherry-picked from vz8 commit a3621548b561554887087b281d52c98e039ab593)
Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
---
security/device_cgroup.c | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/security/device_cgroup.c b/security/device_cgroup.c
index 04375df52fc9..3591e7144df4 100644
--- a/security/device_cgroup.c
+++ b/security/device_cgroup.c
@@ -14,6 +14,7 @@
#include <linux/slab.h>
#include <linux/rcupdate.h>
#include <linux/mutex.h>
+#include <linux/ve.h>
#ifdef CONFIG_CGROUP_DEVICE
@@ -822,8 +823,24 @@ static int devcgroup_legacy_check_permission(short type, u32 major, u32 minor,
minor, access);
rcu_read_unlock();
+#ifdef CONFIG_VE
+ /*
+ * When restoring container allow everything in
+ * pseudosuper state. We need this for early
+ * mounting of second ploop device. Still, don't
+ * change behaviour on the ve0.
+ */
+ if (!rc) {
+ struct ve_struct *ve = get_exec_env();
+
+ if (!ve_is_super(ve) && ve->is_pseudosuper)
+ return 0;
+ return -EPERM;
+ }
+#else
if (!rc)
return -EPERM;
+#endif
return 0;
}
--
2.31.1
More information about the Devel
mailing list