[Devel] [PATCH RH9 07/13] ve/security: device_cgroup -- Allow manage devices in @pseudosuper state

Pavel Tikhomirov ptikhomirov at virtuozzo.com
Tue Sep 21 19:04:25 MSK 2021


From: Cyrill Gorcunov <gorcunov at virtuozzo.com>

When restoring containers with several disks it's more convenient
to mount the device first and then set up the permissions needed. So for this
sake we allow escaping device permission testing inside a VE only
if the @pseudosuper state is enabled.

https://jira.sw.ru/browse/PSBM-48421

CC: Vladimir Davydov <vdavydov at virtuozzo.com>
CC: Konstantin Khorenko <khorenko at virtuozzo.com>
CC: Andrey Vagin <avagin at openvz.org>
Signed-off-by: Cyrill Gorcunov <gorcunov at virtuozzo.com>

(cherry-picked from vz8 commit a3621548b561554887087b281d52c98e039ab593)
Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
---
 security/device_cgroup.c | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/security/device_cgroup.c b/security/device_cgroup.c
index 04375df52fc9..3591e7144df4 100644
--- a/security/device_cgroup.c
+++ b/security/device_cgroup.c
@@ -14,6 +14,7 @@
 #include <linux/slab.h>
 #include <linux/rcupdate.h>
 #include <linux/mutex.h>
+#include <linux/ve.h>
 
 #ifdef CONFIG_CGROUP_DEVICE
 
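Review bot: the new `#include <linux/ve.h>` is added unconditionally, while the only code that uses it (get_exec_env(), ve_is_super(), ve->is_pseudosuper) is wrapped in `#ifdef CONFIG_VE` in the second hunk. Either guard the include the same way or confirm that linux/ve.h is safe to include in non-VE builds, so the file still compiles with CONFIG_VE disabled.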
@@ -822,8 +823,24 @@ static int devcgroup_legacy_check_permission(short type, u32 major, u32 minor,
 				     minor, access);
 	rcu_read_unlock();
 
+#ifdef CONFIG_VE
+	/*
+	 * When restoring container allow everything in
+	 * pseudosuper state. We need this for early
+	 * mounting of second ploop device. Still, don't
+	 * change behaviour on the ve0.
+	 */
+	if (!rc) {
+		struct ve_struct *ve = get_exec_env();
+
+		if (!ve_is_super(ve) && ve->is_pseudosuper)
+			return 0;
+		return -EPERM;
+	}
+#else
 	if (!rc)
 		return -EPERM;
+#endif
 
 	return 0;
 }
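Review bot: the bypass turns a denied device-cgroup check into a silent success whenever `ve->is_pseudosuper` is set, with no audit message or rate-limited log, so a container in pseudosuper state effectively has device-cgroup isolation disabled for the duration of that state. Please document in the comment (or in the commit message) who may set is_pseudosuper and that it is cleared once restore completes, since the security of this path depends entirely on that lifecycle; a pr_info_ratelimited() on the `return 0;` branch would also make post-restore forensics easier. Also note the change is limited to devcgroup_legacy_check_permission(); confirm that no other permission-check path in this file needs the same treatment, otherwise restore will behave differently depending on which check path is taken. The `!ve_is_super(ve)` condition correctly keeps ve0 behaviour unchanged.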
-- 
2.31.1
