[Devel] [PATCH RH9 25/33] ve/block: add ve_capable to check capabilities relative to the current VE
Andrey Zhadchenko
andrey.zhadchenko at virtuozzo.com
Thu Sep 23 22:08:28 MSK 2021
From: Stanislav Kinsburskiy <skinsbursky at virtuozzo.com>
We want to allow a few operations in VE. Currently we use nsown_capable,
but it's wrong, because in this case we allow these operations in any
user namespace.
https://jira.sw.ru/browse/PSBM-39077
Signed-off-by: Andrew Vagin <avagin at virtuozzo.com>
Signed-off-by: Stanislav Kinsburskiy <skinsbursky at virtuozzo.com>
(cherry picked from vz8 commit 1fc32ea21100b02b6d046bb60aa938ce04b41f0d)
Signed-off-by: Andrey Zhadchenko <andrey.zhadchenko at virtuozzo.com>
---
block/ioprio.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/block/ioprio.c b/block/ioprio.c
index bee628f..06b1b03 100644
--- a/block/ioprio.c
+++ b/block/ioprio.c
@@ -42,7 +42,7 @@ int set_task_ioprio(struct task_struct *task, int ioprio)
rcu_read_lock();
tcred = __task_cred(task);
if (!uid_eq(tcred->uid, cred->euid) &&
- !uid_eq(tcred->uid, cred->uid) && !capable(CAP_SYS_NICE)) {
+ !uid_eq(tcred->uid, cred->uid) && !ve_capable(CAP_SYS_NICE)) {
rcu_read_unlock();
return -EPERM;
}
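Review bot: in set_task_ioprio() the call being replaced is `capable(CAP_SYS_NICE)`, not the nsown_capable that the commit message names, so against this tree the change widens the check (capable() tests against the initial user namespace) rather than narrowing it, and the message should say so. The capability is also tested for the caller only: nothing in this hunk ties `task` to the caller's VE, so either point to where the task lookup guarantees that the target is in the same VE, or add that check before `!ve_capable(CAP_SYS_NICE)` is allowed to override the two uid_eq() comparisons.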
@@ -69,7 +69,7 @@ int ioprio_check_cap(int ioprio)
switch (class) {
case IOPRIO_CLASS_RT:
- if (!capable(CAP_SYS_NICE) && !capable(CAP_SYS_ADMIN))
+ if (!ve_capable(CAP_SYS_NICE) && !ve_capable(CAP_SYS_ADMIN))
return -EPERM;
fallthrough;
/* rt has prio field too */
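Review bot: the IOPRIO_CLASS_RT case in ioprio_check_cap() now passes for a task that holds CAP_SYS_NICE or CAP_SYS_ADMIN relative to its VE, and the commit message gives no reason why the real-time I/O class belongs to the "few operations" that are safe to hand to a container. Please state that reasoning in the message or in a comment above the check. Separately, the subject says ve_capable is being added, but the diffstat touches only block/ioprio.c, so the patch that defines ve_capable should be named as a dependency.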
--
1.8.3.1