[Devel] [PATCH RHEL COMMIT] ve/net/cred: add ve_capable to check capabilities relative to the current VE (v2)

Konstantin Khorenko khorenko at virtuozzo.com
Fri Sep 24 14:50:18 MSK 2021


The commit is pushed to "branch-rh9-5.14.vz9.1.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after ark-5.14
------>
commit b84cc03cec2de1babfabd494620e6dfbc3aec24b
Author: Konstantin Khorenko <khorenko at virtuozzo.com>
Date:   Fri Sep 24 14:50:17 2021 +0300

    ve/net/cred: add ve_capable to check capabilities relative to the current VE (v2)
    
    We want to allow a few operations in VE. Currently we use nsown_capable,
    but it's wrong, because in this case we allow these operations in any
    user namespace.
    
    v2: take ve0->cred if the current ve isn't running
    
    https://jira.sw.ru/browse/PSBM-39077
    
    Signed-off-by: Andrew Vagin <avagin at virtuozzo.com>
    
    https://jira.sw.ru/browse/PSBM-133986
    
    (cherry picked from commit 995390f5a1b3a377d27c59a28e0c5c613d01fc46)
    Signed-off-by: Alexander Mikhalitsyn <alexander.mikhalitsyn at virtuozzo.com>
---
 net/ipv6/sit.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c
index 9344ba77d0df..bf12540bbd6a 100644
--- a/net/ipv6/sit.c
+++ b/net/ipv6/sit.c
@@ -326,7 +326,7 @@ static int ipip6_tunnel_get_prl(struct net_device *dev, struct ifreq *ifr)
 	/* For simple GET or for root users,
 	 * we try harder to allocate.
 	 */
-	kp = (cmax <= 1 || capable(CAP_NET_ADMIN)) ?
+	kp = (cmax <= 1 || ve_capable(CAP_NET_ADMIN)) ?
 		kcalloc(cmax, sizeof(*kp), GFP_KERNEL | __GFP_NOWARN) :
 		NULL;
 
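Review bot: the `ve_capable(CAP_NET_ADMIN)` test in ipip6_tunnel_get_prl() now lets a task holding CAP_NET_ADMIN relative to its VE reach the `kcalloc(cmax, sizeof(*kp), GFP_KERNEL | __GFP_NOWARN)` branch for cmax > 1, which previously required capable() against the initial user namespace, and that allocation is made without __GFP_ACCOUNT. Please confirm that cmax is bounded before this point (the bound is not visible in the hunk) and consider GFP_KERNEL_ACCOUNT so the buffer is charged to the container's memory cgroup. Two documentation points: the commit message says the existing check is nsown_capable, but the line removed here is capable(CAP_NET_ADMIN), and the diffstat touches only net/ipv6/sit.c, so the ve_capable definition that the subject says is added is not in this patch; the message should name the commit that provides it. The comment above the changed line still reads "for root users" and should say that this now means root within the VE.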

