[Devel] [PATCH RHEL COMMIT] ve/block: add ve_capable to check capabilities relative to the current VE

Konstantin Khorenko khorenko at virtuozzo.com
Fri Sep 24 15:48:49 MSK 2021


The commit is pushed to "branch-rh9-5.14.vz9.1.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after ark-5.14
------>
commit f38f891e2f30fbdc07907bd08d323c65600dd793
Author: Stanislav Kinsburskiy <skinsbursky at virtuozzo.com>
Date:   Fri Sep 24 15:48:48 2021 +0300

    ve/block: add ve_capable to check capabilities relative to the current VE
    
    We want to allow a few operations in VE. Currently we use nsown_capable,
    but it's wrong, because in this case we allow these operations in any
    user namespace.
    
    https://jira.sw.ru/browse/PSBM-39077
    
    Signed-off-by: Andrew Vagin <avagin at virtuozzo.com>
    
    Signed-off-by: Stanislav Kinsburskiy <skinsbursky at virtuozzo.com>
    
    (cherry picked from vz8 commit 1fc32ea21100b02b6d046bb60aa938ce04b41f0d)
    Signed-off-by: Andrey Zhadchenko <andrey.zhadchenko at virtuozzo.com>
---
 block/ioprio.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/block/ioprio.c b/block/ioprio.c
index bee628f9f1b2..06b1b0303392 100644
--- a/block/ioprio.c
+++ b/block/ioprio.c
@@ -42,7 +42,7 @@ int set_task_ioprio(struct task_struct *task, int ioprio)
 	rcu_read_lock();
 	tcred = __task_cred(task);
 	if (!uid_eq(tcred->uid, cred->euid) &&
-	    !uid_eq(tcred->uid, cred->uid) && !capable(CAP_SYS_NICE)) {
+	    !uid_eq(tcred->uid, cred->uid) && !ve_capable(CAP_SYS_NICE)) {
 		rcu_read_unlock();
 		return -EPERM;
 	}
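Review bot: In set_task_ioprio(), the relaxed `!ve_capable(CAP_SYS_NICE)` test is evaluated for the caller, and nothing in this hunk shows that `task` belongs to the caller's VE. The uid_eq() comparisons only cover the same-uid case, so on the capability path the reach is whatever tasks the caller was able to look up. If the callers already guarantee that the target is in the same VE, a short comment above the condition saying so would make that explicit. Otherwise an explicit same-VE check belongs here before the VE-local capability is accepted. Separately, the commit message says the current code uses nsown_capable, while the removed line calls capable(CAP_SYS_NICE). The message should describe the change as it appears in this tree, a move from capable() to ve_capable().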
@@ -69,7 +69,7 @@ int ioprio_check_cap(int ioprio)
 
 	switch (class) {
 		case IOPRIO_CLASS_RT:
-			if (!capable(CAP_SYS_NICE) && !capable(CAP_SYS_ADMIN))
+			if (!ve_capable(CAP_SYS_NICE) && !ve_capable(CAP_SYS_ADMIN))
 				return -EPERM;
 			fallthrough;
 			/* rt has prio field too */
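Review bot: In ioprio_check_cap(), the IOPRIO_CLASS_RT case now passes with VE-local CAP_SYS_NICE or CAP_SYS_ADMIN, and neither the commit message nor the code states why handing the realtime I/O class to a container is acceptable. The message speaks only of "a few operations". Please name this one and say what bounds the effect of RT-class I/O issued from inside a VE on other VEs and on the host, either in the message or in a comment next to the check. Because of the `fallthrough`, the same relaxed gate also covers the path into the following case, so the comment should make clear that this is intended.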

