[Devel] [PATCH RH9 07/16] introduce ve_net_hide_sysctl helper

Pavel Tikhomirov ptikhomirov at virtuozzo.com
Tue Sep 28 15:40:57 MSK 2021 

From: Stanislav Kinsburskiy <skinsbursky at virtuozzo.com>

This will be used to check if we need to hide per-net sysctls.

Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>

+++
ve/sysctl/nf_conntrack: allow expose of priviledged sysctl inside containers

Series:
This series brings to vz7 all the nf_conntrack sysctl's,
which are available in vz6.

https://jira.sw.ru/browse/PSBM-40044

Signed-off-by: Stanislav Kinsburskiy <skinsbursky at virtuozzo.com>
Reviewed-by: Kirill Tkhai <ktkhai at virtuozzo.com>

+++
ve/nf_conntrack: export nf_conntrack_hide_sysctl() helper

From: Stanislav Kinsburskiy <skinsbursky at virtuozzo.com>

Series:
This series brings to vz7 all the nf_conntrack sysctl's,
which are available in vz6.

https://jira.sw.ru/browse/PSBM-40044

Will be used for other tables

Signed-off-by: Stanislav Kinsburskiy <skinsbursky at virtuozzo.com>
Reviewed-by: Kirill Tkhai <ktkhai at virtuozzo.com>

+++
ve/sysctl/net: move and rename *_hide_sysctl helper to ve.c

Make it general for all net sysctls, will be use in next patch.

https://jira.sw.ru/browse/PSBM-54530

Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
Reviewed-by: Cyrill Gorcunov <gorcunov at openvz.org>

(cherry picked from commit c174b55d665b0d3edcf6445fe6279e7b081beb31)
Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>

+++
ve/sysctl/netfilter: Include ve.h header into net/netfilter/nf_conntrack_standalone.c

It's required for ve_net_hide_sysctl() declaration.

Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>

Change in vz9:

We don't need ve_net_hide_sysctl in nf_conntrack_standalone_init_sysctl
as there is no more userns check in it in mainstream, so what is left
from this patch is only ve_net_hide_sysctl declaration. See 2671fa4dc010
("netfilter: conntrack: Make global sysctls readonly in non-init netns")
Also rename the patch accordingly.

(cherry picked from vz8 commit 379d9b479b8976a3cf845286089d9ef89ed2ae89)
Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
---
 include/linux/ve.h |  2 ++
 kernel/ve/ve.c     | 16 ++++++++++++++++
 2 files changed, 18 insertions(+)

diff --git a/include/linux/ve.h b/include/linux/ve.h
index 18d52c6c63cf..bed0c186ac80 100644
--- a/include/linux/ve.h
+++ b/include/linux/ve.h
@@ -95,6 +95,8 @@ extern struct cgroup *cgroup_get_ve_root1(struct cgroup *cgrp);
 extern int vz_security_family_check(struct net *net, int family, int type);
 extern int vz_security_protocol_check(struct net *net, int protocol);
 
+int ve_net_hide_sysctl(struct net *net);
+
 #else	/* CONFIG_VE */
 #define get_ve(ve)	(NULL)
 #define put_ve(ve)	do { } while (0)
diff --git a/kernel/ve/ve.c b/kernel/ve/ve.c
index 75299258d677..ba5c6e240633 100644
--- a/kernel/ve/ve.c
+++ b/kernel/ve/ve.c
@@ -214,6 +214,22 @@ struct user_namespace *ve_init_user_ns(void)
 }
 EXPORT_SYMBOL(ve_init_user_ns);
 
+int ve_net_hide_sysctl(struct net *net)
+{
+	/*
+	 * This can happen only on VE creation, when process created VE cgroup,
+	 * and clones a child with new network namespace.
+	 */
+	if (net->owner_ve->init_cred == NULL)
+		return 0;
+
+	/*
+	 * Expose sysctl only for container's init user namespace
+	 */
+	return net->user_ns != net->owner_ve->init_cred->user_ns;
+}
+EXPORT_SYMBOL(ve_net_hide_sysctl);
+
 int nr_threads_ve(struct ve_struct *ve)
 {
         return cgroup_task_count(ve->css.cgroup);
-- 
2.31.1

More information about the Devel mailing list