[Devel] [PATCH RHEL COMMIT] introduce ve_net_hide_sysctl helper
Konstantin Khorenko
khorenko at virtuozzo.com
Tue Sep 28 19:31:07 MSK 2021
The commit is pushed to "branch-rh9-5.14.vz9.1.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after ark-5.14
------>
commit a2d5c86be579cc70263b05583fd1c0b4c4179ab7
Author: Stanislav Kinsburskiy <skinsbursky at virtuozzo.com>
Date: Tue Sep 28 19:31:07 2021 +0300
introduce ve_net_hide_sysctl helper
This will be used to check if we need to hide per-net sysctls.
Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
+++
ve/sysctl/nf_conntrack: allow expose of privileged sysctl inside containers
Series:
This series brings to vz7 all the nf_conntrack sysctl's,
which are available in vz6.
https://jira.sw.ru/browse/PSBM-40044
Signed-off-by: Stanislav Kinsburskiy <skinsbursky at virtuozzo.com>
Reviewed-by: Kirill Tkhai <ktkhai at virtuozzo.com>
+++
ve/nf_conntrack: export nf_conntrack_hide_sysctl() helper
From: Stanislav Kinsburskiy <skinsbursky at virtuozzo.com>
Series:
This series brings to vz7 all the nf_conntrack sysctl's,
which are available in vz6.
https://jira.sw.ru/browse/PSBM-40044
Will be used for other tables
Signed-off-by: Stanislav Kinsburskiy <skinsbursky at virtuozzo.com>
Reviewed-by: Kirill Tkhai <ktkhai at virtuozzo.com>
+++
ve/sysctl/net: move and rename *_hide_sysctl helper to ve.c
Make it general for all net sysctls, will be used in next patch.
https://jira.sw.ru/browse/PSBM-54530
Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
Reviewed-by: Cyrill Gorcunov <gorcunov at openvz.org>
(cherry picked from commit c174b55d665b0d3edcf6445fe6279e7b081beb31)
Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>
+++
ve/sysctl/netfilter: Include ve.h header into net/netfilter/nf_conntrack_standalone.c
It's required for ve_net_hide_sysctl() declaration.
Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>
Change in vz9:
We don't need ve_net_hide_sysctl in nf_conntrack_standalone_init_sysctl
as there is no more userns check in it in mainstream, so what is left
from this patch is only ve_net_hide_sysctl declaration. See 2671fa4dc010
("netfilter: conntrack: Make global sysctls readonly in non-init netns")
Also rename the patch accordingly.
(cherry picked from vz8 commit 379d9b479b8976a3cf845286089d9ef89ed2ae89)
Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
---
include/linux/ve.h | 2 ++
kernel/ve/ve.c | 16 ++++++++++++++++
2 files changed, 18 insertions(+)
diff --git a/include/linux/ve.h b/include/linux/ve.h
index f80dca3d3d84..30f4daa402f5 100644
--- a/include/linux/ve.h
+++ b/include/linux/ve.h
@@ -102,6 +102,8 @@ extern struct cgroup *cgroup_get_ve_root1(struct cgroup *cgrp);
extern int vz_security_family_check(struct net *net, int family, int type);
extern int vz_security_protocol_check(struct net *net, int protocol);
+int ve_net_hide_sysctl(struct net *net);
+
#else /* CONFIG_VE */
#define get_ve(ve) (NULL)
#define put_ve(ve) do { } while (0)
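Review bot: the new `int ve_net_hide_sysctl(struct net *net);` declaration is added only on the CONFIG_VE side of the `#ifdef`, while the `#else /* CONFIG_VE */` branch that follows provides fallbacks for `get_ve`/`put_ve` but none for this helper, so any caller built without CONFIG_VE will fail to compile or link. Suggest adding a fallback in the `#else` branch alongside the existing macros, e.g. `#define ve_net_hide_sysctl(net) (0)` (or a `static inline` returning 0), so the helper is usable from the netfilter code unconditionally as the commit message intends.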
diff --git a/kernel/ve/ve.c b/kernel/ve/ve.c
index 0d4ce249d1c2..df82b7577bc9 100644
--- a/kernel/ve/ve.c
+++ b/kernel/ve/ve.c
@@ -217,6 +217,22 @@ struct user_namespace *ve_init_user_ns(void)
}
EXPORT_SYMBOL(ve_init_user_ns);
+int ve_net_hide_sysctl(struct net *net)
+{
+ /*
+ * This can happen only on VE creation, when process created VE cgroup,
+ * and clones a child with new network namespace.
+ */
+ if (net->owner_ve->init_cred == NULL)
+ return 0;
+
+ /*
+ * Expose sysctl only for container's init user namespace
+ */
+ return net->user_ns != net->owner_ve->init_cred->user_ns;
+}
+EXPORT_SYMBOL(ve_net_hide_sysctl);
+
int nr_threads_ve(struct ve_struct *ve)
{
return cgroup_task_count(ve->css.cgroup);
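Review bot: the early `return 0` when `net->owner_ve->init_cred == NULL` makes the helper fail open, i.e. sysctls are exposed rather than hidden during the VE-creation window the comment describes; if a caller can observe the net namespace in that transient state, hiding (returning nonzero) would be the safer default, or the commit should state why exposure is harmless there. Two smaller points on the same function: `net->owner_ve` is dereferenced without a check, so it is worth confirming in the changelog that every `struct net` reaching this helper has `owner_ve` set; and the return value's meaning (nonzero means "hide") is only implied by the name, so a short comment above the function stating it would help the callers this helper is exported for.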