[Devel] [PATCH RHEL7 COMMIT] cgroup-v1: Allow setting release_agent from root Container user_ns

Konstantin Khorenko khorenko at virtuozzo.com
Thu Jun 23 18:30:12 MSK 2022


The commit is pushed to "branch-rh7-3.10.0-1160.66.1.vz7.188.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-1160.66.1.el7
------>
commit ca56aa848deeac392f636e111bb9ff94d8fe0526
Author: Konstantin Khorenko <khorenko at virtuozzo.com>
Date:   Thu May 26 18:11:13 2022 +0300

    cgroup-v1: Allow setting release_agent from root Container user_ns
    
    ms commit 24f600856418 ("cgroup-v1: Require capabilities to set
    release_agent") restricts release_agent configuration to init user_ns
    only.
    
    The release agent is virtualized per-Container, so
    allow configuring it from the top CT userns as well.
    
    Note: CRIU during the restore stage configures the release agent while being
    in init_user_ns and in a non-root ve cgroup, but it's fine to skip an
    independent check for "capable()", because if capable(CAP_SYS_ADMIN)
    is true then ve_capable(CAP_SYS_ADMIN) is also always true.
    
    https://jira.sw.ru/browse/PSBM-140752
    CVE-2022-0492
    https://jira.sw.ru/browse/RK-126
    
    Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>
    
    Feature: cgroup: per-CT cgroup release_agent
---
 kernel/cgroup.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/kernel/cgroup.c b/kernel/cgroup.c
index 2ff160cbe1f0d..f2952d7c18dce 100644
--- a/kernel/cgroup.c
+++ b/kernel/cgroup.c
@@ -1256,7 +1256,7 @@ static int parse_cgroupfs_options(char *data, struct cgroup_sb_opts *opts)
 			 * Release agent gets called with all capabilities,
 			 * require capabilities to set release agent.
 			 */
-			if (!capable(CAP_SYS_ADMIN))
+			if (!ve_capable(CAP_SYS_ADMIN))
 				return -EPERM;
 
 			opts->release_agent =
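Review bot: The comment directly above the changed check ("Release agent gets called with all capabilities, require capabilities to set release agent") still describes the rationale of the upstream capable() check and now reads as if the weaker ve_capable() test were a mistake; since this is the mount-option path that the CVE-2022-0492 fix hardened, the comment should state why ve_capable(CAP_SYS_ADMIN) is sufficient here (the release agent is virtualized per-Container, per the commit message) so a later reader does not re-tighten or further relax the check without that context.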
@@ -2573,7 +2573,7 @@ static int cgroup_release_agent_write(struct cgroup *cgrp, struct cftype *cft,
 	 * Release agent gets called with all capabilities,
 	 * require capabilities to set release agent.
 	 */
-	if (!capable(CAP_SYS_ADMIN))
+	if (!ve_capable(CAP_SYS_ADMIN))
 		return -EPERM;
 
 	if (!cgroup_lock_live_group(cgrp))
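Review bot: The same comment-and-check pair is now duplicated verbatim in cgroup_release_agent_write() and parse_cgroupfs_options(), and the justification for dropping the init_user_ns requirement (capable(CAP_SYS_ADMIN) implies ve_capable(CAP_SYS_ADMIN), which is what keeps the CRIU restore path working) lives only in the commit message; consider folding both sites into one small helper with that invariant documented in its comment, so the two checks cannot drift apart in a future backport.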

