[Devel] [PATCH rh9] cgroup-v1: Allow setting release_agent from root Container user_ns
Konstantin Khorenko
khorenko at virtuozzo.com
Thu May 26 18:42:12 MSK 2022
ms commit 24f600856418 ("cgroup-v1: Require capabilities to set
release_agent") restricts release_agent configuration to init user_ns
only, so let's tune checks to allow release_agent configuration from top
Container user_ns as well as we have release_agent virtualized per-CT in
Virtuozzo kernel.
https://jira.sw.ru/browse/PSBM-140174
Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>
Feature: cgroup: per-CT cgroup release_agent
---
kernel/cgroup/cgroup-v1.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/kernel/cgroup/cgroup-v1.c b/kernel/cgroup/cgroup-v1.c
index f321e6691c46..a9dc9c2004d4 100644
--- a/kernel/cgroup/cgroup-v1.c
+++ b/kernel/cgroup/cgroup-v1.c
@@ -555,8 +555,8 @@ static ssize_t cgroup_release_agent_write(struct kernfs_open_file *of,
* Release agent gets called with all capabilities,
* require capabilities to set release agent.
*/
- if ((of->file->f_cred->user_ns != &init_user_ns) ||
- !capable(CAP_SYS_ADMIN))
+ if ((of->file->f_cred->user_ns != ve_init_user_ns()) ||
+ !ve_capable(CAP_SYS_ADMIN))
return -EPERM;
cgrp = cgroup_kn_lock_live(of->kn, false);
@@ -1089,7 +1089,8 @@ int cgroup1_parse_param(struct fs_context *fc, struct fs_parameter *param)
* Release agent gets called with all capabilities,
* require capabilities to set release agent.
*/
- if ((fc->user_ns != &init_user_ns) || !capable(CAP_SYS_ADMIN))
+ if ((fc->user_ns != ve_init_user_ns()) ||
+ !ve_capable(CAP_SYS_ADMIN))
return invalfc(fc, "Setting release_agent not allowed");
ctx->release_agent = param->string;
param->string = NULL;
--
2.31.1
More information about the Devel
mailing list