[Devel] [PATCH rh9 v3] cgroup-v1: Allow setting release_agent from root Container user_ns

Pavel Tikhomirov ptikhomirov at virtuozzo.com
Fri May 27 19:44:39 MSK 2022


On 27.05.2022 18:22, Konstantin Khorenko wrote:
> ms commit 24f600856418 ("cgroup-v1: Require capabilities to set
> release_agent") restricts release_agent configuration to init user_ns
> only.
> 
> Release agent is virtualized per-Container, so
> allow configuring it from top CT userns as well.
> 
> We need both checks here because CRIU during restore stage
> configures release agent while being in init_user_ns and
> in non-root ve cgroup.
> 
> https://jira.sw.ru/browse/PSBM-140174
> 

Reviewed-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>

> Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>
> Feature: cgroup: per-CT cgroup release_agent
> ---
> v2: added the check for init_user_ns - for the CRIU's sake
> v3: copy-paste typo fixed
> 
>   kernel/cgroup/cgroup-v1.c | 19 ++++++++++++++++---
>   1 file changed, 16 insertions(+), 3 deletions(-)
> 
> diff --git a/kernel/cgroup/cgroup-v1.c b/kernel/cgroup/cgroup-v1.c
> index f321e6691c46..002530f808f1 100644
> --- a/kernel/cgroup/cgroup-v1.c
> +++ b/kernel/cgroup/cgroup-v1.c
> @@ -554,10 +554,20 @@ static ssize_t cgroup_release_agent_write(struct kernfs_open_file *of,
>   	/*
>   	 * Release agent gets called with all capabilities,
>   	 * require capabilities to set release agent.
> +	 *
> +	 * Release agent is virtualialized per-Container, so
> +	 * allow to configure it from top CT userns as well.
> +	 *
> +	 * We need both checks here because CRIU during restore stage
> +	 * configures release agent while being in init_user_ns and
> +	 * in non-root ve cgroup.
>   	 */
> -	if ((of->file->f_cred->user_ns != &init_user_ns) ||
> -	    !capable(CAP_SYS_ADMIN))
> +	if (((of->file->f_cred->user_ns != &init_user_ns) ||
> +             !capable(CAP_SYS_ADMIN)) &&
> +	    ((of->file->f_cred->user_ns != ve_init_user_ns()) ||
> +	     !ve_capable(CAP_SYS_ADMIN))) {
>   		return -EPERM;
> +	}
>   
>   	cgrp = cgroup_kn_lock_live(of->kn, false);
>   	if (!cgrp)
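Review bot: The comment in cgroup_release_agent_write still opens with "Release agent gets called with all capabilities" while the new condition also accepts a writer whose f_cred->user_ns equals ve_init_user_ns() and who passes ve_capable(CAP_SYS_ADMIN). The added text says the agent is virtualized per-Container but not in which context or with which privileges the per-CT agent runs, and that is the fact a reader needs to judge the relaxation. Please state it in the comment. Two style points in the same hunk: the added "!capable(CAP_SYS_ADMIN)) &&" line is indented with spaces where the neighbouring lines use tabs, and the braces added around the single "return -EPERM;" are not used for the equivalent check in cgroup1_parse_param.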
> @@ -1089,7 +1099,10 @@ int cgroup1_parse_param(struct fs_context *fc, struct fs_parameter *param)
>   		 * Release agent gets called with all capabilities,
>   		 * require capabilities to set release agent.
>   		 */
> -		if ((fc->user_ns != &init_user_ns) || !capable(CAP_SYS_ADMIN))
> +		if (((fc->user_ns != &init_user_ns) ||
> +		     !capable(CAP_SYS_ADMIN)) &&
> +		    ((fc->user_ns != ve_init_user_ns()) ||
> +		     !ve_capable(CAP_SYS_ADMIN)))
>   			return invalfc(fc, "Setting release_agent not allowed");
>   		ctx->release_agent = param->string;
>   		param->string = NULL;
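Review bot: The four-clause condition in cgroup1_parse_param duplicates the one added to cgroup_release_agent_write, differing only in where the user_ns comes from (fc->user_ns here, of->file->f_cred->user_ns there). A small helper that takes the user_ns pointer would keep the two permission checks from drifting apart the next time one of them changes. The comment above this check was also left as is: it does not carry the per-Container and CRIU explanation added in the first hunk, so the reason for the ve_init_user_ns() branch is not documented at this call site.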

-- 
Best regards, Tikhomirov Pavel
Software Developer, Virtuozzo.