[Devel] [PATCH RHEL9 COMMIT] cgroup-v1: Allow setting release_agent from root Container user_ns

Konstantin Khorenko khorenko at virtuozzo.com
Mon May 30 12:55:32 MSK 2022


The commit is pushed to "branch-rh9-5.14.0-70.13.1.vz9.16.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh9-5.14.0-70.13.1.el9
------>
commit 59f12e23b917142dca8fb014cc76433d195fd719
Author: Konstantin Khorenko <khorenko at virtuozzo.com>
Date:   Thu May 26 18:11:13 2022 +0300

    cgroup-v1: Allow setting release_agent from root Container user_ns
    
    ms commit 24f600856418 ("cgroup-v1: Require capabilities to set
    release_agent") restricts release_agent configuration to init user_ns
    only.
    
    Release agent is virtualized per-Container, so
    allow configuring it from top CT userns as well.
    
    We need both checks here because CRIU during restore stage
    configures release agent while being in init_user_ns and
    in non-root ve cgroup.
    
    https://jira.sw.ru/browse/PSBM-140174
    
    Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>
    Reviewed-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
    
    Feature: cgroup: per-CT cgroup release_agent
---
 kernel/cgroup/cgroup-v1.c | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)

diff --git a/kernel/cgroup/cgroup-v1.c b/kernel/cgroup/cgroup-v1.c
index f321e6691c46..002530f808f1 100644
--- a/kernel/cgroup/cgroup-v1.c
+++ b/kernel/cgroup/cgroup-v1.c
@@ -554,10 +554,20 @@ static ssize_t cgroup_release_agent_write(struct kernfs_open_file *of,
 	/*
 	 * Release agent gets called with all capabilities,
 	 * require capabilities to set release agent.
+	 *
+	 * Release agent is virtualialized per-Container, so
+	 * allow to configure it from top CT userns as well.
+	 *
+	 * We need both checks here because CRIU during restore stage
+	 * configures release agent while being in init_user_ns and
+	 * in non-root ve cgroup.
 	 */
-	if ((of->file->f_cred->user_ns != &init_user_ns) ||
-	    !capable(CAP_SYS_ADMIN))
+	if (((of->file->f_cred->user_ns != &init_user_ns) ||
+             !capable(CAP_SYS_ADMIN)) &&
+	    ((of->file->f_cred->user_ns != ve_init_user_ns()) ||
+	     !ve_capable(CAP_SYS_ADMIN))) {
 		return -EPERM;
+	}
 
 	cgrp = cgroup_kn_lock_live(of->kn, false);
 	if (!cgrp)
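Review bot: Two style points on the new condition in cgroup_release_agent_write(). The continuation line `!capable(CAP_SYS_ADMIN)) &&` is indented with spaces while every surrounding line uses tabs, and the braces added around the single `return -EPERM;` statement are not kernel coding style (checkpatch will flag both). The combined condition is also now four lines of nested parentheses that are duplicated almost verbatim in cgroup1_parse_param() below, differing only in where the user_ns comes from; a small helper taking a `struct user_namespace *` (for example a hypothetical `cgroup1_may_set_release_agent(ns)`) would keep the two call sites in sync. On the substance: the second branch lets a CAP_SYS_ADMIN holder in the top Container user_ns configure an agent that, per the existing comment, runs with all capabilities, so the relaxation is only safe on the commit message's premise that the agent is virtualized per-Container; a pointer in the comment to where that containment is enforced would help future readers judge the check.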
@@ -1089,7 +1099,10 @@ int cgroup1_parse_param(struct fs_context *fc, struct fs_parameter *param)
 		 * Release agent gets called with all capabilities,
 		 * require capabilities to set release agent.
 		 */
-		if ((fc->user_ns != &init_user_ns) || !capable(CAP_SYS_ADMIN))
+		if (((fc->user_ns != &init_user_ns) ||
+		     !capable(CAP_SYS_ADMIN)) &&
+		    ((fc->user_ns != ve_init_user_ns()) ||
+		     !ve_capable(CAP_SYS_ADMIN)))
 			return invalfc(fc, "Setting release_agent not allowed");
 		ctx->release_agent = param->string;
 		param->string = NULL;
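Review bot: The comment above this condition still only says "require capabilities to set release agent" and was not extended with the per-Container / CRIU rationale that the first hunk adds to cgroup_release_agent_write(), so a reader of cgroup1_parse_param() alone cannot tell why the ve_init_user_ns() branch is acceptable. Either duplicate the three-paragraph comment here or, better, move both the comment and the condition into one shared helper as suggested for the first hunk, so the mount-option path and the write path cannot drift apart.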

