[Devel] [PATCH VZ10 6/9] ve_namespace: Block setns until VE is running

Pavel Tikhomirov ptikhomirov at virtuozzo.com
Fri Dec 5 07:50:06 MSK 2025


We had the same thing with ve cgroup, so let's follow this pattern, only
the task which created VE namespace and its ancestors are allowed
until ve is not running.

Note: We might reconsider this as we might replace ve START with
cloning ve_namespace, and then at this stage it would always be
running already.

https://virtuozzo.atlassian.net/browse/VSTOR-119941
Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>

Feature: ve: ve generic structures
---
 kernel/ve/ve_namespace.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/kernel/ve/ve_namespace.c b/kernel/ve/ve_namespace.c
index c8f89f57ab03..44cb7f0c66b0 100644
--- a/kernel/ve/ve_namespace.c
+++ b/kernel/ve/ve_namespace.c
@@ -196,6 +196,9 @@ static int ve_ns_install(struct nsset *nsset, struct ns_common *new)
 	    !ns_capable(nsset->cred->user_ns, CAP_SYS_ADMIN))
 		return -EPERM;
 
+	if (!VE_IS_RUNNING(ve_ns->ve))
+		return -EINVAL;
+
 	/*
 	 * Don't need to put_ve_ns(nsset->ve_ns) here,
 	 * as at this point it is always zero.
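Review bot: the added `VE_IS_RUNNING(ve_ns->ve)` check carries no comment and returns -EINVAL to every caller, while the commit message describes the creating task and its ancestors as allowed before the VE runs; nothing in this hunk distinguishes those tasks from any other caller. A short comment above the check should state why setns is refused before start and how the allowed tasks get their membership without going through ve_ns_install(). It is also worth considering whether userspace can tell this condition apart from a genuinely invalid argument when both yield -EINVAL. No locking is visible around the state check in these lines, so the comment should say what keeps the VE state from changing between this test and the rest of the install. Placing the check after the CAP_SYS_ADMIN test is good, since unprivileged callers get -EPERM and cannot use the return value to probe whether the VE is running.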
-- 
2.52.0


