[Devel] [PATCH VZ10 7/9] ve: Always allow to attach to ve cgroup

Fri Dec 5 07:50:07 MSK 2025

We've re-implemented the restrictions to join ve cgroup to ve namespace
path, in previous patches, so now we remove the restrictions from cgroup
join path. Now anyone can join ve cgroup at any moment without any
repercussions.

We need this to be able to make ve cgroup working with intermediate
cgroups in cgroup-v2 hierarchy.

https://virtuozzo.atlassian.net/browse/VSTOR-119941
Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>

Feature: ve: ve generic structures
---
 kernel/ve/ve.c | 71 --------------------------------------------------
 1 file changed, 71 deletions(-)

diff --git a/kernel/ve/ve.c b/kernel/ve/ve.c
index 61448af310c7..718d7811b629 100644
--- a/kernel/ve/ve.c
+++ b/kernel/ve/ve.c
@@ -1101,76 +1101,6 @@ static void ve_destroy(struct cgroup_subsys_state *css)
 	kmem_cache_free(ve_cachep, ve);
 }
 
-static bool ve_task_can_attach(struct cgroup_taskset *tset)
-{
-	struct cgroup_subsys_state *css;
-	struct task_struct *task;
-
-	task = cgroup_taskset_first(tset, &css);
-	if (task != current)
-		pr_err_ratelimited("ve_cgroup: Add task_work-based interface for attaching!!!\n");
-
-	if (cgroup_taskset_next(tset, &css) != NULL) {
-		pr_err_ratelimited("ve_cgroup: attach of a thread group is not supported\n");
-		return false;
-	}
-	if (!thread_group_leader(task)) {
-		pr_err_ratelimited("ve_cgroup: only thread group leader is allowed to attach\n");
-		return false;
-	}
-	if (!thread_group_empty(task)) {
-		pr_err_ratelimited("ve_cgroup: only single-threaded process is allowed to attach\n");
-		return false;
-	}
-	return true;
-}
-
-static int ve_is_attachable(struct cgroup_taskset *tset)
-{
-	struct cgroup_subsys_state *css;
-	struct task_struct *task;
-	struct ve_struct *ve;
-
-	task = cgroup_taskset_first(tset, &css);
-	ve = css_to_ve(css);
-
-	if (VE_IS_RUNNING(ve))
-		return 0;
-
-	if (!ve->veid) {
-		pr_err_ratelimited("ve_cgroup: container's veid is not set\n");
-		return -EINVAL;
-	}
-
-	if (task->flags & PF_KTHREAD) {
-		/* Paranoia check: allow to attach kthread only, if cgroup is
-		 * not empty.
-		 * This check is required for kthreadd, which is created on CT
-		 * start.
-		 */
-		if (cgroup_is_populated(css->cgroup))
-			return 0;
-		pr_err_ratelimited("ve_cgroup: can't attach kthread - empty group\n");
-	} else {
-		/* In case of generic task only one is allowed to enter to
-		 * non-running container: init.
-		 */
-		if (!cgroup_is_populated(css->cgroup))
-			return 0;
-		pr_err_ratelimited("ve_cgroup: can't attach more than 1 task to "
-				"non-running container\n");
-	}
-	return -EINVAL;
-}
-
-static int ve_can_attach(struct cgroup_taskset *tset)
-{
-	if (!ve_task_can_attach(tset))
-		return -EINVAL;
-
-	return ve_is_attachable(tset);
-}
-
 static int ve_state_show(struct seq_file *sf, void *v)
 {
 	struct cgroup_subsys_state *css = seq_css(sf);
@@ -1876,7 +1806,6 @@ struct cgroup_subsys ve_cgrp_subsys = {
 	.css_online	= ve_online,
 	.css_offline	= ve_offline,
 	.css_free	= ve_destroy,
-	.can_attach	= ve_can_attach,
 	.legacy_cftypes	= ve_cftypes,
 	.dfl_cftypes	= ve_cftypes,
 };
-- 
2.52.0

