[Devel] [PATCH RHEL10 COMMIT] ve_namespace: Block setns until VE is running
Konstantin Khorenko
khorenko at virtuozzo.com
Sat Dec 13 23:31:07 MSK 2025
The commit is pushed to "branch-rh10-6.12.0-55.13.1.3.x.vz10-ovz" and will appear at git at bitbucket.org:openvz/vzkernel.git
after rh10-6.12.0-55.13.1.2.24.vz10
------>
commit 0f2189019c15da459d618c109514b924a953898f
Author: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
Date: Wed Dec 10 18:34:27 2025 +0800
ve_namespace: Block setns until VE is running
We had the same thing with ve cgroup, so let's follow this pattern, only
the task which created VE namespace and its ancestors are allowed
until ve is not running.
Note: We might reconsider this as we might replace ve START with
cloning ve_namespace, and then at this stage it would always be
running already.
https://virtuozzo.atlassian.net/browse/VSTOR-119941
Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
Feature: ve: ve generic structures
---
kernel/ve/ve_namespace.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/kernel/ve/ve_namespace.c b/kernel/ve/ve_namespace.c
index c8f89f57ab039..44cb7f0c66b01 100644
--- a/kernel/ve/ve_namespace.c
+++ b/kernel/ve/ve_namespace.c
@@ -196,6 +196,9 @@ static int ve_ns_install(struct nsset *nsset, struct ns_common *new)
!ns_capable(nsset->cred->user_ns, CAP_SYS_ADMIN))
return -EPERM;
+ if (!VE_IS_RUNNING(ve_ns->ve))
+ return -EINVAL;
+
/*
* Don't need to put_ve_ns(nsset->ve_ns) here,
* as at this point it is always zero.
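Review bot: the new `!VE_IS_RUNNING(ve_ns->ve)` check in ve_ns_install() returns -EINVAL for every caller, while the commit message says the task that created the VE namespace and its ancestors are still allowed before the VE is running. Nothing in the visible lines makes that exception, so if it holds only because those tasks never reach the namespace through setns, a short comment above the check saying so would keep the next reader from taking it for a missing case. The comment could also record why -EINVAL was chosen rather than the -EPERM used by the capability check just above, since callers will see the two failures differently. The hunk shows no lock held around the state test, so it is worth confirming that the VE cannot leave the running state between this check and the install that follows.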