It's good enough for us. It won't work properly when rules are set by joining the container's network namespace without entering the VE cgroup, but that is acceptable, because a proper fix would need a lot of backporting.
https://jira.sw.ru/browse/PSBM-43609
Signed-off-by: Stanislav Kinsburskiy <[email protected]>
---
 net/netfilter/xt_owner.c | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/net/netfilter/xt_owner.c b/net/netfilter/xt_owner.c
index 942cce1..31dec4a 100644
--- a/net/netfilter/xt_owner.c
+++ b/net/netfilter/xt_owner.c
@@ -31,14 +31,14 @@ owner_mt_v0(const struct sk_buff *skb, struct xt_action_param *par)
 		return false;
 
 	if (info->match & XT_OWNER_UID) {
-		kuid_t uid = make_kuid(&init_user_ns, info->uid);
+		kuid_t uid = make_kuid(ve_init_user_ns(), info->uid);
 		if ((!uid_eq(filp->f_cred->fsuid, uid)) ^
 		    !!(info->invert & XT_OWNER_UID))
 			return false;
 	}
 
 	if (info->match & XT_OWNER_GID) {
-		kgid_t gid = make_kgid(&init_user_ns, info->gid);
+		kgid_t gid = make_kgid(ve_init_user_ns(), info->gid);
 		if ((!gid_eq(filp->f_cred->fsgid, gid)) ^
 		    !!(info->invert & XT_OWNER_GID))
 			return false;
@@ -61,14 +61,14 @@ owner_mt6_v0(const struct sk_buff *skb, struct xt_action_param *par)
 		return false;
 
 	if (info->match & XT_OWNER_UID) {
-		kuid_t uid = make_kuid(&init_user_ns, info->uid);
+		kuid_t uid = make_kuid(ve_init_user_ns(), info->uid);
 		if ((!uid_eq(filp->f_cred->fsuid, uid)) ^
 		    !!(info->invert & XT_OWNER_UID))
 			return false;
 	}
 
 	if (info->match & XT_OWNER_GID) {
-		kgid_t gid = make_kgid(&init_user_ns, info->gid);
+		kgid_t gid = make_kgid(ve_init_user_ns(), info->gid);
 		if ((!gid_eq(filp->f_cred->fsgid, gid)) ^
 		    !!(info->invert & XT_OWNER_GID))
 			return false;
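Review bot: The rule's uid/gid is now translated through `ve_init_user_ns()` on every packet and nothing checks that the value actually maps in that namespace; `make_kuid()` yields INVALID_UID for an unmapped id, so `uid_eq(filp->f_cred->fsuid, uid)` is then always false and the rule silently matches nothing, or everything when the `XT_OWNER_UID` bit is set in `info->invert`, which makes a rule meant to confine a service fail open. With `&init_user_ns` every id was mapped, so this is a failure mode the hunk introduces. Resolving the namespace at match time from the caller's VE also means it can differ from the one the rule author had at install time, which is the caveat the description already notes for rules installed by joining the container netns without its VE cgroup. I would validate once at rule-install time in the match's checkentry hook (adding one if xt_owner has none in this tree), e.g. `if (!uid_valid(make_kuid(ve_init_user_ns(), info->uid))) return -EINVAL;`, and, if this tree's `struct net` carries `user_ns`, key the translation on the rule's netns owner rather than the current VE. The same applies to the hunk in owner_mt6_v0 and the two in owner_mt; owner_mt_v0's body begins and ends outside the hunk.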
@@ -109,8 +109,8 @@ owner_mt(const struct sk_buff *skb, struct xt_action_param *par)
 		       (XT_OWNER_UID | XT_OWNER_GID)) == 0;
 
 	if (info->match & XT_OWNER_UID) {
-		kuid_t uid_min = make_kuid(&init_user_ns, info->uid_min);
-		kuid_t uid_max = make_kuid(&init_user_ns, info->uid_max);
+		kuid_t uid_min = make_kuid(ve_init_user_ns(), info->uid_min);
+		kuid_t uid_max = make_kuid(ve_init_user_ns(), info->uid_max);
 		if ((uid_gte(filp->f_cred->fsuid, uid_min) &&
 		     uid_lte(filp->f_cred->fsuid, uid_max)) ^
 		    !(info->invert & XT_OWNER_UID))
@@ -118,8 +118,8 @@ owner_mt(const struct sk_buff *skb, struct xt_action_param *par)
 	}
 
 	if (info->match & XT_OWNER_GID) {
-		kgid_t gid_min = make_kgid(&init_user_ns, info->gid_min);
-		kgid_t gid_max = make_kgid(&init_user_ns, info->gid_max);
+		kgid_t gid_min = make_kgid(ve_init_user_ns(), info->gid_min);
+		kgid_t gid_max = make_kgid(ve_init_user_ns(), info->gid_max);
 		if ((gid_gte(filp->f_cred->fsgid, gid_min) &&
 		     gid_lte(filp->f_cred->fsgid, gid_max)) ^
 		    !(info->invert & XT_OWNER_GID))
_______________________________________________
Devel mailing list
[email protected]
https://lists.openvz.org/mailman/listinfo/devel
