From: Konstantin Khorenko <[email protected]> Containers might have special features which affect capabilities, so here is a wrapper for code simplicity.
https://jira.sw.ru/browse/PSBM-94635
Signed-off-by: Konstantin Khorenko <[email protected]>
https://jira.sw.ru/browse/PSBM-127846
(cherry-picked from vz7 commit b64e08cf6ea0 ("ve/capability: introduce capable() wrapper which honors CT features"))
Signed-off-by: Pavel Tikhomirov <[email protected]>
---
 include/linux/capability.h | 1 +
 kernel/capability.c | 13 +++++++++++++
 2 files changed, 14 insertions(+)
diff --git a/include/linux/capability.h b/include/linux/capability.h
index 20f4cc2f81d7..2cd6cc8ead53 100644
--- a/include/linux/capability.h
+++ b/include/linux/capability.h
@@ -243,6 +243,7 @@ static inline bool ns_capable_noaudit(struct user_namespace *ns, int cap)
 }
 #endif /* CONFIG_MULTIUSER */
 extern bool ve_capable(int cap);
+extern bool feature_capable(int feature, int cap);
 extern bool privileged_wrt_inode_uidgid(struct user_namespace *ns, const struct inode *inode);
 extern bool capable_wrt_inode_uidgid(const struct inode *inode, int cap);
 extern bool file_ns_capable(const struct file *file, struct user_namespace *ns, int cap);
diff --git a/kernel/capability.c b/kernel/capability.c
index aefb33a090de..5f1c6cb2af07 100644
--- a/kernel/capability.c
+++ b/kernel/capability.c
@@ -417,11 +417,24 @@ bool ve_capable(int cap)
 	return ret;
 }
+
+bool feature_capable(int feature, int cap)
+{
+	if (get_exec_env()->features & feature)
+		return ve_capable(cap);
+	else
+		return capable(cap);
+}
 #else
 bool ve_capable(int cap)
 {
 	return capable(cap);
 }
+
+bool feature_capable(int feature, int cap)
+{
+	return capable(cap);
+}
 #endif
 EXPORT_SYMBOL_GPL(ve_capable);
-- 
2.31.1
_______________________________________________
Devel mailing list
[email protected]
https://lists.openvz.org/mailman/listinfo/devel
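Review bot: `feature_capable()` declares its mask as `int feature` but ANDs it against `get_exec_env()->features`; if that field is wider than `int` (the type is not visible in this patch, please confirm), a caller passing a high feature bit gets it truncated or sign-extended before the mask is applied, so the check silently degrades to plain `capable(cap)` or matches bits the caller never named — the prototype in include/linux/capability.h and both definitions in kernel/capability.c should take the field's own type, e.g. `bool feature_capable(u64 feature, int cap)`. The new function is also not exported, while the line right below it, `EXPORT_SYMBOL_GPL(ve_capable);`, exports its sibling; if module callers are expected, add `EXPORT_SYMBOL_GPL(feature_capable);` beside it. Because passing a feature bit widens the check from the host-level `capable()` to the container-scoped `ve_capable()`, the CONFIG_VE definition deserves a short header comment saying that when the current VE has @feature enabled the container's own capability suffices, otherwise @cap must be held in the init namespace, and that callers must pass a feature only for operations that feature is meant to delegate to the container. The `else` after an unconditional `return` on the preceding line can be dropped for kernel style, `return ve_capable(cap);` followed directly by `return capable(cap);`.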
