From: Konstantin Khorenko <[email protected]> Sometimes people would like to run ntp server inside trusted Containers, so let's introduce an appropriate CT feature for that.
Note: time is NOT virtualized, so Container changes date/time of the whole Node. https://jira.sw.ru/browse/PSBM-94635 Signed-off-by: Konstantin Khorenko <[email protected]> https://jira.sw.ru/browse/PSBM-127846 (cherry-picked from vz7 commit c6314aabd00d ("ve/time: introduce CT feature to allow setting date/time")) Signed-off-by: Pavel Tikhomirov <[email protected]> --- include/uapi/linux/vzcalluser.h | 1 + security/commoncap.c | 4 +++- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/include/uapi/linux/vzcalluser.h b/include/uapi/linux/vzcalluser.h index a7f7268bdd80..19270bc24595 100644 --- a/include/uapi/linux/vzcalluser.h +++ b/include/uapi/linux/vzcalluser.h @@ -45,6 +45,7 @@ struct vzctl_ve_configure { #define VE_FEATURE_IPGRE (1ULL << 6) #define VE_FEATURE_BRIDGE (1ULL << 7) #define VE_FEATURE_NFSD (1ULL << 8) +#define VE_FEATURE_TIME (1ULL << 9) #define VE_FEATURES_OLD (VE_FEATURE_SYSFS) #define VE_FEATURES_DEF (VE_FEATURE_SYSFS | VE_FEATURE_DEF_PERMS) diff --git a/security/commoncap.c b/security/commoncap.c index 6c3eeb696a43..3ef9e72a8f4f 100644 --- a/security/commoncap.c +++ b/security/commoncap.c @@ -30,6 +30,8 @@ #include <linux/binfmts.h> #include <linux/personality.h> +#include <uapi/linux/vzcalluser.h> + /* * If a non-root user executes a setuid-root binary in * !secure(SECURE_NOROOT) mode, then we raise capabilities. @@ -115,7 +117,7 @@ int cap_capable(const struct cred *cred, struct user_namespace *targ_ns, */ int cap_settime(const struct timespec64 *ts, const struct timezone *tz) { - if (!capable(CAP_SYS_TIME)) + if (!feature_capable(VE_FEATURE_TIME, CAP_SYS_TIME)) return -EPERM; return 0; } -- 2.31.1
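Review bot: the new VE_FEATURE_TIME define in the vzcalluser.h hunk lands in a UAPI header with no comment on what enabling it means; since the commit message states that time is not virtualized and a Container with this feature changes the date/time of the whole Node, that caveat belongs next to the define so anyone enabling the bit from userspace sees it, e.g. `#define VE_FEATURE_TIME (1ULL << 9) /* CT may set the Node's wall-clock time; time is not virtualized */`. Leaving it out of VE_FEATURES_DEF is right, so the feature stays off by default. As this is a cherry-pick of vz7 commit c6314aabd00d, please confirm bit 9 is the same value vz7 assigns, so tools built against either header agree on the feature mask.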
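Review bot: the include added in the first commoncap.c hunk pulls a `uapi/` path directly into core capability code, while every neighbouring include uses the `<linux/...>` form; if the tree provides a `<linux/vzcalluser.h>` wrapper, that is the conventional include for in-kernel users. The hunk also does not show where feature_capable() is declared: if it lives in a different header, either note that this include is only for VE_FEATURE_TIME or include that header explicitly too, so the build does not depend on a transitive include.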
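Review bot: the cap_settime() hunk replaces capable(CAP_SYS_TIME) with feature_capable(VE_FEATURE_TIME, CAP_SYS_TIME) and, per the commit message, a successful call from a Container now changes the whole Node's clock, so the comment block above cap_settime() should state that a Container with VE_FEATURE_TIME can set the host date/time. Please confirm two things in the reply: that feature_capable() reduces to the plain CAP_SYS_TIME check for the host itself, so host behaviour is unchanged, and that with the feature disabled a Container root that holds CAP_SYS_TIME now gets -EPERM, which is the intended restriction. Any CAP_SYS_TIME checks elsewhere that do not pass through cap_settime() are untouched by this patch; a sentence in the commit message saying that the feature only covers this hook would avoid the assumption that it gates every time-setting path.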
