The commit is pushed to "branch-rh9-5.14.vz9.1.x-ovz" and will appear at
https://src.openvz.org/scm/ovz/vzkernel.git
after ark-5.14
------>
commit d6c66265a17a599866e8046ca253aa0e9e67c1d2
Author: Cyrill Gorcunov <gorcu...@virtuozzo.com>
Date: Wed Sep 22 14:50:56 2021 +0300
ve/security: device_cgroup -- Allow manage devices in @pseudosuper state
When restoring containers with several disks it's more convenient
to mount device first and the setup permissions needed. So for this
sake we allow to escape device permissions testing inside VE only
if @pseudosuper state enabled.
https://jira.sw.ru/browse/PSBM-48421
CC: Vladimir Davydov <vdavy...@virtuozzo.com>
CC: Konstantin Khorenko <khore...@virtuozzo.com>
CC: Andrey Vagin <ava...@openvz.org>
Signed-off-by: Cyrill Gorcunov <gorcu...@virtuozzo.com>
(cherry-picked from vz8 commit a3621548b561554887087b281d52c98e039ab593)
Signed-off-by: Pavel Tikhomirov <ptikhomi...@virtuozzo.com>
---
security/device_cgroup.c | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/security/device_cgroup.c b/security/device_cgroup.c
index 04375df52fc9..3591e7144df4 100644
--- a/security/device_cgroup.c
+++ b/security/device_cgroup.c
@@ -14,6 +14,7 @@
#include <linux/slab.h>
#include <linux/rcupdate.h>
#include <linux/mutex.h>
+#include <linux/ve.h>
#ifdef CONFIG_CGROUP_DEVICE
@@ -822,8 +823,24 @@ static int devcgroup_legacy_check_permission(short type,
u32 major, u32 minor,
minor, access);
rcu_read_unlock();
+#ifdef CONFIG_VE
+ /*
+ * When restoring container allow everything in
+ * pseudosuper state. We need this for early
+ * mounting of second ploop device. Still, don't
+ * change behaviour on the ve0.
+ */
+ if (!rc) {
+ struct ve_struct *ve = get_exec_env();
+
+ if (!ve_is_super(ve) && ve->is_pseudosuper)
+ return 0;
+ return -EPERM;
+ }
+#else
if (!rc)
return -EPERM;
+#endif
return 0;
}
_______________________________________________
Devel mailing list
Devel@openvz.org
https://lists.openvz.org/mailman/listinfo/devel
