The commit is pushed to "branch-rh9-5.14.vz9.1.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git after ark-5.14 ------> commit d6c66265a17a599866e8046ca253aa0e9e67c1d2 Author: Cyrill Gorcunov <gorcu...@virtuozzo.com> Date: Wed Sep 22 14:50:56 2021 +0300
ve/security: device_cgroup -- Allow manage devices in @pseudosuper state When restoring containers with several disks it's more convenient to mount device first and the setup permissions needed. So for this sake we allow to escape device permissions testing inside VE only if @pseudosuper state enabled. https://jira.sw.ru/browse/PSBM-48421 CC: Vladimir Davydov <vdavy...@virtuozzo.com> CC: Konstantin Khorenko <khore...@virtuozzo.com> CC: Andrey Vagin <ava...@openvz.org> Signed-off-by: Cyrill Gorcunov <gorcu...@virtuozzo.com> (cherry-picked from vz8 commit a3621548b561554887087b281d52c98e039ab593) Signed-off-by: Pavel Tikhomirov <ptikhomi...@virtuozzo.com> --- security/device_cgroup.c | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/security/device_cgroup.c b/security/device_cgroup.c index 04375df52fc9..3591e7144df4 100644 --- a/security/device_cgroup.c +++ b/security/device_cgroup.c @@ -14,6 +14,7 @@ #include <linux/slab.h> #include <linux/rcupdate.h> #include <linux/mutex.h> +#include <linux/ve.h> #ifdef CONFIG_CGROUP_DEVICE @@ -822,8 +823,24 @@ static int devcgroup_legacy_check_permission(short type, u32 major, u32 minor, minor, access); rcu_read_unlock(); +#ifdef CONFIG_VE + /* + * When restoring container allow everything in + * pseudosuper state. We need this for early + * mounting of second ploop device. Still, don't + * change behaviour on the ve0. + */ + if (!rc) { + struct ve_struct *ve = get_exec_env(); + + if (!ve_is_super(ve) && ve->is_pseudosuper) + return 0; + return -EPERM; + } +#else if (!rc) return -EPERM; +#endif return 0; } _______________________________________________ Devel mailing list Devel@openvz.org https://lists.openvz.org/mailman/listinfo/devel