From: Stanislav Kinsburskiy <skinsbur...@virtuozzo.com>

We want to allow a few operations in VE. Currently we use nsown_capable, but it's wrong, because in this case we allow these operations in any user namespace.
https://jira.sw.ru/browse/PSBM-39077 Signed-off-by: Andrew Vagin <ava...@virtuozzo.com> Signed-off-by: Stanislav Kinsburskiy <skinsbur...@virtuozzo.com> (cherry picked from vz8 commit 1fc32ea21100b02b6d046bb60aa938ce04b41f0d) Signed-off-by: Andrey Zhadchenko <andrey.zhadche...@virtuozzo.com> --- block/ioprio.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/block/ioprio.c b/block/ioprio.c index bee628f..06b1b03 100644 --- a/block/ioprio.c +++ b/block/ioprio.c @@ -42,7 +42,7 @@ int set_task_ioprio(struct task_struct *task, int ioprio) rcu_read_lock(); tcred = __task_cred(task); if (!uid_eq(tcred->uid, cred->euid) && - !uid_eq(tcred->uid, cred->uid) && !capable(CAP_SYS_NICE)) { + !uid_eq(tcred->uid, cred->uid) && !ve_capable(CAP_SYS_NICE)) { rcu_read_unlock(); return -EPERM; } @@ -69,7 +69,7 @@ int ioprio_check_cap(int ioprio) switch (class) { case IOPRIO_CLASS_RT: - if (!capable(CAP_SYS_NICE) && !capable(CAP_SYS_ADMIN)) + if (!ve_capable(CAP_SYS_NICE) && !ve_capable(CAP_SYS_ADMIN)) return -EPERM; fallthrough; /* rt has prio field too */ -- 1.8.3.1 _______________________________________________ Devel mailing list Devel@openvz.org https://lists.openvz.org/mailman/listinfo/devel
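Review bot: In set_task_ioprio(), the new `!ve_capable(CAP_SYS_NICE)` test only considers the caller's capability, and nothing in the visible lines checks that `task` belongs to the caller's VE. Please confirm that the callers can only resolve tasks inside the caller's own container, or add an explicit same-VE check next to the uid comparison. Separately, the commit message says the code currently uses nsown_capable, while the removed line here uses `capable(CAP_SYS_NICE)`; the log should be adjusted for this tree so it matches the change being made.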
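Review bot: In ioprio_check_cap(), the IOPRIO_CLASS_RT case now passes with `ve_capable(CAP_SYS_NICE)` or `ve_capable(CAP_SYS_ADMIN)`, so a container's root can request the realtime I/O class, and the commit message only says "a few operations" without explaining why that is safe on block devices a VE may share with the host or other containers. Please state in the log, or in a comment above the check, what bounds a VE's realtime I/O, and consider whether CAP_SYS_ADMIN needs the relaxed check at all or whether `ve_capable(CAP_SYS_NICE)` alone would be enough.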