The commit is pushed to "branch-rh10-6.12.0-55.13.1.3.x.vz10-ovz" and will
appear at [email protected]:openvz/vzkernel.git
after rh10-6.12.0-55.13.1.2.24.vz10
------>
commit 0f2189019c15da459d618c109514b924a953898f
Author: Pavel Tikhomirov <[email protected]>
Date: Wed Dec 10 18:34:27 2025 +0800
ve_namespace: Block setns until VE is running
We had the same thing with ve cgroup, so let's follow this pattern, only
the task which created VE namespace and its ancestors are allowed
until ve is not running.
Note: We might reconsider this as we might replace ve START with
cloning ve_namespace, and then at this stage it would always be
running already.
https://virtuozzo.atlassian.net/browse/VSTOR-119941
Signed-off-by: Pavel Tikhomirov <[email protected]>
Feature: ve: ve generic structures
---
kernel/ve/ve_namespace.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/kernel/ve/ve_namespace.c b/kernel/ve/ve_namespace.c
index c8f89f57ab039..44cb7f0c66b01 100644
--- a/kernel/ve/ve_namespace.c
+++ b/kernel/ve/ve_namespace.c
@@ -196,6 +196,9 @@ static int ve_ns_install(struct nsset *nsset, struct
ns_common *new)
!ns_capable(nsset->cred->user_ns, CAP_SYS_ADMIN))
return -EPERM;
+ if (!VE_IS_RUNNING(ve_ns->ve))
+ return -EINVAL;
+
/*
* Don't need to put_ve_ns(nsset->ve_ns) here,
* as at this point it is always zero.
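Review bot: the new `!VE_IS_RUNNING(ve_ns->ve)` check in ve_ns_install() has no comment, and the exemption the commit message describes (the task that created the VE namespace and its ancestors) is not visible here: as written, every caller that reaches this point gets -EINVAL while the VE is not running. Please add a short comment above the check saying that setns() into a not-yet-started VE is refused and why, in the same way the block comment that follows explains the put_ve_ns() case. Two further points are worth confirming in the patch description: nothing in the visible context shows a lock held across this check, so say what keeps the VE state from changing between the check and the rest of the install; and since the message says this follows the ve cgroup pattern, state whether -EINVAL matches the errno that path returns, because callers that already passed the CAP_SYS_ADMIN check will see this as a bad argument rather than as a not-ready or permission condition.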