The commit is pushed to "branch-rh7-3.10.0-123.1.2-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-123.1.2.vz7.5.24
------>
commit e3d038561b5b594109630410803c3b537da5b4a7
Author: Pavel Tikhomirov <ptikhomi...@virtuozzo.com>
Date:   Mon Jul 6 17:27:54 2015 +0400
ve/proc/ipc: allow mount proc and mqueue inside container

Patchset description:

capability fixes for docker

Allow what docker wants; we need it to run integration-cli tests when we
prohibit CAP_SYS_ADMIN and CAP_NET_ADMIN in CT.

* after switching to user namespaces we won't need those patches,
which is planned in the scope of https://jira.sw.ru/browse/PSBM-33304

To test without CAP_SYS_ADMIN and CAP_NET_ADMIN:

vzctl set 206 --capability net_admin:off \
    --capability sys_admin:off --save

Pavel Tikhomirov (3):
  vfs: allow mount/umount, pivot_root with CAP_VE_SYS_ADMIN
  rtnl: allow move network devices into network namespace in CT
  vfs: allow mount proc and mqueue inside container

################################################################
This patch description:

Need this for docker, as it tries to mount proc and mqueue, and as we
will not allow CAP_SYS_ADMIN in container.

* after switching to user namespaces we won't need this patch

https://jira.sw.ru/browse/PSBM-34523

Signed-off-by: Pavel Tikhomirov <ptikhomi...@virtuozzo.com>

It also allows starting a container if CAP_SYS_ADMIN is unset with vzctl;
otherwise we get an error:

vzctl set 206 --capability sys_admin:off --save
vzctl start 206
Starting Container ...
Unmount image: /vz/private/206/root.hdd
Unmounting file system at /vz/root/206
Unmounting device /dev/ploop28512
Container is unmounted
Mount image: /vz/private/206/root.hdd
Opening delta /vz/private/206/root.hdd/root.hds
Adding delta dev=/dev/ploop28512 img=/vz/private/206/root.hdd/root.hds (rw)
Mounting /dev/ploop28512p1 at /vz/root/206 fstype=ext4 data='balloon_ino=12,pfcache_csum,,'
Container is mounted
Os release: 3.10.0-123.1.2.vz7.5.23
Failed to mount /proc: Operation not permitted
Unmount image: /vz/private/206/root.hdd
Unmounting file system at /vz/root/206
Unmounting device /dev/ploop28512
Container is unmounted
Failed to start the Container
---
 fs/proc/root.c | 3 ++-
 ipc/mqueue.c   | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/fs/proc/root.c b/fs/proc/root.c index 88be7c2..0b7dbdb 100644 --- a/fs/proc/root.c +++ b/fs/proc/root.c @@ -121,7 +121,8 @@ static struct dentry *proc_mount(struct file_system_type *fs_type, options = data; if (!current_user_ns()->may_mount_proc || - !ns_capable(ns->user_ns, CAP_SYS_ADMIN)) + (!ns_capable(ns->user_ns, CAP_SYS_ADMIN) && + !ns_capable(ns->user_ns, CAP_VE_SYS_ADMIN))) return ERR_PTR(-EPERM); } diff --git a/ipc/mqueue.c b/ipc/mqueue.c index 657814c..c5f1d3e 100644 --- a/ipc/mqueue.c +++ b/ipc/mqueue.c @@ -335,7 +335,8 @@ static struct dentry *mqueue_mount(struct file_system_type *fs_type, /* Don't allow mounting unless the caller has CAP_SYS_ADMIN * over the ipc namespace. */ - if (!ns_capable(ns->user_ns, CAP_SYS_ADMIN)) + if (!ns_capable(ns->user_ns, CAP_SYS_ADMIN) && + !ns_capable(ns->user_ns, CAP_VE_SYS_ADMIN)) return ERR_PTR(-EPERM); data = ns; _______________________________________________ Devel mailing list Devel@openvz.org https://lists.openvz.org/mailman/listinfo/devel
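Review bot: in the fs/proc/root.c hunk, the new compound condition `(!ns_capable(ns->user_ns, CAP_SYS_ADMIN) && !ns_capable(ns->user_ns, CAP_VE_SYS_ADMIN))` is the same CAP_SYS_ADMIN-or-CAP_VE_SYS_ADMIN fallback that the ipc/mqueue.c hunk adds and that the series' first patch applies to mount/umount/pivot_root; consider factoring it into one helper so the relaxation has a single definition to audit and a single place to remove once the user-namespace work referenced as PSBM-33304 lands, rather than a copy in each mount callback. The `current_user_ns()->may_mount_proc` guard is left untouched, so the hunk only widens the capability side of the check, which matches the description.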
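Review bot: in the ipc/mqueue.c hunk, the comment directly above the changed condition still says "Don't allow mounting unless the caller has CAP_SYS_ADMIN over the ipc namespace", but the code now also accepts CAP_VE_SYS_ADMIN; update the comment to name both capabilities and to mark the CAP_VE_SYS_ADMIN path as transitional (PSBM-34523), since the commit message states it will not be needed after switching to user namespaces.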