From: Stanislav Kinsburskiy <skinsbur...@virtuozzo.com>

This will be used to check if we need to hide per-net sysctls.

Signed-off-by: Pavel Tikhomirov <ptikhomi...@virtuozzo.com>

+++
ve/sysctl/nf_conntrack: allow expose of privileged sysctl inside containers

Series: This series brings to vz7 all the nf_conntrack sysctls, which are
available in vz6.

https://jira.sw.ru/browse/PSBM-40044

Signed-off-by: Stanislav Kinsburskiy <skinsbur...@virtuozzo.com>
Reviewed-by: Kirill Tkhai <ktk...@virtuozzo.com>

+++
ve/nf_conntrack: export nf_conntrack_hide_sysctl() helper

From: Stanislav Kinsburskiy <skinsbur...@virtuozzo.com>

Series: This series brings to vz7 all the nf_conntrack sysctls, which are
available in vz6.

https://jira.sw.ru/browse/PSBM-40044

Will be used for other tables.

Signed-off-by: Stanislav Kinsburskiy <skinsbur...@virtuozzo.com>
Reviewed-by: Kirill Tkhai <ktk...@virtuozzo.com>

+++
ve/sysctl/net: move and rename *_hide_sysctl helper to ve.c

Make it general for all net sysctls; it will be used in the next patch.

https://jira.sw.ru/browse/PSBM-54530

Signed-off-by: Pavel Tikhomirov <ptikhomi...@virtuozzo.com>
Reviewed-by: Cyrill Gorcunov <gorcu...@openvz.org>

(cherry picked from commit c174b55d665b0d3edcf6445fe6279e7b081beb31)
Signed-off-by: Konstantin Khorenko <khore...@virtuozzo.com>

+++
ve/sysctl/netfilter: Include ve.h header into net/netfilter/nf_conntrack_standalone.c

It's required for the ve_net_hide_sysctl() declaration.

Signed-off-by: Konstantin Khorenko <khore...@virtuozzo.com>

Change in vz9: We don't need ve_net_hide_sysctl in
nf_conntrack_standalone_init_sysctl as there is no more userns check in it
in mainstream, so what is left from this patch is only the ve_net_hide_sysctl
declaration. See 2671fa4dc010 ("netfilter: conntrack: Make global sysctls
readonly in non-init netns"). Also rename the patch accordingly.

(cherry picked from vz8 commit 379d9b479b8976a3cf845286089d9ef89ed2ae89)
Signed-off-by: Pavel Tikhomirov <ptikhomi...@virtuozzo.com>
---
 include/linux/ve.h |  2 ++
 kernel/ve/ve.c     | 16 ++++++++++++++++
 2 files changed, 18 insertions(+)
diff --git a/include/linux/ve.h b/include/linux/ve.h index 18d52c6c63cf..bed0c186ac80 100644 --- a/include/linux/ve.h +++ b/include/linux/ve.h @@ -95,6 +95,8 @@ extern struct cgroup *cgroup_get_ve_root1(struct cgroup *cgrp); extern int vz_security_family_check(struct net *net, int family, int type); extern int vz_security_protocol_check(struct net *net, int protocol); +int ve_net_hide_sysctl(struct net *net); + #else /* CONFIG_VE */ #define get_ve(ve) (NULL) #define put_ve(ve) do { } while (0) diff --git a/kernel/ve/ve.c b/kernel/ve/ve.c index 75299258d677..ba5c6e240633 100644 --- a/kernel/ve/ve.c +++ b/kernel/ve/ve.c @@ -214,6 +214,22 @@ struct user_namespace *ve_init_user_ns(void) } EXPORT_SYMBOL(ve_init_user_ns); +int ve_net_hide_sysctl(struct net *net) +{ + /* + * This can happen only on VE creation, when process created VE cgroup, + * and clones a child with new network namespace. + */ + if (net->owner_ve->init_cred == NULL) + return 0; + + /* + * Expose sysctl only for container's init user namespace + */ + return net->user_ns != net->owner_ve->init_cred->user_ns; +} +EXPORT_SYMBOL(ve_net_hide_sysctl); + int nr_threads_ve(struct ve_struct *ve) { return cgroup_task_count(ve->css.cgroup); -- 2.31.1 _______________________________________________ Devel mailing list Devel@openvz.org https://lists.openvz.org/mailman/listinfo/devel
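Review bot: in the include/linux/ve.h hunk the new declaration `int ve_net_hide_sysctl(struct net *net);` is added only inside the CONFIG_VE branch, while the `#else /* CONFIG_VE */` branch right below it, which already provides no-op fallbacks such as `#define get_ve(ve) (NULL)` and `#define put_ve(ve) do { } while (0)`, gets no counterpart; the first caller compiled without CONFIG_VE will therefore fail to build. Add a stub there, for instance `#define ve_net_hide_sysctl(net) (0)` (hide nothing when VE support is off), or state explicitly that the helper is CONFIG_VE-only. Minor style point: the neighbouring declarations in that block use `extern` (`extern int vz_security_protocol_check(struct net *net, int protocol);`), so the new one should too, as `extern int ve_net_hide_sysctl(struct net *net);`.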
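Review bot: in the kernel/ve/ve.c hunk, ve_net_hide_sysctl() fails open: the early `return 0;` taken when `net->owner_ve->init_cred == NULL` means the sysctl is exposed rather than hidden during the VE-creation window the comment describes, and the comment's "This can happen only on VE creation" is the only argument that this window is harmless. For a predicate whose purpose is to hide privileged knobs, the safer default for a NULL init_cred is to hide (return 1) until the VE's init credentials exist; if exposing during creation is intentional, the comment should say why that is acceptable. Two more points on the same hunk: `net->owner_ve` is dereferenced without a NULL check, so it should be stated (or asserted) that every net reaching this helper has an owning VE; and, per the "Change in vz9" note in the commit message, the only caller was dropped, so the EXPORT_SYMBOL()ed function has no user in this patch. Either land it together with its caller or drop the helper until one exists. The return type could also be bool, since the function only answers "hide or not" and the `!=` expression already yields a boolean.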