core: allow to call setsockopt(SO_RCVBUFFORCE) from Containers

Nikita Yushchenko Wed, 06 Oct 2021 05:59:18 -0700

From: Konstantin Khorenko <khore...@virtuozzo.com>

"nft" util (in CentOS 8 environment) does use setsockopt(SO_RCVBUFFORCE)
unconditionally, so we have to allow it from inside a Container.


At the same time we don't want to allow a Container to set too much
memory for a socket, so just threat SO_RCVBUFFORCE like SO_RCVBUF if
called inside a Container.

Simple rule to test:

  # NFT=/usr/sbin/nft ./run-tests.sh -v -g testcases/nft-f/0011manydefines_0

which fails inside a Container because of not enough rcb buffer because
of failed
  setsockopt(3, SOL_SOCKET, SO_RCVBUFFORCE, [10561584], 4) = -1
  EPERM (Operation not permitted)

https://jira.sw.ru/browse/PSBM-121791
Signed-off-by: Konstantin Khorenko <khore...@virtuozzo.com>

(cherry-picked from vz8 commit 837f66800500 ("ve/net/core: allow to call
setsockopt(SO_RCVBUFFORCE) from Containers"))

Signed-off-by: Nikita Yushchenko <nikita.yushche...@virtuozzo.com>
---
 net/core/sock.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/net/core/sock.c b/net/core/sock.c
index 8ad8f92ba7d8..ae93a46b2772 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -1043,6 +1043,7 @@ int sock_setsockopt(struct socket *sock, int level, int 
optname,
                goto set_sndbuf;
 
        case SO_RCVBUF:
+unpriv_rcvbuf:
                /* Don't error on this BSD doesn't and if you think
                 * about it this is right. Otherwise apps have to
                 * play 'guess the biggest size' games. RCVBUF/SNDBUF
@@ -1052,11 +1053,15 @@ int sock_setsockopt(struct socket *sock, int level, int 
optname,
                break;
 
        case SO_RCVBUFFORCE:
-               if (!capable(CAP_NET_ADMIN)) {
+               if (!ve_capable(CAP_NET_ADMIN)) {
                        ret = -EPERM;
                        break;
                }
 
+               /* nft utility uses this sockopt in CentOS 8 env */
+               if (!ve_is_super(get_exec_env()))
+                       goto unpriv_rcvbuf;
+
                /* No negative values (to prevent underflow, as val will be
                 * multiplied by 2).
                 */
-- 
2.30.2

_______________________________________________
Devel mailing list
Devel@openvz.org
https://lists.openvz.org/mailman/listinfo/devel

[Devel] [PATCH vz9 23/27] ve/net/core: allow to call setsockopt(SO_RCVBUFFORCE) from Containers

Reply via email to