From: Konstantin Khorenko <khore...@virtuozzo.com> "nft" util (in CentOS 8 environment) does use setsockopt(SO_SNDBUFFORCE) unconditionally, so we have to allow it from inside a Container.
At the same time we don't want to allow a Container to set too much memory for a socket, so just treat SO_SNDBUFFORCE like SO_SNDBUF if called inside a Container. Simple rule to test: # nft add rule filter INPUT ct state related,established accept https://jira.sw.ru/browse/PSBM-98794 Signed-off-by: Konstantin Khorenko <khore...@virtuozzo.com> Acked-by: Andrey Ryabinin <aryabi...@virtuozzo.com> (cherry picked from vz7 commit 8f3567b1f4af7d33c15856ae402ef2025909fd14) Signed-off-by: Konstantin Khorenko <khore...@virtuozzo.com> (cherry-picked from vz8 commit cb15883dde11 ("ve/net/core: allow to call setsockopt(SO_SNDBUFFORCE) from Containers")) Signed-off-by: Nikita Yushchenko <nikita.yushche...@virtuozzo.com> --- net/core/sock.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/net/core/sock.c b/net/core/sock.c index 35db91ba6ff8..8ad8f92ba7d8 100644 --- a/net/core/sock.c +++ b/net/core/sock.c @@ -1006,6 +1006,7 @@ int sock_setsockopt(struct socket *sock, int level, int optname, sock_valbool_flag(sk, SOCK_BROADCAST, valbool); break; case SO_SNDBUF: +unpriv_sndbuf: /* Don't error on this BSD doesn't and if you think * about it this is right. Otherwise apps have to * play 'guess the biggest size' games. RCVBUF/SNDBUF @@ -1025,11 +1026,15 @@ int sock_setsockopt(struct socket *sock, int level, int optname, break; case SO_SNDBUFFORCE: - if (!capable(CAP_NET_ADMIN)) { + if (!ve_capable(CAP_NET_ADMIN)) { ret = -EPERM; break; } + /* nft utility uses this sockopt in CentOS 8 env */ + if (!ve_is_super(get_exec_env())) + goto unpriv_sndbuf; + /* No negative values (to prevent underflow, as val will be * multiplied by 2). */ -- 2.30.2
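Review bot: the new `unpriv_sndbuf:` label in the first hunk (@@ -1006) is placed directly under `case SO_SNDBUF:` with no comment saying who jumps to it; a bare label inside a switch is easy to mistake for a stray case and a later refactor of the SO_SNDBUF branch could silently change the container SO_SNDBUFFORCE path. Suggest a one-line comment at the label, e.g. `/* SO_SNDBUFFORCE from a Container is downgraded to this path */`, so the coupling with the SO_SNDBUFFORCE case is visible where the code lands, not only where it leaves.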
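Review bot: in the second hunk (@@ -1025) the `ve_capable(CAP_NET_ADMIN)` check still runs before the `ve_is_super(get_exec_env())` test, so a Container process that lacks CAP_NET_ADMIN in its VE gets `-EPERM` instead of the SO_SNDBUF behaviour the commit message promises ("treat SO_SNDBUFFORCE like SO_SNDBUF if called inside a Container"), while plain SO_SNDBUF needs no capability at all. If the intent is really "SO_SNDBUFFORCE in a Container == SO_SNDBUF", the `ve_is_super()` check and `goto unpriv_sndbuf;` belong above the capability check; if the intent is to keep requiring container CAP_NET_ADMIN (which is the more conservative option from a resource-limit point of view), the commit message should say so explicitly. Either way, a comment next to the `goto` noting that the jump deliberately bypasses the negative-value check below, because the SO_SNDBUF path is documented as not erroring on bad values, would save the next reader from reading it as a missed validation.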