The commit is pushed to "branch-rh9-5.14.vz9.1.x-ovz" and will appear at 
https://src.openvz.org/scm/ovz/vzkernel.git
after rh9-5.14.0-4.vz9.10.12
------>
commit 38c55dad0939178b40b86d7c0f7a382b54d6d8b9
Author: Konstantin Khorenko <khore...@virtuozzo.com>
Date:   Wed Oct 20 11:40:47 2021 +0300

    ve/capability: introduce capable() wrapper which honors CT features
    
    Containers may have features enabled that change how a capability check
    must be evaluated, so add a wrapper that keeps call sites simple.
    
    https://jira.sw.ru/browse/PSBM-94635
    
    Signed-off-by: Konstantin Khorenko <khore...@virtuozzo.com>
    
    https://jira.sw.ru/browse/PSBM-127846
    (cherry-picked from vz7 commit b64e08cf6ea0 ("ve/capability: introduce
    capable() wrapper which honors CT features"))
    Signed-off-by: Pavel Tikhomirov <ptikhomi...@virtuozzo.com>
    
    (cherry picked from vz8 commit 0c6787703b466480564e5b841c1a28c35f376218)
    Signed-off-by: Andrey Zhadchenko <andrey.zhadche...@virtuozzo.com>
---
 include/linux/capability.h |  1 +
 kernel/capability.c        | 12 ++++++++++++
 2 files changed, 13 insertions(+)

diff --git a/include/linux/capability.h b/include/linux/capability.h
index 7761f5c00f56..3986e572ef56 100644
--- a/include/linux/capability.h
+++ b/include/linux/capability.h
@@ -254,6 +254,7 @@ bool privileged_wrt_inode_uidgid(struct user_namespace *ns,
 bool capable_wrt_inode_uidgid(struct user_namespace *mnt_userns,
                              const struct inode *inode, int cap);
 extern bool ve_capable(int cap);
+extern bool feature_capable(int feature, int cap);
 extern bool file_ns_capable(const struct file *file, struct user_namespace 
*ns, int cap);
 extern bool ptracer_capable(struct task_struct *tsk, struct user_namespace 
*ns);
 static inline bool perfmon_capable(void)
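Review bot: The added `feature_capable` prototype carries no comment, and nothing nearby says which way the feature flag tips the check, so a reader of the header has to open kernel/capability.c to find out. A one-line comment on the declaration would settle it: `/* ve_capable(@cap) when @feature is enabled for the current VE, plain capable(@cap) otherwise */`. The header also does not show how wide the VE features mask is; if it is wider than `int`, an `int` parameter cannot name its upper bits, which is worth confirming against the ve struct before callers start relying on it.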
diff --git a/kernel/capability.c b/kernel/capability.c
index 318ffb811db6..ac990f4b900d 100644
--- a/kernel/capability.c
+++ b/kernel/capability.c
@@ -433,6 +433,13 @@ bool ve_capable_noaudit(int cap)
        return ret;
 }
 
+bool feature_capable(int feature, int cap)
+{
+       if (get_exec_env()->features & feature)
+               return ve_capable(cap);
+       else
+               return capable(cap);
+}
 #else
 bool ve_capable(int cap)
 {
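Review bot: `feature_capable()` at the added lines is a privilege gate whose direction is not recorded anywhere: when the feature bit is set it answers with `ve_capable(cap)` (presumably the VE-scoped, and therefore less restrictive, check) and only otherwise with host `capable(cap)`, so a caller who reads the name as "is the feature capable" gets it backwards. A header comment such as `/* Use the VE-scoped ve_capable() only when @feature is enabled for the calling VE; otherwise the host-level capable() applies. */` would pin this down. `feature` is an `int` masked against `get_exec_env()->features`; if that field is wider than 32 bits (not visible in this hunk) the upper feature bits can never be selected, so a mask-width parameter type may be the safer choice — confirm against the ve struct. The `else` after `return` is also redundant in kernel style; `return (get_exec_env()->features & feature) ? ve_capable(cap) : capable(cap);` says the same in one line.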
@@ -443,6 +450,11 @@ bool ve_capable_noaudit(int cap)
 {
        return ns_capable_noaudit(&init_user_ns, cap);
 }
+
+bool feature_capable(int feature, int cap)
+{
+       return capable(cap);
+}
 #endif
 EXPORT_SYMBOL_GPL(ve_capable);
 EXPORT_SYMBOL_GPL(ve_capable_noaudit);
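Review bot: The new `feature_capable()` is not exported, while both sibling wrappers right below the hunk are (`EXPORT_SYMBOL_GPL(ve_capable)`, `EXPORT_SYMBOL_GPL(ve_capable_noaudit)`); if any module is meant to call it, linking will fail at modpost. Adding `EXPORT_SYMBOL_GPL(feature_capable);` next to the other two makes both `#ifdef` branches reachable the same way. The stub in this branch deliberately ignores `feature`, which is fine, but a short comment `/* no VE support here: feature bits carry no meaning */` would make that intent obvious to the next reader.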