The commit is pushed to "branch-rh9-5.14.vz9.1.x-ovz" and will appear at 
https://src.openvz.org/scm/ovz/vzkernel.git
after rh9-5.14.0-4.vz9.10.12
------>
commit 1b1936badb88812100cbbdce4d42bd732f1543fd
Author: Konstantin Khorenko <khore...@virtuozzo.com>
Date:   Wed Oct 20 11:40:47 2021 +0300

    ve/time: introduce CT feature to allow setting date/time
    
    Sometimes people would like to run ntp server inside trusted Containers,
    so let's introduce an appropriate CT feature for that.
    
    Note: time is NOT virtualized, so Container changes date/time of the
    whole Node.
    
    https://jira.sw.ru/browse/PSBM-94635
    Signed-off-by: Konstantin Khorenko <khore...@virtuozzo.com>
    
    https://jira.sw.ru/browse/PSBM-127846
    (cherry-picked from vz7 commit c6314aabd00d ("ve/time: introduce CT
    feature to allow setting date/time"))
    Signed-off-by: Pavel Tikhomirov <ptikhomi...@virtuozzo.com>
    
    (cherry picked from vz8 commit c915b90b9db1eac28557fb0eadc4af2b9cb49c36)
    Signed-off-by: Andrey Zhadchenko <andrey.zhadche...@virtuozzo.com>
---
 include/uapi/linux/vzcalluser.h | 1 +
 security/commoncap.c            | 4 +++-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/include/uapi/linux/vzcalluser.h b/include/uapi/linux/vzcalluser.h
index 282b2b861722..b04594d31666 100644
--- a/include/uapi/linux/vzcalluser.h
+++ b/include/uapi/linux/vzcalluser.h
@@ -47,6 +47,7 @@ struct vzctl_ve_configure {
 #define VE_FEATURE_IPGRE       (1ULL << 6)
 #define VE_FEATURE_BRIDGE      (1ULL << 7)
 #define VE_FEATURE_NFSD                (1ULL << 8)
+#define VE_FEATURE_TIME                (1ULL << 9)
 
 #define VE_FEATURES_OLD                (VE_FEATURE_SYSFS)
 #define VE_FEATURES_DEF                (VE_FEATURE_SYSFS | 
VE_FEATURE_DEF_PERMS)
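Review bot: VE_FEATURE_TIME takes the next free bit (9, after VE_FEATURE_NFSD at 8) but is deliberately not added to VE_FEATURES_DEF, which stays (VE_FEATURE_SYSFS | VE_FEATURE_DEF_PERMS), so the feature is off unless an administrator enables it per container. That is the right default given the commit message's "trusted Containers" wording, but it should be visible in the header rather than only in the log: a one-line comment above the define, e.g. `/* lets a CT set the Node's (non-virtualized) clock; off by default */`, would tell userspace tooling authors what they are turning on.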
diff --git a/security/commoncap.c b/security/commoncap.c
index ae3799afd850..661ca9113864 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -25,6 +25,8 @@
 #include <linux/binfmts.h>
 #include <linux/personality.h>
 
+#include <uapi/linux/vzcalluser.h>
+
 /*
  * If a non-root user executes a setuid-root binary in
  * !secure(SECURE_NOROOT) mode, then we raise capabilities.
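Review bot: in-kernel code conventionally includes uapi headers as `#include <linux/vzcalluser.h>` rather than `<uapi/linux/vzcalluser.h>`; both resolve through the kernel include path, but the `linux/` form matches the surrounding `<linux/binfmts.h>` and `<linux/personality.h>` includes in this file. This header only supplies the VE_FEATURE_TIME define; the `feature_capable()` helper used further down in this patch is not declared by anything visible in this hunk, so confirm it is already reachable through an existing include of commoncap.c.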
@@ -110,7 +112,7 @@ int cap_capable(const struct cred *cred, struct 
user_namespace *targ_ns,
  */
 int cap_settime(const struct timespec64 *ts, const struct timezone *tz)
 {
-       if (!capable(CAP_SYS_TIME))
+       if (!feature_capable(VE_FEATURE_TIME, CAP_SYS_TIME))
                return -EPERM;
        return 0;
 }
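Review bot: this one-line change is the entire security boundary for the new feature, and the commit message's key fact (time is not virtualized, so a container granted VE_FEATURE_TIME sets the Node's clock) is not visible to anyone reading cap_settime() itself. Please add a comment at the check, e.g. `/* time is not virtualized: a CT with VE_FEATURE_TIME changes the Node clock */`, so the host-wide effect is not mistaken for a container-local one. Also worth confirming in review, since it is not shown here: that feature_capable(VE_FEATURE_TIME, CAP_SYS_TIME) reduces to plain capable(CAP_SYS_TIME) on the host so ve0 behaviour is unchanged, and that every clock-setting path still funnels through cap_settime() so this is the only check that needs the feature gate.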
_______________________________________________
Devel mailing list
Devel@openvz.org
https://lists.openvz.org/mailman/listinfo/devel