ms commit 24f600856418 ("cgroup-v1: Require capabilities to set release_agent") restricts release_agent configuration to init user_ns only.
Release agent is virtualialized per-Container, so allow to configure it from top CT userns as well. We need both checks here because CRIU during restore stage configures release agent while being in init_user_ns and in non-root ve cgroup. https://jira.sw.ru/browse/PSBM-140174 Signed-off-by: Konstantin Khorenko <khore...@virtuozzo.com> Feature: cgroup: per-CT cgroup release_agent
---
v2: added the check for init_user_ns - for the CRIU's sake v3: copy-paste typo fixed kernel/cgroup/cgroup-v1.c | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-)
diff --git a/kernel/cgroup/cgroup-v1.c b/kernel/cgroup/cgroup-v1.c
index f321e6691c46..002530f808f1 100644
--- a/kernel/cgroup/cgroup-v1.c
+++ b/kernel/cgroup/cgroup-v1.c
@@ -554,10 +554,20 @@ static ssize_t cgroup_release_agent_write(struct kernfs_open_file *of,
 /*
 * Release agent gets called with all capabilities,
 * require capabilities to set release agent.
+ *
+ * Release agent is virtualialized per-Container, so
+ * allow to configure it from top CT userns as well.
+ *
+ * We need both checks here because CRIU during restore stage
+ * configures release agent while being in init_user_ns and
+ * in non-root ve cgroup.
 */
- if ((of->file->f_cred->user_ns != &init_user_ns) ||
- !capable(CAP_SYS_ADMIN))
+ if (((of->file->f_cred->user_ns != &init_user_ns) ||
+ !capable(CAP_SYS_ADMIN)) &&
+ ((of->file->f_cred->user_ns != ve_init_user_ns()) ||
+ !ve_capable(CAP_SYS_ADMIN))) {
 return -EPERM;
+ }

 cgrp = cgroup_kn_lock_live(of->kn, false);
 if (!cgrp)
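Review bot: The added second clause lets a container's root set release_agent while the retained comment still says the agent "gets called with all capabilities", so this check is only as safe as the code that stores and later launches the agent, and that code is outside the hunk (the function continues past `if (!cgrp)`). Please confirm that a value accepted through the `ve_init_user_ns()` branch is stored per container and is only ever executed inside that container, and say so in the comment, for example `* An agent set from a CT is run inside that CT only, never on the host.`. The same condition is added to cgroup1_parse_param() in the next hunk, where the value goes into `ctx->release_agent`, so the question applies there as well. Separately, `of->file->f_cred` describes the task that opened the file while `capable()` (and presumably `ve_capable()`) judges the task doing the write; checking the capability against the opener too, as `file_ns_capable()` does, would keep both halves of each clause about the same task.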
@@ -1089,7 +1099,10 @@ int cgroup1_parse_param(struct fs_context *fc, struct fs_parameter *param)
 * Release agent gets called with all capabilities,
 * require capabilities to set release agent.
 */
- if ((fc->user_ns != &init_user_ns) || !capable(CAP_SYS_ADMIN))
+ if (((fc->user_ns != &init_user_ns) ||
+ !capable(CAP_SYS_ADMIN)) &&
+ ((fc->user_ns != ve_init_user_ns()) ||
+ !ve_capable(CAP_SYS_ADMIN)))
 return invalfc(fc, "Setting release_agent not allowed");
 ctx->release_agent = param->string;
 param->string = NULL;
--
2.31.1
_______________________________________________ Devel mailing list Devel@openvz.org https://lists.openvz.org/mailman/listinfo/devel
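Review bot: The four-line condition added before `return invalfc(...)` is a copy of the one added in cgroup_release_agent_write(), differing only in where the user namespace comes from, and the commit's own v3 changelog mentions a copy-paste typo in it. A small helper taking the namespace would keep the two call sites from drifting apart and states the rule positively (host root or container root) instead of as a doubly negated expression; the short-circuit order is kept, so `capable()` is still called only when the namespace matches. cgroup1_parse_param() starts and ends outside this hunk, and the helper name below is only a suggestion.

```c
/* Host root, or root of the container's top user namespace, may set the agent. */
static bool cgroup1_release_agent_allowed(struct user_namespace *ns)
{
	if (ns == &init_user_ns && capable(CAP_SYS_ADMIN))
		return true;

	return ns == ve_init_user_ns() && ve_capable(CAP_SYS_ADMIN);
}

/* ... unchanged: cgroup1_parse_param() up to the release_agent option ... */
		if (!cgroup1_release_agent_allowed(fc->user_ns))
			return invalfc(fc, "Setting release_agent not allowed");
```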