This toggle was introduced to solve this bug (rhel5-based kernels): https://bugs.openvz.org/browse/OVZ-6409
The root of the bug briefly: customer could add immutable attribute to a file in a container, thus preventing container removal, because this attribute was bypassed (via simfs) to the actual file system.
The toggle introduced 3-fold policy:
1) "Allow": set of extended attributes is granted (default in RHEL7 !!!)
2) "Ignore": set of extended attributes is skipped (do nothing and return 0).
3) "Forbid": set of extended attributes is not allowed.
Maybe this approach was applicable to rhel5 kernel, but it's absolutely useless and harmful in rhel7 because:
1) Current ve xattr policy is "Allow", thus it doesn't prevent setting immutable attribute.
2) Immutable attribute is set via ioctl, and doesn't pass vfs_setxattr callback.
3) Setting of immutable attribute is protected by CAP_LINUX_IMMUTABLE, which is dropped in containers.
Signed-off-by: Stanislav Kinsburskiy <skinsbur...@virtuozzo.com>
--- fs/xattr.c | 9 --------- include/uapi/linux/xattr.h | 7 ------- kernel/ve/veowner.c | 8 -------- 3 files changed, 24 deletions(-) diff --git a/fs/xattr.c b/fs/xattr.c index 2319cf8..a5be48c 100644 --- a/fs/xattr.c +++ b/fs/xattr.c @@ -126,15 +126,6 @@ vfs_setxattr(struct dentry *dentry, const char *name, const void *value, struct inode *inode = dentry->d_inode; int error; -#if defined(CONFIG_VE) && defined(CONFIG_SYSCTL) - if (!get_exec_env()->is_pseudosuper) { - if (ve_xattr_policy == VE_XATTR_POLICY_IGNORE) - return 0; - else if (ve_xattr_policy == VE_XATTR_POLICY_REJECT) - return -EPERM; - } -#endif - error = xattr_permission(inode, name, MAY_WRITE); if (error) return error; diff --git a/include/uapi/linux/xattr.h b/include/uapi/linux/xattr.h index bb0c657..40bbc04 100644 --- a/include/uapi/linux/xattr.h +++ b/include/uapi/linux/xattr.h
@@ -10,13 +10,6 @@ #ifndef _UAPI_LINUX_XATTR_H #define _UAPI_LINUX_XATTR_H -#ifdef CONFIG_VE -extern int ve_xattr_policy; -#define VE_XATTR_POLICY_ACCEPT 0 -#define VE_XATTR_POLICY_IGNORE 1 -#define VE_XATTR_POLICY_REJECT 2 -#endif - #define XATTR_CREATE 0x1 /* set value, fail if attr already exists */ #define XATTR_REPLACE 0x2 /* set value, fail if attr does not exist */ diff --git a/kernel/ve/veowner.c b/kernel/ve/veowner.c index 1a7e735..005cdaf 100644 --- a/kernel/ve/veowner.c +++ b/kernel/ve/veowner.c @@ -52,7 +52,6 @@ static void prepare_proc(void) * OpenVZ sysctl * ------------------------------------------------------------------------ */ -int ve_xattr_policy = VE_XATTR_POLICY_ACCEPT; static int ve_area_access_check; /* @@ -72,13 +71,6 @@ static struct ctl_table vz_fs_table[] = { .proc_handler = proc_dointvec, }, { - .procname = "ve-xattr-policy", - .data = &ve_xattr_policy, - .maxlen = sizeof(int), - .mode = 0644, - .proc_handler = &proc_dointvec, - }, - { .procname = "fsync-enable", .data = &ve0.fsync_enable, .maxlen = sizeof(int), _______________________________________________ Devel mailing list Devel@openvz.org https://lists.openvz.org/mailman/listinfo/devel
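Review bot: in the fs/xattr.c hunk, the removed `#if defined(CONFIG_VE) && defined(CONFIG_SYSCTL)` block was the only VE-specific gate in vfs_setxattr(), so after this change a setxattr() issued from a container is decided solely by xattr_permission(inode, name, MAY_WRITE) and the filesystem's own handlers. That is a no-op for the default "Allow" policy, as the commit message says, but hosts that had switched ve-xattr-policy to 1 (IGNORE) or 2 (REJECT) lose that restriction silently; please state that behaviour change explicitly in the commit message. Worth noting as well that the dropped IGNORE branch (`return 0;` without writing anything) reported success for an operation that never happened, which is exactly the kind of silent failure that hides misconfiguration, so its removal is an improvement in its own right.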
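Review bot: in the include/uapi/linux/xattr.h hunk, the removed `extern int ve_xattr_policy;` and VE_XATTR_POLICY_* defines sat in a uapi header behind `#ifdef CONFIG_VE`; since CONFIG_* symbols are not defined for userspace builds, nothing visible to userspace changes and the removal is ABI-safe. The diffstat touches only three files, though, so please confirm with a tree-wide grep that no other in-kernel user of ve_xattr_policy or VE_XATTR_POLICY_* remains, as any such site would now fail to compile under CONFIG_VE. Minor: the commit message names the policies "Allow"/"Ignore"/"Forbid" while the macros are ACCEPT/IGNORE/REJECT; using the code's names makes the history easier to search.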
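Review bot: the kernel/ve/veowner.c hunk removes the `ve-xattr-policy` entry from vz_fs_table, which is a user-visible sysctl removal: any sysctl.conf line or container-management script that still writes it will now get ENOENT instead of being quietly accepted. That is the right outcome for a knob that, per the commit message, no longer controls anything, but it belongs in the commit message or release notes so operators recognise the failure as expected rather than as a regression. The entry was `.mode = 0644`, i.e. writable by host root only, so no in-container interface is affected by this hunk.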