This toggle was introduced to solve this bug (rhel5-based kernels):

https://bugs.openvz.org/browse/OVZ-6409

The root of the bug, briefly: a customer could add the immutable attribute to a file in
a container, thus preventing container removal, because this attribute was
passed through (via simfs) to the actual file system.
The toggle introduced a 3-fold policy:
1) "Allow": setting of extended attributes is granted (default in RHEL7 !!!)
2) "Ignore": setting of extended attributes is skipped (do nothing and return 0).
3) "Forbid": setting of extended attributes is not allowed.

Maybe this approach was applicable to the rhel5 kernel, but it is absolutely
useless and harmful in rhel7 because:
1) The current ve xattr policy is "Allow", thus it does not prevent setting the
immutable attribute.
2) The immutable attribute is set via ioctl and does not pass through the vfs_setxattr callback.
3) Setting the immutable attribute is protected by CAP_LINUX_IMMUTABLE, which is
dropped in containers.

Signed-off-by: Stanislav Kinsburskiy <skinsbur...@virtuozzo.com>
---
 fs/xattr.c                 |    9 ---------
 include/uapi/linux/xattr.h |    7 -------
 kernel/ve/veowner.c        |    8 --------
 3 files changed, 24 deletions(-)

diff --git a/fs/xattr.c b/fs/xattr.c
index 2319cf8..a5be48c 100644
--- a/fs/xattr.c
+++ b/fs/xattr.c
@@ -126,15 +126,6 @@ vfs_setxattr(struct dentry *dentry, const char *name, 
const void *value,
        struct inode *inode = dentry->d_inode;
        int error;
 
-#if defined(CONFIG_VE) && defined(CONFIG_SYSCTL)
-       if (!get_exec_env()->is_pseudosuper) {
-               if (ve_xattr_policy == VE_XATTR_POLICY_IGNORE)
-                       return 0;
-               else if (ve_xattr_policy == VE_XATTR_POLICY_REJECT)
-                       return -EPERM;
-       }
-#endif
-
        error = xattr_permission(inode, name, MAY_WRITE);
        if (error)
                return error;
diff --git a/include/uapi/linux/xattr.h b/include/uapi/linux/xattr.h
index bb0c657..40bbc04 100644
--- a/include/uapi/linux/xattr.h
+++ b/include/uapi/linux/xattr.h
@@ -10,13 +10,6 @@
 #ifndef _UAPI_LINUX_XATTR_H
 #define _UAPI_LINUX_XATTR_H
 
-#ifdef CONFIG_VE
-extern int ve_xattr_policy;
-#define VE_XATTR_POLICY_ACCEPT 0
-#define VE_XATTR_POLICY_IGNORE 1
-#define VE_XATTR_POLICY_REJECT 2
-#endif
-
 #define XATTR_CREATE   0x1     /* set value, fail if attr already exists */
 #define XATTR_REPLACE  0x2     /* set value, fail if attr does not exist */
 
diff --git a/kernel/ve/veowner.c b/kernel/ve/veowner.c
index 1a7e735..005cdaf 100644
--- a/kernel/ve/veowner.c
+++ b/kernel/ve/veowner.c
@@ -52,7 +52,6 @@ static void prepare_proc(void)
  * OpenVZ sysctl
  * ------------------------------------------------------------------------
  */
-int ve_xattr_policy = VE_XATTR_POLICY_ACCEPT;
 static int ve_area_access_check;
 
 /*
@@ -72,13 +71,6 @@ static struct ctl_table vz_fs_table[] = {
                .proc_handler   = proc_dointvec,
        },
        {
-               .procname       = "ve-xattr-policy",
-               .data           = &ve_xattr_policy,
-               .maxlen         = sizeof(int),
-               .mode           = 0644,
-               .proc_handler   = &proc_dointvec,
-       },
-       {
                .procname       = "fsync-enable",
                .data           = &ve0.fsync_enable,
                .maxlen         = sizeof(int),
