When restoring containers with several disks it's more convenient to mount the device first and then set up the permissions needed. So for this sake we allow escaping device permission testing inside a VE only if the @pseudosuper state is enabled.
https://jira.sw.ru/browse/PSBM-48421 CC: Vladimir Davydov <vdavy...@virtuozzo.com> CC: Konstantin Khorenko <khore...@virtuozzo.com> CC: Andrey Vagin <ava...@openvz.org> Signed-off-by: Cyrill Gorcunov <gorcu...@virtuozzo.com> --- Compile tested only. security/device_cgroup.c | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) Index: linux-pcs7.git/security/device_cgroup.c =================================================================== --- linux-pcs7.git.orig/security/device_cgroup.c +++ linux-pcs7.git/security/device_cgroup.c @@ -902,8 +902,24 @@ static int __devcgroup_check_permission( minor, access); rcu_read_unlock(); +#ifdef CONFIG_VE + /* + * When restoring container allow everything in + * pseudosuper state. We need this for early + * mounting of second ploop device. Still, don't + * change behaviour on the ve0. + */ + if (!rc) { + struct ve_struct *ve = get_exec_env(); + + if (!ve_is_super(ve) && ve->is_pseudosuper) + return 0; + return -EPERM; + } +#else if (!rc) return -EPERM; +#endif return 0; } _______________________________________________ Devel mailing list Devel@openvz.org https://lists.openvz.org/mailman/listinfo/devel
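Review bot: the new `if (!rc)` branch under CONFIG_VE returns 0 for every device and every access type once `!ve_is_super(ve) && ve->is_pseudosuper` holds. It ignores the type, major, minor and access arguments that the check just above was given, so the bypass is much wider than the "early mounting of second ploop device" case the comment describes. Consider limiting it to block devices, or to the access bits a mount needs, so that a container in pseudosuper state cannot reach unrelated device nodes denied by its whitelist. The comment should also say where is_pseudosuper is set and cleared, since the exemption lasts for as long as that flag stays set, and the flag is read here after rcu_read_unlock() with no visible ordering against its writer. As a style point, the #ifdef/#else pair duplicates the `if (!rc) return -EPERM;` path. A small helper that returns false when CONFIG_VE is off would keep one copy of the check. Given "Compile tested only", a test on ve0 and inside a restoring container would be worth having before merge.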