The commit is pushed to "branch-rh7-3.10.0-514.10.2.vz7.29.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git after rh7-3.10.0-514.10.2.vz7.29.6 ------> commit d87768f8b74e562dff336711ab32ffb4101f2012 Author: Pavel Tikhomirov <ptikhomi...@virtuozzo.com> Date: Fri Mar 24 16:23:57 2017 +0400
ve/sysctl/net: move and rename *_hide_sysctl helper to ve.c
Make it general for all net sysctls, will be use in next patch.
https://jira.sw.ru/browse/PSBM-54530
Signed-off-by: Pavel Tikhomirov <ptikhomi...@virtuozzo.com>
Reviewed-by: Cyrill Gorcunov <gorcu...@openvz.org>
---
include/linux/ve.h | 2 ++
include/net/netfilter/nf_conntrack_core.h | 2 --
kernel/ve/ve.c | 16 ++++++++++++++++
net/netfilter/nf_conntrack_acct.c | 2 +-
net/netfilter/nf_conntrack_ecache.c | 2 +-
net/netfilter/nf_conntrack_standalone.c | 24 ++----------------------
6 files changed, 22 insertions(+), 26 deletions(-)
diff --git a/include/linux/ve.h b/include/linux/ve.h
index edff7e4..ba56bc4 100644
--- a/include/linux/ve.h
+++ b/include/linux/ve.h
@@ -216,6 +216,8 @@ void ve_exit_ns(struct pid_namespace *ns);
 extern bool current_user_ns_initial(void);
 struct user_namespace *ve_init_user_ns(void);
+int ve_net_hide_sysctl(struct net *net);
+
 #ifdef CONFIG_TTY
 #define MAX_NR_VTTY_CONSOLES (12)
 extern struct tty_driver *vtty_driver(dev_t dev, int *index);
diff --git a/include/net/netfilter/nf_conntrack_core.h b/include/net/netfilter/nf_conntrack_core.h
index c029b52..879b7ab 100644
--- a/include/net/netfilter/nf_conntrack_core.h
+++ b/include/net/netfilter/nf_conntrack_core.h
@@ -39,8 +39,6 @@ void nf_conntrack_cleanup_start(void);
 void nf_conntrack_init_end(void);
 void nf_conntrack_cleanup_end(void);
-int nf_conntrack_hide_sysctl(struct net *net);
-
 bool nf_ct_get_tuple(const struct sk_buff *skb, unsigned int nhoff, unsigned int dataoff, u_int16_t l3num, u_int8_t protonum, struct nf_conntrack_tuple *tuple,
diff --git a/kernel/ve/ve.c b/kernel/ve/ve.c
index 67b7882..9efe3ff 100644
--- a/kernel/ve/ve.c
+++ b/kernel/ve/ve.c
@@ -257,6 +257,22 @@ struct user_namespace *ve_init_user_ns(void)
 }
 EXPORT_SYMBOL(ve_init_user_ns);
+int ve_net_hide_sysctl(struct net *net)
+{
+ /*
+ * This can happen only on VE creation, when process created VE cgroup,
+ * and clones a child with new network namespace.
+ */
+ if (net->owner_ve->init_cred == NULL)
+ return 0;
+
+ /*
+ * Expose sysctl only for container's init user namespace
+ */
+ return net->user_ns != net->owner_ve->init_cred->user_ns;
+}
+EXPORT_SYMBOL(ve_net_hide_sysctl);
+
 int nr_threads_ve(struct ve_struct *ve)
 {
 return cgroup_task_count(ve->css.cgroup);
diff --git a/net/netfilter/nf_conntrack_acct.c b/net/netfilter/nf_conntrack_acct.c
index e35af92..363866f 100644
--- a/net/netfilter/nf_conntrack_acct.c
+++ b/net/netfilter/nf_conntrack_acct.c
@@ -71,7 +71,7 @@ static int nf_conntrack_acct_init_sysctl(struct net *net)
 table[0].data = &net->ct.sysctl_acct;
 /* Don't export sysctls to unprivileged users */
- if (nf_conntrack_hide_sysctl(net))
+ if (ve_net_hide_sysctl(net))
 table[0].procname = NULL;
 net->ct.acct_sysctl_header = register_net_sysctl(net, "net/netfilter",
diff --git a/net/netfilter/nf_conntrack_ecache.c b/net/netfilter/nf_conntrack_ecache.c
index c605daa..a82b7f7 100644
--- a/net/netfilter/nf_conntrack_ecache.c
+++ b/net/netfilter/nf_conntrack_ecache.c
@@ -199,7 +199,7 @@ static int nf_conntrack_event_init_sysctl(struct net *net)
 table[1].data = &net->ct.sysctl_events_retry_timeout;
 /* Don't export sysctls to unprivileged users */
- if (nf_conntrack_hide_sysctl(net))
+ if (ve_net_hide_sysctl(net))
 table[0].procname = NULL;
 net->ct.event_sysctl_header =
diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c
index 7d95af8..871e6ff 100644
--- a/net/netfilter/nf_conntrack_standalone.c
+++ b/net/netfilter/nf_conntrack_standalone.c
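Review bot: `ve_net_hide_sysctl()` fails open: the `init_cred == NULL` branch returns 0, which every caller in this series treats as "register the sysctl", so if the invariant in the comment ever breaks (a `net` whose owner VE has no init_cred yet outside the creation path) the table is exposed to a user namespace it was meant to be hidden from. Now that the helper is exported for all net sysctls rather than private to conntrack, that choice should be explicit: either `return 1;` there (hide until the VE has an init user namespace) or state the invariant at the definition, e.g. `/* NOTE: returns "expose" when init_cred is unset; callers rely on this only being reachable during VE setup */`. Since the function now carries EXPORT_SYMBOL, a kernel-doc block above it naming the `net` argument and saying that a non-zero return means "clear procname, do not register" would help callers outside netfilter. The helper returns `int` for a boolean predicate while the neighbouring ve.h declaration `extern bool current_user_ns_initial(void)` already uses `bool`; `bool ve_net_hide_sysctl(struct net *net)` would read more clearly. The function is complete within the hunk.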
@@ -505,21 +505,6 @@ static struct ctl_table nf_ct_netfilter_table[] = {
 static int zero;
-int nf_conntrack_hide_sysctl(struct net *net)
-{
- /*
- * This can happen only on VE creation, when process created VE cgroup,
- * and clones a child with new network namespace.
- */
- if (net->owner_ve->init_cred == NULL)
- return 0;
-
- /*
- * Expose sysctl only for container's init user namespace
- */
- return net->user_ns != net->owner_ve->init_cred->user_ns;
-}
-
 static int nf_conntrack_netfilter_init_sysctl(struct net *net)
 {
 struct ctl_table *table;
@@ -532,7 +517,7 @@ static int nf_conntrack_netfilter_init_sysctl(struct net *net)
 table[0].data = &net->ct.max;
 /* Don't export sysctls to unprivileged users */
- if (nf_conntrack_hide_sysctl(net))
+ if (ve_net_hide_sysctl(net))
 table[0].procname = NULL;
 net->ct.netfilter_header = register_net_sysctl(net, "net", table);
@@ -573,7 +558,7 @@ static int nf_conntrack_standalone_init_sysctl(struct net *net)
 table[5].data = &net->ct.expect_max;
 /* Don't export sysctls to unprivileged users */
- if (nf_conntrack_hide_sysctl(net))
+ if (ve_net_hide_sysctl(net))
 table[0].procname = NULL;
 if (!net_eq(net, &init_net)) {
@@ -603,11 +588,6 @@ static void nf_conntrack_standalone_fini_sysctl(struct net *net)
 kfree(table);
 }
 #else
-int nf_conntrack_hide_sysctl(struct net *net)
-{
- return 0;
-}
-
 static int nf_conntrack_netfilter_init_sysctl(struct net *net)
 {
 return 0;
_______________________________________________
Devel mailing list
Devel@openvz.org
https://lists.openvz.org/mailman/listinfo/devel