Done similarly to proc_dostring/dointvec_immutable; this is for docker,
which wants to write these non-virtualized sysctls and fails because
they are read-only in a CT. Docker does it to fix problems with docker
container stop. We can just enable these sysctls on the host for docker.

Sysctl may_detach_mounts is RH7.4 specific and will be enabled by
default (as in mainstream) later, these one is to allow to remove
dentry if it is not a mountpoint in current mountns, though detaching
mounts in other mount namespaces from these mountpoint.

https://jira.sw.ru/browse/PSBM-74521
Signed-off-by: Pavel Tikhomirov <ptikhomi...@virtuozzo.com>
---
 include/linux/sysctl.h |  2 ++
 kernel/sysctl.c        | 12 ++++++++++--
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/include/linux/sysctl.h b/include/linux/sysctl.h
index af467dc336ff..d39c9033bffb 100644
--- a/include/linux/sysctl.h
+++ b/include/linux/sysctl.h
@@ -66,6 +66,8 @@ extern int proc_dointvec_immutable(struct ctl_table *table, 
int write,
                void __user *buffer, size_t *lenp, loff_t *ppos);
 extern int proc_dostring_immutable(struct ctl_table *table, int write,
                void __user *buffer, size_t *lenp, loff_t *ppos);
+extern int proc_dointvec_minmax_immutable(struct ctl_table *table, int write,
+               void __user *buffer, size_t *lenp, loff_t *ppos);
 
 /*
  * Register a set of sysctl names by calling register_sysctl_table
diff --git a/kernel/sysctl.c b/kernel/sysctl.c
index 4e6d77ff4045..e2d83c602b01 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -1869,8 +1869,8 @@ static struct ctl_table fs_table[] = {
                .procname       = "may_detach_mounts",
                .data           = &may_detach_mounts,
                .maxlen         = sizeof(may_detach_mounts),
-               .mode           = 0644,
-               .proc_handler   = proc_dointvec_minmax,
+               .mode           = 0644 | S_ISVTX,
+               .proc_handler   = proc_dointvec_minmax_immutable,
                .extra1         = &zero,
                .extra2         = &one,
        },
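Review bot: The `.mode = 0644 | S_ISVTX` line gives the sticky bit a tree-specific meaning in a ctl_table mode that nothing in the hunk explains, and the same bit is presumably what makes the entry reachable from a container at all. A short comment on that line, e.g. `/* S_ISVTX: expose in CT; writes there are no-ops (see proc_dointvec_minmax_immutable) */`, would keep the pairing of the mode bit and the immutable handler from being broken by a later edit to either one; confirm the exact meaning of S_ISVTX in this tree before wording it. The fs_table array begins and ends outside the hunk.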
@@ -2902,6 +2902,14 @@ int proc_dostring_immutable(struct ctl_table *table, int 
write,
        return proc_dostring(table, write, buffer, lenp, ppos);
 }
 
+int proc_dointvec_minmax_immutable(struct ctl_table *table, int write,
+               void __user *buffer, size_t *lenp, loff_t *ppos)
+{
+       if (write && sysctl_in_container())
+               return 0;
+       return proc_dointvec_minmax(table, write, buffer, lenp, ppos);
+}
+
 #else /* CONFIG_PROC_SYSCTL */
 
 int proc_dostring(struct ctl_table *table, int write,
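Review bot: The `if (write && sysctl_in_container()) return 0;` line makes a container write report success while leaving the host-global value untouched, and that silent-accept contract is not stated anywhere in the new function. Since the value is not virtualized, this is what keeps a container from changing behaviour for the whole host, so it deserves a comment above the function such as `/* Same as proc_dointvec_minmax, but writes from inside a container are accepted and ignored: the value is host-global and must stay host-controlled. */`. The caller presumably treats the 0 return (with *lenp unchanged) as a complete write, as the sibling proc_dostring_immutable above relies on, but that is inferred from the line `return proc_dostring(...)` rather than visible here. Reads inside a container still go through proc_dointvec_minmax and return the host value, which the comment could also mention. The enclosing `#ifdef CONFIG_PROC_SYSCTL` region continues past the hunk.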
-- 
2.13.5
