We had the same thing with ve cgroup, so let's follow this pattern: only the task which created VE namespace and its ancestors are allowed until ve is not running.
Note: We might reconsider this as we might replace ve START with cloning ve_namespace, and then at this stage it would always be running already.

https://virtuozzo.atlassian.net/browse/VSTOR-119941
Signed-off-by: Pavel Tikhomirov <[email protected]>
Feature: ve: ve generic structures

--- kernel/ve/ve_namespace.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/kernel/ve/ve_namespace.c b/kernel/ve/ve_namespace.c index c8f89f57ab03..44cb7f0c66b0 100644 --- a/kernel/ve/ve_namespace.c +++ b/kernel/ve/ve_namespace.c @@ -196,6 +196,9 @@ static int ve_ns_install(struct nsset *nsset, struct ns_common *new) !ns_capable(nsset->cred->user_ns, CAP_SYS_ADMIN)) return -EPERM; + if (!VE_IS_RUNNING(ve_ns->ve)) + return -EINVAL; + /* * Don't need to put_ve_ns(nsset->ve_ns) here, * as at this point it is always zero. -- 2.52.0 _______________________________________________ Devel mailing list [email protected] https://lists.openvz.org/mailman/listinfo/devel
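
Review bot: the added VE_IS_RUNNING(ve_ns->ve) check in ve_ns_install() returns -EINVAL for every caller when the VE is not running, but the commit message says the task which created the VE namespace and its ancestors are still to be allowed in that state, and nothing in the visible lines makes that exception. If the exemption lives elsewhere (for instance in the condition that ends with the ns_capable() test just above, or because the creator never reaches this install path), a short comment above the new check saying so would make the intent verifiable; otherwise the condition needs the creator/ancestor case added. The hunk also does not show what keeps the running state stable between this test and the rest of the install, so it is worth stating which lock, if any, the caller holds, since a VE that stops right after the test would still be entered. Finally, -EINVAL for a namespace that is valid but not yet started is hard to tell apart from a bad argument in userspace; consider documenting the return code next to the check.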
