The commit is pushed to "branch-rh7-3.10.0-123.1.2-ovz" and will appear at 
https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-123.1.2.vz7.5.7
------>
commit bd28914a36ef98c893dbeb269a0bd4859151936e
Author: Cyrill Gorcunov <gorcu...@odin.com>
Date:   Fri May 29 16:50:49 2015 +0400

    cgroup: mount -- Disable mounting from inside of VE context
    
    Even mounting known cgroups (i.e. ones which are already known to VE and
    have been mounted by vzctl or any other tool for the container's sake) is not
    that harmless as it might look. In particular this introduces an
    additional performance hit. So because we are using bindmount
    strategy to grant cgroups to VE we don't need to mount it from
    inside of VE anymore and can simply disable.
    
    khorenko@:
    This patch reverts commit 8d96fa6e147c
    ("ve/cgroup: Allow mounting existing cgroups inside container").
    Previously we enabled the possibility to mount cgroups from inside a CT
    because CRIU required it on restore.
    Now we have taught libvzctl to prepare cgroups before CRIU restore,
    so we are safe to disable this back.
    
    Signed-off-by: Cyrill Gorcunov <gorcu...@virtuozzo.com>
    Reviewed-by: Vladimir Davydov <vdavy...@parallels.com>
    
    CC: Konstantin Khorenko <khore...@virtuozzo.com>
    CC: Pavel Emelyanov <xe...@virtuozzo.com>
    CC: Andrey Vagin <ava...@virtuozzo.com>
---
 kernel/cgroup.c | 18 +++++-------------
 1 file changed, 5 insertions(+), 13 deletions(-)

diff --git a/kernel/cgroup.c b/kernel/cgroup.c
index 47013a0..2e40430 100644
--- a/kernel/cgroup.c
+++ b/kernel/cgroup.c
@@ -1572,6 +1572,11 @@ static struct dentry *cgroup_mount(struct 
file_system_type *fs_type,
        struct cgroupfs_root *new_root;
        struct inode *inode;
 
+#ifdef CONFIG_VE
+       if (!ve_is_super(get_exec_env()) && !(flags & MS_KERNMOUNT))
+               return ERR_PTR(-EACCES);
+#endif
+
        /* First find the desired set of subsystems */
        if (!(flags & MS_KERNMOUNT)) {
                mutex_lock(&cgroup_mutex);
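Review bot: the new early return at the top of cgroup_mount() carries no comment, while the block it replaces (further down, in the new-root path) explained why in-VE mounting was restricted and why existing cgroups were exempted; add a short comment above `#ifdef CONFIG_VE` stating that mounts from a non-super VE are now refused outright, existing hierarchies included, because libvzctl prepares the cgroups before CRIU restore, so the next reader does not reintroduce the exception. Placing the check before the `mutex_lock(&cgroup_mutex)` and before any superblock is allocated is the right spot, since the rejected path then needs no cleanup, and the `MS_KERNMOUNT` exemption keeps in-kernel kern_mount() users working; returning `ERR_PTR(-EACCES)` matches the error code the removed block used, so userspace sees the same failure as before for the new-root case.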
@@ -1615,19 +1620,6 @@ static struct dentry *cgroup_mount(struct 
file_system_type *fs_type,
                int i;
                struct css_set *cg;
 
-#ifdef CONFIG_VE
-               /*
-                * We don't allow to mount new roots from inside
-                * of container (but have to allow mounting existing
-                * cgroups, because the VE restore procedure is
-                * implemented from inside of container environment).
-                */
-               if (!ve_is_super(get_exec_env())) {
-                       ret = -EACCES;
-                       goto drop_new_super;
-               }
-#endif
-
                BUG_ON(sb->s_root != NULL);
 
                ret = cgroup_get_rootdir(sb);
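Review bot: the removed block was the only user of `goto drop_new_super` visible in this hunk; check that the label still has other users inside cgroup_mount(), otherwise the build gains an unused-label warning and the label should be removed along with this block. The deletion itself is consistent with the check added at line 1572, which rejects non-super VEs before the subsystem parsing and superblock setup, so this later `ve_is_super()` test in the new-root path is unreachable for a VE caller and its absence cannot widen what a container may mount.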
_______________________________________________
Devel mailing list
Devel@openvz.org
https://lists.openvz.org/mailman/listinfo/devel
