The commit is pushed to "branch-rh7-3.10.0-327.10.1.vz7.12.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-327.10.1.vz7.12.3
------>
commit 31fe0714d2e7d37991312e390d6e78e4827dcc74
Author: Pavel Tikhomirov <ptikhomi...@virtuozzo.com>
Date: Thu Mar 24 20:15:32 2016 +0400

ve/cgroup: Prohibit access to toplevel cgroups in CT

To allow write access to top-level cgroup e.g. on CT start and resume one needs to enable ve.pseudosuper; the appropriate patch was sent to libvzctl.

libvzctl pull request: https://src.openvz.org/projects/OVZ/repos/libvzctl/pull-requests/50/
(available in libvzctl-7.0.185)

https://jira.sw.ru/browse/PSBM-44981

Signed-off-by: Pavel Tikhomirov <ptikhomi...@virtuozzo.com>
Acked-by: Cyrill Gorcunov <gorcu...@openvz.org>
--- kernel/cgroup.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/kernel/cgroup.c b/kernel/cgroup.c index 3bc12e4..fa4eeb5 100644 --- a/kernel/cgroup.c +++ b/kernel/cgroup.c @@ -2411,10 +2411,10 @@ static ssize_t cgroup_file_write(struct file *file, const char __user *buf, * userspace from ve0 should *never* bindmount it * inside a container FS. */ - if (!ve_is_super(get_exec_env())) { - if (!cgrp->parent || !cgrp->parent->parent) - pr_warn_once("FIXME: Write into toplevel cgroup, restore?"); - } + if (!ve_is_super(get_exec_env()) + && (!cgrp->parent || !cgrp->parent->parent) + && !get_exec_env()->is_pseudosuper) + return -EPERM; #endif if (cgroup_is_removed(cgrp))
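
Review bot: The new `return -EPERM;` in cgroup_file_write() rejects the write silently, where the removed branch at least emitted a pr_warn_once(). The commit message says CT start and resume depend on ve.pseudosuper being enabled by libvzctl-7.0.185, so a host running this kernel with an older libvzctl will see those writes fail with no kernel-side hint as to why. A rate-limited warning before the return (for example pr_warn_ratelimited()) would make that mismatch diagnosable. Two smaller points on the same condition: get_exec_env() is evaluated twice, so take it once into a local variable and test both ve_is_super() and `->is_pseudosuper` on that; and the `&&` operators lead the continuation lines, whereas kernel coding style puts them at the end of the preceding line. The comment above the check still only describes the bindmount case. It should also say that `!cgrp->parent || !cgrp->parent->parent` covers both the root cgroup and its direct children, and that a pseudosuper VE is exempt.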