[Devel] [PATCH RHEL7 COMMIT] ve/cgroup: Prohibit access to toplevel cgroups in CT

[Konstantin Khorenko]

The commit is pushed to "branch-rh7-3.10.0-327.10.1.vz7.12.x-ovz" and will 
appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-327.10.1.vz7.12.3
------>
commit 31fe0714d2e7d37991312e390d6e78e4827dcc74
Author: Pavel Tikhomirov <ptikhomi...@virtuozzo.com>
Date:   Thu Mar 24 20:15:32 2016 +0400

    ve/cgroup: Prohibit access to toplevel cgroups in CT
    
    To allow write access to top-level cgroup e.g. on CT start and resume
    one need to enable ve.pseudosuper, appropriate patch sent to libvzctl.
    
    libvzctl pull request:
    https://src.openvz.org/projects/OVZ/repos/libvzctl/pull-requests/50/
    (available in libvzctl-7.0.185)
    
    https://jira.sw.ru/browse/PSBM-44981
    
    Signed-off-by: Pavel Tikhomirov <ptikhomi...@virtuozzo.com>
    Acked-by: Cyrill Gorcunov <gorcu...@openvz.org>
---
 kernel/cgroup.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/kernel/cgroup.c b/kernel/cgroup.c
index 3bc12e4..fa4eeb5 100644
--- a/kernel/cgroup.c
+++ b/kernel/cgroup.c
@@ -2411,10 +2411,10 @@ static ssize_t cgroup_file_write(struct file *file, 
const char __user *buf,
         * userspace from ve0 should *never* bindmount it
         * inside a container FS.
         */
-       if (!ve_is_super(get_exec_env())) {
-               if (!cgrp->parent || !cgrp->parent->parent)
-                       pr_warn_once("FIXME: Write into toplevel cgroup, 
restore?");
-       }
+       if (!ve_is_super(get_exec_env())
+           && (!cgrp->parent || !cgrp->parent->parent)
+           && !get_exec_env()->is_pseudosuper)
+               return -EPERM;
 #endif
 
        if (cgroup_is_removed(cgrp))
_______________________________________________
Devel mailing list
Devel@openvz.org
https://lists.openvz.org/mailman/listinfo/devel