The commit is pushed to "branch-rh7-3.10.0-327.18.2.vz7.14.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git after rh7-3.10.0-327.18.2.vz7.14.17 ------> commit cb6242e909e43182b9bdcd08342b50500d5bad84 Author: Vladimir Davydov <vdavy...@virtuozzo.com> Date: Wed Jun 22 16:48:45 2016 +0400
ve: drop not used CAP_VE_ADMIN and CAP_VE_NET_ADMIN

Not needed anymore as we use user ns for capability checking.

Also, move capable_setveid() helper to ve.h so as not to pollute generic headers.

Signed-off-by: Vladimir Davydov <vdavy...@virtuozzo.com>
---
 include/linux/ve.h | 3 +++
 include/uapi/linux/capability.h | 55 -----------------------------------------
 2 files changed, 3 insertions(+), 55 deletions(-)

diff --git a/include/linux/ve.h b/include/linux/ve.h
index cea3a87..247cadb 100644
--- a/include/linux/ve.h
+++ b/include/linux/ve.h
@@ -138,6 +138,9 @@ struct ve_devmnt {
 #define VE_MEMINFO_DEFAULT 1 /* default behaviour */
 #define VE_MEMINFO_SYSTEM 0 /* disable meminfo virtualization */
+#define capable_setveid() \
+ (ve_is_super(get_exec_env()) && capable(CAP_SYS_ADMIN))
+
 extern int nr_ve;
 extern struct proc_dir_entry *proc_vz_dir;
 extern struct cgroup_subsys ve_subsys;
diff --git a/include/uapi/linux/capability.h b/include/uapi/linux/capability.h
index cadbfe6..b3d37bb 100644
--- a/include/uapi/linux/capability.h
+++ b/include/uapi/linux/capability.h
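Review bot: The new `capable_setveid()` macro in ve.h carries no comment, and it silently tightens the check it replaces — the removed version in capability.h also accepted `capable(CAP_VE_ADMIN)`, while this one requires `CAP_SYS_ADMIN` together with `ve_is_super(get_exec_env())`. A one-line comment above the define would spare the next reader the history dig, e.g. `/* Only host (ve0) tasks holding CAP_SYS_ADMIN may set a VE id; CAP_VE_ADMIN is gone now that user namespaces carry per-container capabilities */`. The expansion references capable(), ve_is_super() and get_exec_env(), so ve.h must already include <linux/capability.h> and whatever declares the other two — the hunk does not show the include block, and because this is a macro a missing declaration would only surface at the first use site; if those declarations precede line 138, a `static inline bool capable_setveid(void)` would be type-checked here instead. Since capable() in mainline tests against the initial user namespace, the net effect appears to be that only a host-side task with CAP_SYS_ADMIN passes, which matches the commit message's intent and is worth stating in that comment.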
@@ -307,61 +307,6 @@ struct vfs_cap_data {
 #define CAP_SETFCAP 31
-#ifdef __KERNEL__
-/*
- * Important note: VZ capabilities do intersect with CAP_AUDIT
- * this is due to compatibility reasons. Nothing bad.
- * Both VZ and Audit/SELinux caps are disabled in VPSs.
- */
-
-/* Allow access to all information. In the other case some structures will be
- * hiding to ensure different Virtual Environment non-interaction on the same
- * node (NOW OBSOLETED)
- */
-#define CAP_SETVEID 29
-
-#define capable_setveid() ({ \
- ve_is_super(get_exec_env()) && \
- (capable(CAP_SYS_ADMIN) || \
- capable(CAP_VE_ADMIN)); \
- })
-
-/*
- * coinsides with CAP_AUDIT_CONTROL but we don't care, since
- * audit is disabled in Virtuozzo
- */
-#define CAP_VE_ADMIN 30
-
-#ifdef CONFIG_VE
-
-/* Replacement for CAP_NET_ADMIN:
- delegated rights to the Virtual environment of its network administration.
- For now the following rights have been delegated:
-
- Allow setting arbitrary process / process group ownership on sockets
- Allow interface configuration
- */
-#define CAP_VE_NET_ADMIN CAP_VE_ADMIN
-
-/* Replacement for CAP_SYS_ADMIN:
- delegated rights to the Virtual environment of its administration.
- For now the following rights have been delegated:
- */
-/* Allow mount/umount/remount */
-/* Allow examination and configuration of disk quotas */
-/* Allow removing semaphores */
-/* Used instead of CAP_CHOWN to "chown" IPC message queues, semaphores
- and shared memory */
-/* Allow locking/unlocking of shared memory segment */
-/* Allow forged pids on socket credentials passing */
-
-#define CAP_VE_SYS_ADMIN CAP_VE_ADMIN
-#else
-#define CAP_VE_NET_ADMIN CAP_NET_ADMIN
-#define CAP_VE_SYS_ADMIN CAP_SYS_ADMIN
-#endif
-#endif
-
 /* Override MAC access.
 The base kernel enforces no MAC policy.
 An LSM may enforce a MAC policy, and if it does and it chooses
_______________________________________________
Devel mailing list
Devel@openvz.org
https://lists.openvz.org/mailman/listinfo/devel