[RHEL7,COMMIT] ve/time: introduce CT feature to allow setting date/time

Submitted by Konstantin Khorenko on May 24, 2019, 3:21 p.m.

Details

Message ID 201905241521.x4OFLBEv002196@finist-ce7.sw.ru
State New
Series "ve/time: allow date/time management from trusted Containers"

Commit Message

Konstantin Khorenko May 24, 2019, 3:21 p.m.
The commit is pushed to "branch-rh7-3.10.0-957.12.2.vz7.96.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-957.12.2.vz7.96.4
------>
commit f80fe97979ea2d08a116878a5c03128575272f89
Author: Konstantin Khorenko <khorenko@virtuozzo.com>
Date:   Fri May 24 11:22:04 2019 +0300

    ve/time: introduce CT feature to allow setting date/time
    
    Sometimes people would like to run ntp server inside trusted Containers,
    so let's introduce an appropriate CT feature for that.
    
    Note: time is NOT virtualized, so Container changes date/time of the
    whole Node.
    
    https://jira.sw.ru/browse/PSBM-94635
    
    Signed-off-by: Konstantin Khorenko <khorenko@virtuozzo.com>
---
 include/uapi/linux/vzcalluser.h | 1 +
 security/commoncap.c            | 4 +++-
 2 files changed, 4 insertions(+), 1 deletion(-)


diff --git a/include/uapi/linux/vzcalluser.h b/include/uapi/linux/vzcalluser.h
index 4a818bd9fba3..063181d3c572 100644
--- a/include/uapi/linux/vzcalluser.h
+++ b/include/uapi/linux/vzcalluser.h
@@ -122,6 +122,7 @@  struct env_create_param3 {
 #define VE_FEATURE_IPGRE	(1ULL << 6)
 #define VE_FEATURE_BRIDGE	(1ULL << 7)
 #define VE_FEATURE_NFSD		(1ULL << 8)
+#define VE_FEATURE_TIME		(1ULL << 9)
 
 #define VE_FEATURES_OLD		(VE_FEATURE_SYSFS)
 #define VE_FEATURES_DEF		(VE_FEATURE_SYSFS | VE_FEATURE_DEF_PERMS)
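Review bot: the new VE_FEATURE_TIME define (bit 9) carries no comment, yet per the commit message the time it controls is not virtualized, so a container holding this bit changes the clock of the whole node. This is a uapi header that management tooling builds against, so a one-line comment on the define stating that the effect is node-wide and the feature is meant for trusted containers only would keep that warning next to the flag instead of only in the commit log. Leaving the bit out of VE_FEATURES_DEF and VE_FEATURES_OLD, as the context lines show, is the right default and worth stating in that comment too.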
diff --git a/security/commoncap.c b/security/commoncap.c
index 7377414569ff..099f97f86181 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -31,6 +31,8 @@ 
 #include <linux/binfmts.h>
 #include <linux/personality.h>
 
+#include <uapi/linux/vzcalluser.h>
+
 /*
  * If a non-root user executes a setuid-root binary in
  * !secure(SECURE_NOROOT) mode, then we raise capabilities.
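Review bot: the added include in security/commoncap.c names the header by its uapi/ path and is unconditional, with no config guard visible in this hunk. Unless a non-uapi header of the same name would shadow it, the usual spelling is <linux/vzcalluser.h>. Because commoncap.c is built in every configuration, please also confirm that VE_FEATURE_TIME and feature_capable() (used in the next hunk, declared somewhere not shown here) are available, or stubbed, when container support is compiled out.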
@@ -118,7 +120,7 @@  int cap_capable(const struct cred *cred, struct user_namespace *targ_ns,
  */
 int cap_settime(const struct timespec *ts, const struct timezone *tz)
 {
-	if (!capable(CAP_SYS_TIME))
+	if (!feature_capable(VE_FEATURE_TIME, CAP_SYS_TIME))
 		return -EPERM;
 	return 0;
 }
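Review bot: in cap_settime() the replacement check feature_capable(VE_FEATURE_TIME, CAP_SYS_TIME) has semantics that cannot be read from this patch, and they decide whether this is a privilege expansion. Please confirm, and state in the comment block above the function, that a task inside a container needs both the feature bit and CAP_SYS_TIME (not either one), and that on the host the behaviour is unchanged from the old capable(CAP_SYS_TIME). Two further points for the same function: only the cap_settime() path is changed here while the stated use case is an ntp server, so any other CAP_SYS_TIME checks that daemon depends on need to be covered elsewhere in the series; and since a successful call from a container now moves the clock for the whole node, an audit or log record identifying the calling container would help operators trace unexpected time jumps.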