[RHEL7,COMMIT] ve/capability: introduce capable() wrapper which honors CT features

Submitted by Konstantin Khorenko on May 24, 2019, 3:20 p.m.

Details

Message ID 201905241520.x4OFKaES002166@finist-ce7.sw.ru
State New
Series "ve/time: allow date/time management from trusted Containers"

Commit Message

Konstantin Khorenko May 24, 2019, 3:20 p.m.
The commit is pushed to "branch-rh7-3.10.0-957.12.2.vz7.96.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-957.12.2.vz7.96.4
------>
commit dbb855001600263acfc9cad880d18c574205eb2f
Author: Konstantin Khorenko <khorenko@virtuozzo.com>
Date:   Fri May 24 11:58:34 2019 +0300

    ve/capability: introduce capable() wrapper which honors CT features
    
    Containers might have special features which affect capabilities,
    so here is a wrapper for code simplicity.
    
    https://jira.sw.ru/browse/PSBM-94635
    
    Signed-off-by: Konstantin Khorenko <khorenko@virtuozzo.com>
---
 include/linux/capability.h |  1 +
 kernel/capability.c        | 13 +++++++++++++
 2 files changed, 14 insertions(+)


diff --git a/include/linux/capability.h b/include/linux/capability.h
index 17dd0dd7e7e8..a204f282cd65 100644
--- a/include/linux/capability.h
+++ b/include/linux/capability.h
@@ -214,6 +214,7 @@  extern bool has_ns_capability_noaudit(struct task_struct *t,
 extern bool capable(int cap);
 extern bool ns_capable(struct user_namespace *ns, int cap);
 extern bool ve_capable(int cap);
+extern bool feature_capable(int feature, int cap);
 extern bool capable_wrt_inode_uidgid(const struct inode *inode, int cap);
 extern bool file_ns_capable(const struct file *file, struct user_namespace *ns, int cap);
 
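Review bot: the new declaration `extern bool feature_capable(int feature, int cap);` carries no comment on its semantics, unlike the neighbouring capable()/ns_capable()/ve_capable() family whose meaning is established. A one-line comment in the header stating that `feature` is a VE feature mask and that a set feature makes the check container-scoped (ve_capable) rather than host-scoped (capable) would save callers from reading kernel/capability.c. Also worth confirming that `int feature` matches the width of the `features` field it is masked against in the .c hunk, so a wider bitmask is not silently truncated at the call boundary.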
diff --git a/kernel/capability.c b/kernel/capability.c
index 29b393ec4553..fd9a523b457f 100644
--- a/kernel/capability.c
+++ b/kernel/capability.c
@@ -408,11 +408,24 @@  bool ve_capable(int cap)
 
 	return ns_capable(cred->user_ns, cap);
 }
+
+bool feature_capable(int feature, int cap)
+{
+	if (get_exec_env()->features & feature)
+		return ve_capable(cap);
+	else
+		return capable(cap);
+}
 #else
 bool ve_capable(int cap)
 {
 	return capable(cap);
 }
+
+bool feature_capable(int feature, int cap)
+{
+	return capable(cap);
+}
 #endif
 
 EXPORT_SYMBOL_GPL(ve_capable);
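Review bot: feature_capable() is declared extern in the header but this hunk adds no `EXPORT_SYMBOL_GPL(feature_capable);` next to the existing `EXPORT_SYMBOL_GPL(ve_capable);` at the end of the hunk, so the wrapper is unusable from modular code while ve_capable() is; either add the export or note that only built-in callers are intended. Two smaller points: the `else` after `return ve_capable(cap);` is redundant (checkpatch flags else-after-return), and the CONFIG_VE branch dereferences `get_exec_env()->features` with no comment on the security consequence that enabling a feature downgrades the check from init-namespace capable() to the container's own user namespace via ve_capable(), which is the whole point of the wrapper and deserves a comment above the function.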