[RHEL8,COMMIT] ve/cgroup: Allow mounting cgroups in containers.

Submitted by Konstantin Khorenko on Oct. 29, 2019, 11:37 a.m.

Details

Message ID 201910291137.x9TBbd2i007381@finist_co8.work.ct
State New
Series "cgroup: Allow mounting cgroups in containers."

Commit Message

Konstantin Khorenko Oct. 29, 2019, 11:37 a.m.
The commit is pushed to "branch-rh8-4.18.0-80.1.2.vz8.2.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh8-4.18.0-80.1.2.vz8.2.4
------>
commit 47e936723b2a0a995139cf6b5467c4df6b1378f1
Author: Andrey Ryabinin <aryabinin@virtuozzo.com>
Date:   Tue Oct 29 14:37:38 2019 +0300

    ve/cgroup: Allow mounting cgroups in containers.
    
    With addition of the cgroup namespaces our old scheme of bindmounting
    cgroups in container doesn't work anymore. In fact we don't need
    it, because we have cgroup namespaces. But our ve-specific permission
    check in cgroup_mount() breaks cgroup namespacing.
    
    Just remove it, we have proper permission checks based on namespaces
    and don't need this ve-crud anymore.
    
    Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
---
 kernel/cgroup/cgroup.c | 6 ------
 1 file changed, 6 deletions(-)

Patch

diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c
index 223ac0e46969..7376dd53cb84 100644
--- a/kernel/cgroup/cgroup.c
+++ b/kernel/cgroup/cgroup.c
@@ -2121,12 +2121,6 @@  static struct dentry *cgroup_mount(struct file_system_type *fs_type,
 	struct dentry *dentry;
 	int ret;
 
-#ifdef CONFIG_VE
-	if (!ve_is_super(get_exec_env()) && !(flags & MS_KERNMOUNT)) {
-		if (!get_exec_env()->is_pseudosuper)
-			return ERR_PTR(-EACCES);
-	}
-#endif
 	get_cgroup_ns(ns);
 
 	/* Check if the caller has permission to mount. */
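
Review bot: With the `#ifdef CONFIG_VE` block gone from the top of cgroup_mount(), a caller in a non-super VE that is neither mounting with MS_KERNMOUNT nor marked is_pseudosuper no longer gets -EACCES here and falls through to whatever follows the "Check if the caller has permission to mount." comment. That check is outside the visible context, yet the commit message's "proper permission checks based on namespaces" is the entire security argument for the removal. Please name the check in the commit message and state that it is evaluated against the caller's cgroup namespace (the `ns` taken by `get_cgroup_ns(ns)`), so a reviewer can confirm container root cannot mount a hierarchy rooted outside its own namespace. A note on how this was tested from inside a container (mount succeeds, view is confined to the container's cgroup root) would also help, as would a word on whether is_pseudosuper still has a purpose on this path for other callers.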