Message ID | 202011061607.0A6G7sQq2053644@finist-co8.sw.ru |
---|---|
State | New |
Series | "ve/net/core: allow to call setsockopt(SO_RCVBUFFORCE) from Containers" |
diff --git a/net/core/sock.c b/net/core/sock.c index 5a30c0f694dc..f529d43e8cff 100644 --- a/net/core/sock.c +++ b/net/core/sock.c @@ -786,6 +786,7 @@ int sock_setsockopt(struct socket *sock, int level, int optname, goto set_sndbuf; case SO_RCVBUF: +unpriv_rcvbuf: /* Don't error on this BSD doesn't and if you think * about it this is right. Otherwise apps have to * play 'guess the biggest size' games. RCVBUF/SNDBUF @@ -817,11 +818,15 @@ int sock_setsockopt(struct socket *sock, int level, int optname, break; case SO_RCVBUFFORCE: - if (!capable(CAP_NET_ADMIN)) { + if (!ve_capable(CAP_NET_ADMIN)) { ret = -EPERM; break; } + /* nft utility uses this sockopt in CentOS 8 env */ + if (!ve_is_super(get_exec_env())) + goto unpriv_rcvbuf; + /* No negative values (to prevent underflow, as val will be * multiplied by 2). */
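Review bot: the unpriv_rcvbuf: label added under case SO_RCVBUF: in the first hunk carries no comment saying that it is a jump target for the SO_RCVBUFFORCE case further down, so someone reading the SO_RCVBUF case alone cannot tell that a second option enters here. Suggest a one-line comment on the label, for example /* also entered from SO_RCVBUFFORCE for Container callers */. The name is misleading too: the jump is taken only after ve_capable(CAP_NET_ADMIN) has passed, so the caller is not unprivileged, it is simply not in the host environment.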
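Review bot: in the SO_RCVBUFFORCE hunk the new goto unpriv_rcvbuf sits above the "No negative values" check, so for a Container caller val reaches the SO_RCVBUF path without that check; please confirm that the SO_RCVBUF path handles a negative val safely before it is multiplied by 2, and say so in the comment. The comment above the ve_is_super() test records the motivation (nft) but not the resulting behaviour, which is the part a reader needs: a Container caller is given SO_RCVBUF handling and, going by that path's own "Don't error on this" comment, gets no error when the requested size is not applied.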
The commit is pushed to "work" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh8-4.18.0-193.6.3.vz8.4.16
------>
commit 803cc58fefe17296602a6c9bf1cd4730ff92a940
Author: Konstantin Khorenko <khorenko@virtuozzo.com>
Date:   Fri Nov 6 19:07:54 2020 +0300

    ve/net/core: allow to call setsockopt(SO_RCVBUFFORCE) from Containers

    "nft" util (in CentOS 8 environment) does use setsockopt(SO_RCVBUFFORCE)
    unconditionally, so we have to allow it from inside a Container.

    At the same time we don't want to allow a Container to set too much
    memory for a socket, so just treat SO_RCVBUFFORCE like SO_RCVBUF if
    called inside a Container.

    Simple rule to test:
     # NFT=/usr/sbin/nft ./run-tests.sh -v -g testcases/nft-f/0011manydefines_0

    which fails inside a Container because of not enough rcv buffer because
    of failed

     setsockopt(3, SOL_SOCKET, SO_RCVBUFFORCE, [10561584], 4) = -1 EPERM (Operation not permitted)

    https://jira.sw.ru/browse/PSBM-121791

    Signed-off-by: Konstantin Khorenko <khorenko@virtuozzo.com>
---
 net/core/sock.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)