| Message ID | 202011061607.0A6G7iGu2053569@finist-co8.sw.ru |
|---|---|
| State | New |
| Series | "ve/net/core: allow to call setsockopt(SO_SNDBUFFORCE) from Containers" |
| Headers | show
Delivered-To: criupatchwork@gmail.com Received: from imap.gmail.com [108.177.119.109] by patchwork.criu.org with IMAP (fetchmail-6.4.8) for <root@localhost> (single-drop); Thu, 12 Nov 2020 11:45:21 +0100 (CET) Received: by 2002:a9a:4d14:0:b029:97:cf3a:849f with SMTP id h20csp1396944lko; Fri, 6 Nov 2020 08:08:48 -0800 (PST) X-Google-Smtp-Source: ABdhPJxx+yQy0EO0LFDnD4Ikn0oZkjr0ZErM6f86C5s4l8SVhTQoqqGSFtghOVNlRcOmDk4Tj7EO X-Received: by 2002:ac2:55a5:: with SMTP id y5mr1285035lfg.473.1604678928102; Fri, 06 Nov 2020 08:08:48 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1604678928; cv=none; d=google.com; s=arc-20160816; b=DXAc2C1qcANs6p5h4ruDqxBKdGp1A7JBbc/fqUsbElptoe9t2bu+mWKOTTebHgA8Z7 XX8PwYbQIFKKy7bLKfAQLgpekAFKnij/UVLXXSycCbRCUKaJoo1do7OBOmYjKazyX1PM MDjhbUXHlbo+9g3d7lhXIZO/St+95o3V+o7UvM2aY9m2V7FOa7CNB34B81JztvYQp3NN opW45aZSM9ZqjouEL/bB+V7+izqMGpU11PwBFcOEzwfNTJTha/IMPKyOLRpn/5rGlEWS r0mZ+KNmSN6Sc2B8v6ctou76J52T1wYr+034fznlGHMtOeW7LZDKxRnPziTsoCxCT75j 2sjg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=errors-to:sender:content-transfer-encoding:list-subscribe:list-help :list-post:list-archive:list-unsubscribe:list-id:precedence:subject :cc:mime-version:in-reply-to:to:from:message-id:date; bh=hSxShTb+Bpics5Q6WlQ66GCZH/LzzDSBw6K40p/dT1g=; b=LkQ9TcrOMLw53ZswPDkZ55t3FokjwSlPRvs5CIY2uBTl/0x6o0g339z6HeY/eRnCeO FjnM1DU7G+XrzGovRP8eK30xI4iI3nEyIBWE0WEimn2ZTap2STbhyS6rX3mjPVUqjVvG dnV292NuJRnAL9K8k8aaPyd7cW0nk/6SUvjaspQtdZuBpon/puyQPrMYjbxWlDz/Kcmc 1aBQiO9QLTVLyzadLGn/u7fj3WewQNeiRLMBiHUGpp1CTfOULTysvHDwCdGSCXmhEH1i 3xSGz4fZ+s3+WAmaDxlY2dll15stRwfFVFEBxnJjyJKiGP5sUZYrJS4Raf1DfDsSSa0E UbnA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of devel-bounces@openvz.org designates 185.231.241.50 as permitted sender) smtp.mailfrom=devel-bounces@openvz.org; dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=virtuozzo.com Return-Path: <devel-bounces@openvz.org> Received: from mail.openvz.org (mail.openvz.org. [185.231.241.50]) by mx.google.com with ESMTPS id e29si730152ljp.472.2020.11.06.08.08.47 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Fri, 06 Nov 2020 08:08:48 -0800 (PST) Received-SPF: pass (google.com: domain of devel-bounces@openvz.org designates 185.231.241.50 as permitted sender) client-ip=185.231.241.50; Authentication-Results: mx.google.com; spf=pass (google.com: domain of devel-bounces@openvz.org designates 185.231.241.50 as permitted sender) smtp.mailfrom=devel-bounces@openvz.org; dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=virtuozzo.com Received: from localhost.localdomain (localhost [127.0.0.1]) by mail.openvz.org (8.14.4/8.14.4) with ESMTP id 0A6G88gn032120; Fri, 6 Nov 2020 19:08:11 +0300 Received: from EUR04-VI1-obe.outbound.protection.outlook.com (mail-vi1eur04lp2050.outbound.protection.outlook.com [104.47.14.50]) by mail.openvz.org (8.14.4/8.14.4) with ESMTP id 0A6G860p032117 for <devel@openvz.org>; Fri, 6 Nov 2020 19:08:06 +0300 Received: from AM6P194CA0035.EURP194.PROD.OUTLOOK.COM (2603:10a6:209:90::48) by DBBPR08MB5996.eurprd08.prod.outlook.com (2603:10a6:10:201::8) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3541.21; Fri, 6 Nov 2020 16:08:10 +0000 Received: from VE1EUR01FT018.eop-EUR01.prod.protection.outlook.com (2603:10a6:209:90:cafe::6b) by AM6P194CA0035.outlook.office365.com (2603:10a6:209:90::48) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3541.21 via Frontend Transport; Fri, 6 Nov 2020 16:08:10 +0000 Authentication-Results: spf=temperror (sender IP is 185.231.240.75) smtp.mailfrom=virtuozzo.com; openvz.org; dkim=none (message not signed) header.d=none;openvz.org; dmarc=temperror action=none header.from=virtuozzo.com; Received-SPF: TempError (protection.outlook.com: error in processing during lookup of virtuozzo.com: DNS Timeout) Received: from relay3.sw.ru (185.231.240.75) by VE1EUR01FT018.mail.protection.outlook.com (10.152.2.221) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3541.21 via Frontend Transport; Fri, 6 Nov 2020 16:08:08 +0000 Received: from [10.94.5.150] (helo=finist-co8.sw.ru) by relay3.sw.ru with esmtp (Exim 4.94) (envelope-from <khorenko@virtuozzo.com>) id 1kb4H7-007deE-PB; Fri, 06 Nov 2020 19:07:41 +0300 Received: from finist-co8.sw.ru (localhost [127.0.0.1]) by finist-co8.sw.ru (8.15.2/8.15.2) with ESMTPS id 0A6G7iCN2053570 (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=NOT); Fri, 6 Nov 2020 19:07:44 +0300 Received: (from khorenko@localhost) by finist-co8.sw.ru (8.15.2/8.15.2/Submit) id 0A6G7iGu2053569; Fri, 6 Nov 2020 19:07:44 +0300 Date: Fri, 6 Nov 2020 19:07:44 +0300 Message-Id: <202011061607.0A6G7iGu2053569@finist-co8.sw.ru> X-Authentication-Warning: finist-co8.sw.ru: khorenko set sender to khorenko@virtuozzo.com using -f From: Konstantin Khorenko <khorenko@virtuozzo.com> To: Konstantin Khorenko <khorenko@virtuozzo.com> In-Reply-to: <fake.2020.11.06> X-EOPAttributedMessage: 0 X-MS-PublicTrafficType: Email MIME-Version: 1.0 X-MS-Office365-Filtering-Correlation-Id: 483c0211-e6c5-4d3b-d57b-08d8826e272e X-MS-TrafficTypeDiagnostic: DBBPR08MB5996: X-Forefront-Antispam-Report: CIP:185.231.240.75; CTRY:RU; LANG:en; SCL:-1; SRV:; IPV:CAL; SFV:SKN; H:relay3.sw.ru; PTR:ErrorRetry; CAT:NONE; SFS:; DIR:INB; X-MS-Oob-TLC-OOBClassifiers: OLM:2958; X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: =?us-ascii?Q?In8/dmdDTNXMou08mgnX43C2AFu/ZwbzVqMMbwExe+mQ2iAiGrbD7aXe/jBC?= =?us-ascii?Q?QPckumYcdTELdn81fwxRru4Bt1UVYr31XoEspG3nqgP+nvx1IM+emZtNciET?= =?us-ascii?Q?SSvAPTcuSWWZX81pzsVSrIsjNGjTtRkxqJ8B6wSz6OBTiMYYTQP6MQgNDbtn?= =?us-ascii?Q?jLoUbSVZvJsPJbFmKCDl3lQPJITbmevCnm3bolWBWgUskX+Zbqm9fKAEahrQ?= =?us-ascii?Q?wPBiFvbnSGbQiArrCZ4mkcBvN5EfKlvm/a0jcCKrwKpwGrLD4wXWnpLo7TeW?= =?us-ascii?Q?nl7L+muLwbFAO8F+xV1snKbL3dqokzAGXjyceIFjN2j7M2+bnFwOPUHxtxRQ?= =?us-ascii?Q?MdGrunozNunQdJKX/cXU1wRVkSODA3ZaClYB5F5OP/zBGHQPppNrL+731Swu?= =?us-ascii?Q?Ll4fv2BUXR0mwV1zpFZSDU9kC87VNxpA1xfUP50Xk43zPH5yDIJW/yZSVzRH?= =?us-ascii?Q?/8MbXGPI2Ie90ChhaSQZcQZuvpBUl9fMc5q1QRIO9H94pBuwtwI55iLODayk?= =?us-ascii?Q?zT10fcg7UVte9DfGYU01RskDV5oG2r+ziqxa54YASL3H2/Y2vQq3kzkheoHU?= =?us-ascii?Q?haUxUCcoGk1i5mq1kwPLX3knX8nYbPz/6ZVNtc4pin/R+syCmMDI/v22hDAS?= =?us-ascii?Q?TdrnJH0kThZIKUolILQRie8IDoEbgsUVa5Q29CXw8qRHtWImiMvWo6+mC5Fw?= =?us-ascii?Q?wwpNFpts8+YEMcYta7opSQqmxE9LVScki1FQQSBv4JRvH6iJCLNRkj5Zpmhz?= =?us-ascii?Q?pvhEkLR1DihJxC61ou7V5MvfpBhp1Rq1TLfxj0i55rttoQNv2Y6i/tBcQyN9?= =?us-ascii?Q?zZY9Pq3qLbheQKuUYhVUq9IUrX7y8X3QDNnGQZbYx4XLNKc9ud0ikTZa/DXJ?= =?us-ascii?Q?aPclq5y6iws8LyPBOMWCVKEqqf7qaaRdQit5yWFhq1IipjNi/k26il2uOKFL?= =?us-ascii?Q?TgSvcVbXmjPb0e868h5oGVDfRo6DG4xSBn7dsfdRQJmXyu00q+14TbfY6mlO?= =?us-ascii?Q?Z2TWddTrbBPW7O+2v1JttkjfJQjgJiniN4j/gVY2qB01fv36R5V0Jsb6cMoH?= =?us-ascii?Q?1ULUozARYM5UGHI8kw/bo+ZZ3ip9UbEKgI4HYYPbSK94wC1Hb6LOIkhCZL3V?= =?us-ascii?Q?3fsFjG28zKbZA9WDWUsWChjdq/MRZWfGb9OaR5ejPMH9kCvjdfoYZiZJqJZl?= =?us-ascii?Q?wMWxvesR19oQHlS2NFh3NgB8Py0HpLAJAQtCfML8DgqHMVrS+CycCY0Ua7FT?= =?us-ascii?Q?d1G2+97f27t2oQBYp82h6iwMqEADHgL/SV4DZvNcyEIt7lfv++zbpySDIvMb?= =?us-ascii?Q?+3IVfzA17ByModZf5TfE92oQSv7w+Pb4x+UBeqKdbHaQSkHhPyAJHNVpS9aj?= =?us-ascii?Q?BVQ5JpbFDTenaKqn1luC/HH5yOu/g89jWd8T6qG7POE4g4I3sk74Jvt3/d43?= =?us-ascii?Q?iyGI2WY6Q/GK3gr/D1zcQ8q8fH8t9+2X25uKBXAlURIm0SfBbvbt9g=3D=3D?= X-OriginatorOrg: virtuozzo.com X-MS-Exchange-CrossTenant-OriginalArrivalTime: 06 Nov 2020 16:08:08.8289 (UTC) X-MS-Exchange-CrossTenant-Network-Message-Id: 483c0211-e6c5-4d3b-d57b-08d8826e272e X-MS-Exchange-CrossTenant-Id: 0bc7f26d-0264-416e-a6fc-8352af79c58f X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=0bc7f26d-0264-416e-a6fc-8352af79c58f; Ip=[185.231.240.75]; Helo=[relay3.sw.ru] X-MS-Exchange-CrossTenant-AuthSource: VE1EUR01FT018.eop-EUR01.prod.protection.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Anonymous X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem X-MS-Exchange-Transport-CrossTenantHeadersStamped: DBBPR08MB5996 X-MS-Exchange-CrossPremises-OriginalClientIPAddress: 185.231.240.75 X-MS-Exchange-CrossPremises-TransportTrafficType: Email X-MS-Exchange-CrossPremises-AuthSource: VE1EUR01FT018.eop-EUR01.prod.protection.outlook.com X-MS-Exchange-CrossPremises-AuthAs: Anonymous X-MS-Exchange-CrossPremises-SCL: -1 X-MS-Exchange-CrossPremises-Processed-By-Journaling: Journal Agent X-OrganizationHeadersPreserved: DBBPR08MB5996.eurprd08.prod.outlook.com Cc: OpenVZ devel <devel@openvz.org> Subject: [Devel] [PATCH RHEL8 COMMIT] ve/net/core: allow to call setsockopt(SO_SNDBUFFORCE) from Containers X-BeenThere: devel@openvz.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OpenVZ development <devel.openvz.org> List-Unsubscribe: <https://lists.openvz.org/mailman/options/devel>, <mailto:devel-request@openvz.org?subject=unsubscribe> List-Archive: <http://lists.openvz.org/pipermail/devel/> List-Post: <mailto:devel@openvz.org> List-Help: <mailto:devel-request@openvz.org?subject=help> List-Subscribe: <https://lists.openvz.org/mailman/listinfo/devel>, <mailto:devel-request@openvz.org?subject=subscribe> Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: devel-bounces@openvz.org Errors-To: devel-bounces@openvz.org |
diff --git a/net/core/sock.c b/net/core/sock.c index e493bde5a958..5a30c0f694dc 100644 --- a/net/core/sock.c +++ b/net/core/sock.c @@ -750,6 +750,7 @@ int sock_setsockopt(struct socket *sock, int level, int optname, sock_valbool_flag(sk, SOCK_BROADCAST, valbool); break; case SO_SNDBUF: +unpriv_sndbuf: /* Don't error on this BSD doesn't and if you think * about it this is right. Otherwise apps have to * play 'guess the biggest size' games. RCVBUF/SNDBUF @@ -768,11 +769,15 @@ int sock_setsockopt(struct socket *sock, int level, int optname, break; case SO_SNDBUFFORCE: - if (!capable(CAP_NET_ADMIN)) { + if (!ve_capable(CAP_NET_ADMIN)) { ret = -EPERM; break; } + /* nft utility uses this sockopt in CentOS 8 env */ + if (!ve_is_super(get_exec_env())) + goto unpriv_sndbuf; + /* No negative values (to prevent underflow, as val will be * multiplied by 2). */
The commit is pushed to "work" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git after rh8-4.18.0-193.6.3.vz8.4.16 ------> commit 87fdad3c1e3568f3ac26a65839bdc90409a22cdc Author: Konstantin Khorenko <khorenko@virtuozzo.com> Date: Thu Oct 24 12:53:36 2019 +0300 ve/net/core: allow to call setsockopt(SO_SNDBUFFORCE) from Containers "nft" util (in CentOS 8 environment) does use setsockopt(SO_SNDBUFFORCE) unconditionally, so we have to allow it from inside a Container. At the same time we don't want to allow a Container to set too much memory for a socket, so just threat SO_SNDBUFFORCE like SO_SNDBUF if called inside a Container. Simple rule to test: # nft add rule filter INPUT ct state related,established accept https://jira.sw.ru/browse/PSBM-98794 Signed-off-by: Konstantin Khorenko <khorenko@virtuozzo.com> Acked-by: Andrey Ryabinin <aryabinin@virtuozzo.com> (cherry picked from vz7 commit 8f3567b1f4af7d33c15856ae402ef2025909fd14) Signed-off-by: Konstantin Khorenko <khorenko@virtuozzo.com> --- net/core/sock.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-)