[RHEL7,COMMIT] ve/net/core: allow to call setsockopt(SO_RCVBUFFORCE) from Containers

Submitted by Vasily Averin on Dec. 15, 2020, 9:30 a.m.

Details

Message ID 202012150930.0BF9U43D006587@vz7build.vvs.sw.ru
State New
Series "ve/net/core: allow to call setsockopt(SO_RCVBUFFORCE) from Containers"
Headers show

Commit Message

Vasily Averin Dec. 15, 2020, 9:30 a.m.
The commit is pushed to "branch-rh7-3.10.0-1160.6.1.vz7.171.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-1160.6.1.vz7.171.4
------>
commit bd3e846de350fcff5cfdcd6133adb7c610b3a4af
Author: Konstantin Khorenko <khorenko@virtuozzo.com>
Date:   Tue Dec 15 12:30:04 2020 +0300

    ve/net/core: allow to call setsockopt(SO_RCVBUFFORCE) from Containers
    
    "nft" util (in CentOS 8 environment) does use setsockopt(SO_RCVBUFFORCE)
    unconditionally, so we have to allow it from inside a Container.
    
    At the same time we don't want to allow a Container to set too much
    memory for a socket, so just threat SO_RCVBUFFORCE like SO_RCVBUF if
    called inside a Container.
    
    Simple rule to test:
    
      # NFT=/usr/sbin/nft ./run-tests.sh -v -g testcases/nft-f/0011manydefines_0
    
    which fails inside a Container because of not enough rcb buffer because
    of failed
      setsockopt(3, SOL_SOCKET, SO_RCVBUFFORCE, [10561584], 4) = -1
      EPERM (Operation not permitted)
    
    Signed-off-by: Konstantin Khorenko <khorenko@virtuozzo.com>
---
 net/core/sock.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

Patch hide | download patch | download mbox

diff --git a/net/core/sock.c b/net/core/sock.c
index 07ea42f..44e91c8 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -793,6 +793,7 @@  set_sndbuf:
 		goto set_sndbuf;
 
 	case SO_RCVBUF:
+unpriv_rcvbuf:
 		/* Don't error on this BSD doesn't and if you think
 		 * about it this is right. Otherwise apps have to
 		 * play 'guess the biggest size' games. RCVBUF/SNDBUF
@@ -824,11 +825,15 @@  set_rcvbuf:
 		break;
 
 	case SO_RCVBUFFORCE:
-		if (!capable(CAP_NET_ADMIN)) {
+		if (!ve_capable(CAP_NET_ADMIN)) {
 			ret = -EPERM;
 			break;
 		}
 
+		/* nft utility uses this sockopt in CentOS 8 env */
+		if (!ve_is_super(get_exec_env()))
+			goto unpriv_rcvbuf;
+
 		/* No negative values (to prevent underflow, as val will be
 		 * multiplied by 2).
 		 */