[RHEL7,COMMIT] sysctl: make may_detach_mounts immutable in CT

Submitted by Konstantin Khorenko on Oct. 11, 2017, 3:01 p.m.


Message ID 201710111501.v9BF1SOt001010@finist_ce7.work
State New
Series "sysctl: make may_detach_mounts immutable in CT"

Commit Message

Konstantin Khorenko Oct. 11, 2017, 3:01 p.m.
The commit is pushed to "branch-rh7-3.10.0-693.1.1.vz7.37.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-693.1.1.vz7.37.11
------>
commit 90ac1ded3655298386357beadab5e1182fda2181
Author: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
Date:   Wed Oct 11 18:01:27 2017 +0300

    sysctl: make may_detach_mounts immutable in CT
    
    Done similarly to proc_dostring/dointvec_immutable; it is for docker,
    as it wants to write this non-virtualized sysctl and fails because it
    is read-only in CT. Docker does it to fix problems with docker
    container stop. We can just enable this sysctl on the host for docker.
    
    Sysctl may_detach_mounts is RH7.4-specific and will be enabled by
    default (as in mainstream) later; it allows removing a dentry if it is
    not a mountpoint in the current mountns, while detaching mounts in
    other mount namespaces from that mountpoint.
    
    https://jira.sw.ru/browse/PSBM-74521
    Signed-off-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
---
 include/linux/sysctl.h |  2 ++
 kernel/sysctl.c        | 12 ++++++++++--
 2 files changed, 12 insertions(+), 2 deletions(-)

Patch

diff --git a/include/linux/sysctl.h b/include/linux/sysctl.h
index af467dc..d39c903 100644
--- a/include/linux/sysctl.h
+++ b/include/linux/sysctl.h
@@ -66,6 +66,8 @@  extern int proc_dointvec_immutable(struct ctl_table *table, int write,
 		void __user *buffer, size_t *lenp, loff_t *ppos);
 extern int proc_dostring_immutable(struct ctl_table *table, int write,
 		void __user *buffer, size_t *lenp, loff_t *ppos);
+extern int proc_dointvec_minmax_immutable(struct ctl_table *table, int write,
+		void __user *buffer, size_t *lenp, loff_t *ppos);
 
 /*
  * Register a set of sysctl names by calling register_sysctl_table
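Review bot: the new prototype for proc_dointvec_minmax_immutable is added without any comment, and neither it nor the neighbouring proc_dointvec_immutable/proc_dostring_immutable declarations say what "immutable" means here (writes from inside a container are dropped, per the kernel/sysctl.c hunk below). A one-line comment above this group of declarations, e.g. `/* Like the non-_immutable variants, but writes from a CT are ignored */`, would save readers of the header a trip into the implementation.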
diff --git a/kernel/sysctl.c b/kernel/sysctl.c
index 4e6d77f..e2d83c6 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -1869,8 +1869,8 @@  static struct ctl_table fs_table[] = {
 		.procname	= "may_detach_mounts",
 		.data		= &may_detach_mounts,
 		.maxlen		= sizeof(may_detach_mounts),
-		.mode		= 0644,
-		.proc_handler	= proc_dointvec_minmax,
+		.mode		= 0644 | S_ISVTX,
+		.proc_handler	= proc_dointvec_minmax_immutable,
 		.extra1		= &zero,
 		.extra2		= &one,
 	},
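Review bot: the mode change from `0644` to `0644 | S_ISVTX` is paired with the handler swap, but the commit message only explains the handler; it does not say what the sticky bit on a sysctl mode signals in this tree, nor why it must accompany proc_dointvec_minmax_immutable. Please either document that in the message or in a comment next to the entry, so the two changes are not separated by a later cleanup. Note also that the entry keeps owner write permission (0644), so from inside a CT the file still looks writable even though the handler discards the write.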
@@ -2902,6 +2902,14 @@  int proc_dostring_immutable(struct ctl_table *table, int write,
 	return proc_dostring(table, write, buffer, lenp, ppos);
 }
 
+int proc_dointvec_minmax_immutable(struct ctl_table *table, int write,
+		void __user *buffer, size_t *lenp, loff_t *ppos)
+{
+	if (write && sysctl_in_container())
+		return 0;
+	return proc_dointvec_minmax(table, write, buffer, lenp, ppos);
+}
+
 #else /* CONFIG_PROC_SYSCTL */
 
 int proc_dostring(struct ctl_table *table, int write,
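Review bot: `if (write && sysctl_in_container()) return 0;` returns success without touching `*lenp`, so a containerized writer is told all bytes were accepted while the value stays unchanged; this mirrors proc_dostring_immutable above and is evidently intended (docker must not fail), but a comment on the function stating the silent-no-op semantics and that a subsequent read returns the host value would make the behaviour explicit. Separately, the new function is defined only inside the CONFIG_PROC_SYSCTL branch, while the fs_table entry in the previous hunk references proc_dointvec_minmax_immutable unconditionally; please check whether the `#else /* CONFIG_PROC_SYSCTL */` branch that follows needs a matching `-ENOSYS` stub, as it has for proc_dostring, or confirm that the existing _immutable helpers already lack one and build fine.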