1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
|
Index: linux-2.6.17/include/linux/vserver/context.h
===================================================================
--- linux-2.6.17.orig/include/linux/vserver/context.h
+++ linux-2.6.17/include/linux/vserver/context.h
@@ -42,6 +42,7 @@
#define VXF_STATE_SETUP (1ULL<<32)
#define VXF_STATE_INIT (1ULL<<33)
+#define VXF_STATE_ADMIN (1ULL<<34)
#define VXF_SC_HELPER (1ULL<<36)
#define VXF_REBOOT_KILL (1ULL<<37)
@@ -52,9 +53,9 @@
#define VXF_IGNEG_NICE (1ULL<<52)
-#define VXF_ONE_TIME (0x0003ULL<<32)
+#define VXF_ONE_TIME (0x0007ULL<<32)
-#define VXF_INIT_SET (VXF_STATE_SETUP|VXF_STATE_INIT)
+#define VXF_INIT_SET (VXF_STATE_SETUP|VXF_STATE_INIT|VXF_STATE_ADMIN)
/* context migration */
Index: linux-2.6.17/include/linux/vserver/network.h
===================================================================
--- linux-2.6.17.orig/include/linux/vserver/network.h
+++ linux-2.6.17/include/linux/vserver/network.h
@@ -16,13 +16,14 @@
#define NXF_INFO_LOCK 0x00000001
#define NXF_STATE_SETUP (1ULL<<32)
+#define NXF_STATE_ADMIN (1ULL<<34)
#define NXF_SC_HELPER (1ULL<<36)
#define NXF_PERSISTENT (1ULL<<38)
-#define NXF_ONE_TIME (0x0001ULL<<32)
+#define NXF_ONE_TIME (0x0005ULL<<32)
-#define NXF_INIT_SET (0)
+#define NXF_INIT_SET (NXF_STATE_ADMIN)
/* address types */
Index: linux-2.6.17/kernel/vserver/signal.c
===================================================================
--- linux-2.6.17.orig/kernel/vserver/signal.c
+++ linux-2.6.17/kernel/vserver/signal.c
@@ -77,6 +77,10 @@ int vc_ctx_kill(struct vx_info *vxi, voi
if (copy_from_user (&vc_data, data, sizeof(vc_data)))
return -EFAULT;
+ /* special check to allow guest shutdown */
+ if (!vx_info_flags(vxi, VXF_STATE_ADMIN, 0) && (vc_data.pid != 1))
+ return -EACCES;
+
return vx_info_kill(vxi, vc_data.pid, vc_data.sig);
}
Index: linux-2.6.17/kernel/vserver/switch.c
===================================================================
--- linux-2.6.17.orig/kernel/vserver/switch.c
+++ linux-2.6.17/kernel/vserver/switch.c
@@ -413,17 +413,34 @@ long do_vserver(uint32_t cmd, uint32_t i
vxi = lookup_vx_info(id);
if (!vxi)
goto out;
+
+ if ((flags & VCF_ADMIN) &&
+ /* special case kill for shutdown */
+ (cmd != VCMD_ctx_kill) &&
+ /* can context be administrated? */
+ !vx_info_flags(vxi, VXF_STATE_ADMIN, 0)) {
+ ret = -EACCES;
+ goto out_vxi;
+ }
}
state = 7;
if (args & VCA_NXI) {
nxi = lookup_nx_info(id);
if (!nxi)
goto out_vxi;
+
+ if ((flags & VCF_ADMIN) &&
+ /* can context be administrated? */
+ !nx_info_flags(nxi, NXF_STATE_ADMIN, 0)) {
+ ret = -EACCES;
+ goto out_nxi;
+ }
}
state = 8;
ret = do_vcmd(cmd, id, vxi, nxi, data, compat);
+out_nxi:
if (args & VCA_NXI)
put_nx_info(nxi);
out_vxi:
|
GitWeb