Index: linux-2.6.17/include/linux/vserver/context.h =================================================================== --- linux-2.6.17.orig/include/linux/vserver/context.h +++ linux-2.6.17/include/linux/vserver/context.h @@ -42,6 +42,7 @@ #define VXF_STATE_SETUP (1ULL<<32) #define VXF_STATE_INIT (1ULL<<33) +#define VXF_STATE_ADMIN (1ULL<<34) #define VXF_SC_HELPER (1ULL<<36) #define VXF_REBOOT_KILL (1ULL<<37) @@ -52,9 +53,9 @@ #define VXF_IGNEG_NICE (1ULL<<52) -#define VXF_ONE_TIME (0x0003ULL<<32) +#define VXF_ONE_TIME (0x0007ULL<<32) -#define VXF_INIT_SET (VXF_STATE_SETUP|VXF_STATE_INIT) +#define VXF_INIT_SET (VXF_STATE_SETUP|VXF_STATE_INIT|VXF_STATE_ADMIN) /* context migration */ Index: linux-2.6.17/include/linux/vserver/network.h =================================================================== --- linux-2.6.17.orig/include/linux/vserver/network.h +++ linux-2.6.17/include/linux/vserver/network.h @@ -14,13 +14,14 @@ /* network flags */ #define NXF_STATE_SETUP (1ULL<<32) +#define NXF_STATE_ADMIN (1ULL<<34) #define NXF_SC_HELPER (1ULL<<36) #define NXF_PERSISTENT (1ULL<<38) -#define NXF_ONE_TIME (0x0001ULL<<32) +#define NXF_ONE_TIME (0x0005ULL<<32) -#define NXF_INIT_SET (0) +#define NXF_INIT_SET (NXF_STATE_ADMIN) /* address types */ Index: linux-2.6.17/kernel/vserver/context.c =================================================================== --- linux-2.6.17.orig/kernel/vserver/context.c +++ linux-2.6.17/kernel/vserver/context.c @@ -18,6 +18,7 @@ * V0.11 and back to locking again * V0.12 referenced context store * V0.13 separate per cpu data + * V0.14 added lock and admin flags * */ @@ -693,6 +694,9 @@ int vx_set_reaper(struct vx_info *vxi, s if (!vxi) return -EINVAL; + if (!vx_info_flags(vxi, VXF_STATE_ADMIN, 0)) + return -EACCES; + vxdprintk(VXD_CBIT(xid, 6), "vx_set_reaper(%p[#%d],%p[#%d,%d])", vxi, vxi->vx_id, p, p->xid, p->pid); 
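Review bot: The one-time masks are hex literals that must be kept in step with the flag bits by hand: `VXF_ONE_TIME (0x0007ULL<<32)` here and `NXF_ONE_TIME (0x0005ULL<<32)` in network.h. These masks are passed to vx_mask_mask() in the set-flags handlers and now cover the ADMIN bit that every new access check tests, so a literal that drifts from the flag definitions would presumably change which state bits are treated as one-time without any compile-time hint. Building them from the names keeps the two tied together: `#define VXF_ONE_TIME (VXF_STATE_SETUP|VXF_STATE_INIT|VXF_STATE_ADMIN)` and `#define NXF_ONE_TIME (NXF_STATE_SETUP|NXF_STATE_ADMIN)`, which evaluate to the same values as the literals in this patch.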
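Review bot: The added `VXF_STATE_ADMIN` test gives vx_set_reaper() a new `-EACCES` return, and the next hunk adds the same check to vx_set_init(). Both are in-kernel helpers rather than `vc_*` command handlers, so every existing caller now has to cope with a refusal. The callers are not visible in this diff, so confirm that none of them ignores the return value and carries on as if the reaper or init task had been set. A short comment above each check would also help the next reader, e.g. `/* refuse once the context has dropped VXF_STATE_ADMIN */`. Both function bodies continue outside their hunks.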
@@ -713,6 +717,9 @@ int vx_set_init(struct vx_info *vxi, str if (!vxi) return -EINVAL; + if (!vx_info_flags(vxi, VXF_STATE_ADMIN, 0)) + return -EACCES; + vxdprintk(VXD_CBIT(xid, 6), "vx_set_init(%p[#%d],%p[#%d,%d,%d])", vxi, vxi->vx_id, p, p->xid, p->pid, p->tgid); @@ -913,6 +920,10 @@ int vc_set_cflags(uint32_t id, void __us if (!vxi) return -ESRCH; + ret = -EACCES; + if (!vx_info_flags(vxi, VXF_STATE_ADMIN, 0)) + goto out_put; + /* special STATE flag handling */ mask = vx_mask_mask(vc_data.mask, vxi->vx_flags, VXF_ONE_TIME); trigger = (mask & vxi->vx_flags) ^ (mask & vc_data.flagword); @@ -986,16 +997,22 @@ static int do_set_caps(xid_t xid, uint64 uint64_t ccaps, uint64_t cmask) { struct vx_info *vxi; + int ret; vxi = lookup_vx_info(xid); if (!vxi) return -ESRCH; + ret = -EACCES; + if (!vx_info_flags(vxi, VXF_STATE_ADMIN, 0)) + goto out_put; + vxi->vx_bcaps = vx_mask_flags(vxi->vx_bcaps, bcaps, bmask); vxi->vx_ccaps = vx_mask_flags(vxi->vx_ccaps, ccaps, cmask); - + ret = 0; +out_put: put_vx_info(vxi); - return 0; + return ret; } int vc_set_ccaps_v0(uint32_t id, void __user *data) Index: linux-2.6.17/kernel/vserver/namespace.c =================================================================== --- linux-2.6.17.orig/kernel/vserver/namespace.c +++ linux-2.6.17/kernel/vserver/namespace.c @@ -7,6 +7,7 @@ * * V0.01 broken out from context.c 0.07 * V0.02 added task locking for namespace + * V0.03 added lock and admin flags * */ Index: linux-2.6.17/kernel/vserver/network.c =================================================================== --- linux-2.6.17.orig/kernel/vserver/network.c +++ linux-2.6.17/kernel/vserver/network.c @@ -10,6 +10,7 @@ * V0.03 added equiv nx commands * V0.04 switch to RCU based hash * V0.05 and back to locking again + * V0.06 added lock and admin flags * */ 
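Review bot: In vc_set_cflags() the added lines assign `ret` and jump to `out_put`, but this hunk adds neither an `int ret;` declaration nor an `out_put:` label, unlike the do_set_caps(), vc_set_nflags() and vc_set_ncaps() hunks. If the function does not already have both outside the hunk, this will not build. If it has the label but its tail still ends in `return 0;`, the -EACCES is lost and the caller is told the flags were changed on a locked context. Please confirm the exit path reads `out_put: put_vx_info(vxi); return ret;` as in the other handlers. The function starts and ends outside the hunk.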
@@ -716,6 +717,7 @@ int vc_set_nflags(uint32_t id, void __us struct nx_info *nxi; struct vcmd_net_flags_v0 vc_data; uint64_t mask, trigger; + int ret; if (copy_from_user (&vc_data, data, sizeof(vc_data))) return -EFAULT; @@ -724,6 +726,10 @@ int vc_set_nflags(uint32_t id, void __us if (!nxi) return -ESRCH; + ret = -EACCES; + if (!nx_info_flags(nxi, NXF_STATE_ADMIN, 0)) + goto out_put; + /* special STATE flag handling */ mask = vx_mask_mask(vc_data.mask, nxi->nx_flags, NXF_ONE_TIME); trigger = (mask & nxi->nx_flags) ^ (mask & vc_data.flagword); @@ -732,9 +738,10 @@ int vc_set_nflags(uint32_t id, void __us vc_data.flagword, mask); if (trigger & NXF_PERSISTENT) nx_set_persistent(nxi); - + ret = 0; +out_put: put_nx_info(nxi); - return 0; + return ret; } int vc_get_ncaps(uint32_t id, void __user *data) @@ -759,6 +766,7 @@ int vc_set_ncaps(uint32_t id, void __use { struct nx_info *nxi; struct vcmd_net_caps_v0 vc_data; + int ret; if (copy_from_user (&vc_data, data, sizeof(vc_data))) return -EFAULT; @@ -767,10 +775,16 @@ int vc_set_ncaps(uint32_t id, void __use if (!nxi) return -ESRCH; + ret = -EACCES; + if (!nx_info_flags(nxi, NXF_STATE_ADMIN, 0)) + goto out_put; + nxi->nx_ncaps = vx_mask_flags(nxi->nx_ncaps, vc_data.ncaps, vc_data.cmask); + ret = 0; +out_put: put_nx_info(nxi); - return 0; + return ret; } Index: linux-2.6.17/kernel/vserver/signal.c =================================================================== --- linux-2.6.17.orig/kernel/vserver/signal.c +++ linux-2.6.17/kernel/vserver/signal.c @@ -3,7 +3,7 @@ * * Virtual Server: Signal Support * - * Copyright (C) 2003-2005 Herbert Pötzl + * Copyright (C) 2003-2006 Herbert Pötzl * * V0.01 broken out from vcontext V0.05 * @@ -71,9 +71,9 @@ int vx_info_kill(struct vx_info *vxi, in int vc_ctx_kill(uint32_t id, void __user *data) { - int retval; struct vcmd_ctx_kill_v0 vc_data; struct vx_info *vxi; + int ret; if (copy_from_user (&vc_data, data, sizeof(vc_data))) return -EFAULT; 
@@ -82,9 +82,14 @@ int vc_ctx_kill(uint32_t id, void __user if (!vxi) return -ESRCH; - retval = vx_info_kill(vxi, vc_data.pid, vc_data.sig); + ret = -EACCES; + if (!vx_info_flags(vxi, VXF_STATE_ADMIN, 0) && (vc_data.pid != 1)) + goto out_put; + + ret = vx_info_kill(vxi, vc_data.pid, vc_data.sig); +out_put: put_vx_info(vxi); - return retval; + return ret; }
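Review bot: The condition `!vx_info_flags(vxi, VXF_STATE_ADMIN, 0) && (vc_data.pid != 1)` exempts pid 1 from the admin check, so on a context that has dropped ADMIN any signal in `vc_data.sig` is still passed to vx_info_kill() for that pid. This is the only handler in the patch with such an exception, and nothing says why. If the intent is to keep the context's init signalable after lock-down (presumably for shutdown or reboot), state it in a comment such as `/* locked contexts may still signal their init (pid 1) */`, and consider limiting which signals are allowed on that path. `vc_data.pid` comes straight from copy_from_user(), so how vx_info_kill() resolves the value 1 to a task decides what is actually exempt; that function is outside this hunk and should be checked.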