[Devel] [PATCH RHEL7 COMMIT] ve/fanotify: Use ve-capable instead of plain capable test
Konstantin Khorenko
khorenko at virtuozzo.com
Wed Dec 2 07:15:38 PST 2015
The commit is pushed to "branch-rh7-3.10.0-229.7.2.vz7.9.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rebase
------>
commit dab4ee299737a29e2db6a9e25df6db3fb59ce0b3
Author: Cyrill Gorcunov <gorcunov at odin.com>
Date: Wed Dec 2 19:15:38 2015 +0400
ve/fanotify: Use ve-capable instead of plain capable test
To create fanotify objects one has to be sysadmin of a container.
The main potential problem is unlimited number of marks and queue,
but since it uses kmem cgroup to obtain objects this should be
controllable via memory cgroup settings.
https://jira.sw.ru/browse/PSBM-41409
Signed-off-by: Cyrill Gorcunov <gorcunov at virtuozzo.com>
Reviewed-by: Vladimir Davydov <vdavydov at virtuozzo.com>
khorenko@: note: up to now we don't know apps which use fanotifies in real
life, only a specific CRIU unit test.
---
fs/notify/fanotify/fanotify_user.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/fs/notify/fanotify/fanotify_user.c b/fs/notify/fanotify/fanotify_user.c
index f1680cd..9ac303f 100644
--- a/fs/notify/fanotify/fanotify_user.c
+++ b/fs/notify/fanotify/fanotify_user.c
@@ -678,7 +678,7 @@ SYSCALL_DEFINE2(fanotify_init, unsigned int, flags, unsigned int, event_f_flags)
pr_debug("%s: flags=%d event_f_flags=%d\n",
__func__, flags, event_f_flags);
- if (!capable(CAP_SYS_ADMIN))
+ if (!ve_capable(CAP_SYS_ADMIN))
return -EPERM;
if (flags & ~FAN_ALL_INIT_FLAGS)
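Review bot: the entry check `if (!ve_capable(CAP_SYS_ADMIN))` now gates every flag that the `FAN_ALL_INIT_FLAGS` mask on the following line lets through, but the commit message only reasons about unlimited marks and queue. Please state in the commit message, or in a comment above this check, that the remaining init flags were reviewed for use by a container sysadmin. Also say how `ve_capable()` differs from `capable()`, since its definition is not part of this diff and a reader of fanotify_user.c cannot tell what the new test admits.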
@@ -730,7 +730,7 @@ SYSCALL_DEFINE2(fanotify_init, unsigned int, flags, unsigned int, event_f_flags)
if (flags & FAN_UNLIMITED_QUEUE) {
fd = -EPERM;
- if (!capable(CAP_SYS_ADMIN))
+ if (!ve_capable(CAP_SYS_ADMIN))
goto out_destroy_group;
group->max_events = UINT_MAX;
} else {
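Review bot: the test inside `if (flags & FAN_UNLIMITED_QUEUE)` is now identical to the entry check at the top of fanotify_init, so it rejects nobody who got this far, and any container sysadmin can set `group->max_events = UINT_MAX`. If the unlimited queue is meant to stay a host-only privilege, keep `capable(CAP_SYS_ADMIN)` here and relax only the entry check. If it is meant to be open to containers, drop the duplicate test and add a comment saying that kmem cgroup accounting is the only bound on queue growth.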
@@ -739,7 +739,7 @@ SYSCALL_DEFINE2(fanotify_init, unsigned int, flags, unsigned int, event_f_flags)
if (flags & FAN_UNLIMITED_MARKS) {
fd = -EPERM;
- if (!capable(CAP_SYS_ADMIN))
+ if (!ve_capable(CAP_SYS_ADMIN))
goto out_destroy_group;
group->fanotify_data.max_marks = UINT_MAX;
} else {
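Review bot: `group->fanotify_data.max_marks = UINT_MAX` under `FAN_UNLIMITED_MARKS` becomes reachable from inside a container, and the only bound offered is the commit message's "should be controllable via memory cgroup settings". That needs confirming before merge. A test that requests FAN_UNLIMITED_MARKS in a container with a kmem limit set and checks that mark creation fails once the limit is hit would do. The note that only a CRIU unit test uses fanotify today suggests this path has no coverage. As with the queue case, the repeated `ve_capable(CAP_SYS_ADMIN)` test adds nothing beyond the entry check.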