[Devel] [PATCH rh7] mm, ve: allow container's root to to ignore mlock limit

Andrey Ryabinin aryabinin at virtuozzo.com
Mon Nov 23 01:51:49 PST 2015


Global root is allowed to exceed memlock limit, so this should be
allowed for container's root too.
capable() works only for global root, so use ve_capable() instead.

Signed-off-by: Andrey Ryabinin <aryabinin at virtuozzo.com>
---
 mm/mlock.c  | 8 ++++----
 mm/mmap.c   | 6 +++---
 mm/mremap.c | 2 +-
 3 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/mm/mlock.c b/mm/mlock.c
index 8dc34a8..9da7d66 100644
--- a/mm/mlock.c
+++ b/mm/mlock.c
@@ -25,7 +25,7 @@
 
 int can_do_mlock(void)
 {
-	if (capable(CAP_IPC_LOCK))
+	if (ve_capable(CAP_IPC_LOCK))
 		return 1;
 	if (rlimit(RLIMIT_MEMLOCK) != 0)
 		return 1;
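Review bot: `can_do_mlock()` is not static, so replacing `capable()` with `ve_capable()` here relaxes the check for every caller of this helper, including any outside the three files this patch touches; those callers are not visible here and should be audited before merge. With the same substitution in the other seven hunks, RLIMIT_MEMLOCK no longer bounds container root, so pinned (unevictable) memory is limited only by whatever per-container accounting applies, which the description does not name. Once that bound is confirmed, I would add a comment above the check such as `/* container root may exceed RLIMIT_MEMLOCK; locked pages remain charged to the container's memory limit */`. The function body continues past the end of the hunk.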
@@ -484,7 +484,7 @@ SYSCALL_DEFINE2(mlock, unsigned long, start, size_t, len)
 	lock_limit >>= PAGE_SHIFT;
 
 	/* check against resource limits */
-	if ((locked <= lock_limit) || capable(CAP_IPC_LOCK))
+	if ((locked <= lock_limit) || ve_capable(CAP_IPC_LOCK))
 		error = do_mlock(start, len, 1);
 	up_write(&current->mm->mmap_sem);
 	if (!error)
@@ -551,7 +551,7 @@ SYSCALL_DEFINE1(mlockall, int, flags)
 
 	ret = -ENOMEM;
 	if (!(flags & MCL_CURRENT) || (current->mm->total_vm <= lock_limit) ||
-	    capable(CAP_IPC_LOCK))
+	    ve_capable(CAP_IPC_LOCK))
 		ret = do_mlockall(flags);
 	up_write(&current->mm->mmap_sem);
 	if (!ret && (flags & MCL_CURRENT))
@@ -588,7 +588,7 @@ int user_shm_lock(size_t size, struct user_struct *user)
 	lock_limit >>= PAGE_SHIFT;
 	spin_lock(&shmlock_user_lock);
 	if (!allowed &&
-	    locked + user->locked_shm > lock_limit && !capable(CAP_IPC_LOCK))
+	    locked + user->locked_shm > lock_limit && !ve_capable(CAP_IPC_LOCK))
 		goto out;
 	get_uid(user);
 	user->locked_shm += locked;
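Review bot: In `user_shm_lock()` the limit is compared against `user->locked_shm`, a per-user counter, and with `!ve_capable(CAP_IPC_LOCK)` container root now skips that comparison while the counter keeps growing. The hunk does not show whether shared memory locked through this path is charged to the container. If this tree's hugetlbfs setup calls `user_shm_lock()` as upstream does, the pages would come from a host-wide pool, so one container could reduce what is left for the others. Please confirm the bound and state it in the commit description, or keep `!capable(CAP_IPC_LOCK)` at this one site. The function starts and ends outside the hunk.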
diff --git a/mm/mmap.c b/mm/mmap.c
index 8796ed6..7743313 100644
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -1280,7 +1280,7 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr,
 		locked += mm->locked_vm;
 		lock_limit = rlimit(RLIMIT_MEMLOCK);
 		lock_limit >>= PAGE_SHIFT;
-		if (locked > lock_limit && !capable(CAP_IPC_LOCK))
+		if (locked > lock_limit && !ve_capable(CAP_IPC_LOCK))
 			return -EAGAIN;
 	}
 
@@ -2135,7 +2135,7 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns
 		locked = mm->locked_vm + grow;
 		limit = ACCESS_ONCE(rlim[RLIMIT_MEMLOCK].rlim_cur);
 		limit >>= PAGE_SHIFT;
-		if (locked > limit && !capable(CAP_IPC_LOCK))
+		if (locked > limit && !ve_capable(CAP_IPC_LOCK))
 			return -ENOMEM;
 	}
 
@@ -2702,7 +2702,7 @@ static unsigned long do_brk(unsigned long addr, unsigned long len, int soft)
 		locked += mm->locked_vm;
 		lock_limit = rlimit(RLIMIT_MEMLOCK);
 		lock_limit >>= PAGE_SHIFT;
-		if (locked > lock_limit && !capable(CAP_IPC_LOCK))
+		if (locked > lock_limit && !ve_capable(CAP_IPC_LOCK))
 			return -EAGAIN;
 	}
 
diff --git a/mm/mremap.c b/mm/mremap.c
index 0b40af6..7a7bbfc 100644
--- a/mm/mremap.c
+++ b/mm/mremap.c
@@ -378,7 +378,7 @@ static struct vm_area_struct *vma_to_resize(unsigned long addr,
 		locked = mm->locked_vm << PAGE_SHIFT;
 		lock_limit = rlimit(RLIMIT_MEMLOCK);
 		locked += new_len - old_len;
-		if (locked > lock_limit && !capable(CAP_IPC_LOCK))
+		if (locked > lock_limit && !ve_capable(CAP_IPC_LOCK))
 			goto Eagain;
 	}
 
-- 
2.4.10


