[Devel] [PATCH rh7] fanotify: Use ve-capable instead of plain capable test

[Cyrill Gorcunov]

To create fanotify objects one have to be sysadmin of a container.
The main potential problem is unlimited number of marks and queue,
but since it uses kmem cgroup to obtain objects this should be
controllable via memory cgroup settings.

https://jira.sw.ru/browse/PSBM-41409

Signed-off-by: Cyrill Gorcunov <gorcunov at virtuozzo.com>
CC: Vladimir Davydov <vdavydov at virtuozzo.com>
CC: Konstantin Khorenko <khorenko at virtuozzo.com>
---
 fs/notify/fanotify/fanotify_user.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

Index: linux-pcs7.git/fs/notify/fanotify/fanotify_user.c
===================================================================
--- linux-pcs7.git.orig/fs/notify/fanotify/fanotify_user.c
+++ linux-pcs7.git/fs/notify/fanotify/fanotify_user.c
@@ -678,7 +678,7 @@ SYSCALL_DEFINE2(fanotify_init, unsigned
 	pr_debug("%s: flags=%d event_f_flags=%d\n",
 		__func__, flags, event_f_flags);
 
-	if (!capable(CAP_SYS_ADMIN))
+	if (!ve_capable(CAP_SYS_ADMIN))
 		return -EPERM;
 
 	if (flags & ~FAN_ALL_INIT_FLAGS)
@@ -730,7 +730,7 @@ SYSCALL_DEFINE2(fanotify_init, unsigned
 
 	if (flags & FAN_UNLIMITED_QUEUE) {
 		fd = -EPERM;
-		if (!capable(CAP_SYS_ADMIN))
+		if (!ve_capable(CAP_SYS_ADMIN))
 			goto out_destroy_group;
 		group->max_events = UINT_MAX;
 	} else {
@@ -739,7 +739,7 @@ SYSCALL_DEFINE2(fanotify_init, unsigned
 
 	if (flags & FAN_UNLIMITED_MARKS) {
 		fd = -EPERM;
-		if (!capable(CAP_SYS_ADMIN))
+		if (!ve_capable(CAP_SYS_ADMIN))
 			goto out_destroy_group;
 		group->fanotify_data.max_marks = UINT_MAX;
 	} else {