[Devel] [PATCH rh7] fanotify: Use ve-capable instead of plain capable test

Vladimir Davydov vdavydov at virtuozzo.com
Fri Nov 27 05:47:35 PST 2015


On Wed, Nov 25, 2015 at 06:00:00PM +0300, Cyrill Gorcunov wrote:
> To create fanotify objects one has to be sysadmin of a container.
> The main potential problem is unlimited number of marks and queue,
> but since it uses kmem cgroup to obtain objects this should be
> controllable via memory cgroup settings.

There are lots of kernel objects having the same potential problem that
are not restricted to CAP_SYS_ADMIN though. So I don't think this is the
real cause why access to fanotify was restricted. Have you found any
other explanation of using CAP_SYS_ADMIN there? In the commit message or
man pages, perhaps.

Next, do we really want to enable this feature inside containers? We
don't have it in PCS6 and nobody seems to care.


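To make the point under discussion concrete, here is an added probe (written for this page, not part of the patch or of either message in the thread) that tries fanotify_init() and compares the outcome with the CAP_SYS_ADMIN bit (bit 21) in the caller's effective capability set. With the plain capable() test, the probe succeeds only for a caller that is sysadmin in the init namespace; with the ve-capable variant the patch proposes, a container's own sysadmin would also pass. The CapEff parser is exercised on constructed /proc-status text; the fanotify call itself is made against the running kernel, so its result depends on where the program runs.

```c
/* Added example, not from the patch or the thread: probe whether this
 * context may create a fanotify group and whether that matches its
 * effective CAP_SYS_ADMIN.  Linux only (needs <sys/fanotify.h>). */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/fanotify.h>

#define CAP_SYS_ADMIN_BIT 21   /* CAP_SYS_ADMIN from linux/capability.h */

enum fan_status { FAN_PERMITTED, FAN_DENIED, FAN_UNSUPPORTED, FAN_OTHER };

/* Parse the "CapEff:" line of /proc/<pid>/status text.  Returns 1 if the
 * given capability bit is set, 0 if clear, -1 if the line is missing. */
int cap_in_capeff(const char *status_text, int cap_bit)
{
    const char *p = strstr(status_text, "CapEff:");
    if (!p)
        return -1;
    p += strlen("CapEff:");
    while (*p == ' ' || *p == '\t')
        p++;
    unsigned long long caps = strtoull(p, NULL, 16);
    return (int)((caps >> cap_bit) & 1ULL);
}

/* Read /proc/self/status and report CAP_SYS_ADMIN; -1 on any failure. */
int self_has_cap_sys_admin(void)
{
    char buf[8192];
    int fd = open("/proc/self/status", O_RDONLY);
    if (fd < 0)
        return -1;
    ssize_t n = read(fd, buf, sizeof buf - 1);
    close(fd);
    if (n <= 0)
        return -1;
    buf[n] = '\0';
    return cap_in_capeff(buf, CAP_SYS_ADMIN_BIT);
}

/* Try to create a notification-only fanotify group and classify the result.
 * EPERM is what the CAP_SYS_ADMIN check in fanotify_init() yields. */
enum fan_status fanotify_probe(int *saved_errno)
{
    int fd = fanotify_init(FAN_CLASS_NOTIF | FAN_CLOEXEC, O_RDONLY);
    if (fd >= 0) {
        close(fd);
        *saved_errno = 0;
        return FAN_PERMITTED;
    }
    *saved_errno = errno;
    switch (errno) {
    case EPERM:  return FAN_DENIED;       /* capability check failed */
    case ENOSYS: return FAN_UNSUPPORTED;  /* no fanotify, or syscall filtered */
    default:     return FAN_OTHER;
    }
}

int main(void)
{
    int err;
    enum fan_status st = fanotify_probe(&err);
    int cap = self_has_cap_sys_admin();
    static const char *names[] = { "permitted", "denied", "unsupported", "other" };

    printf("fanotify_init: %s (errno=%d %s)\n", names[st], err, err ? strerror(err) : "-");
    printf("CAP_SYS_ADMIN in CapEff: %s\n", cap < 0 ? "unknown" : cap ? "yes" : "no");
    if (cap == 1 && st == FAN_DENIED)
        puts("note: effective CAP_SYS_ADMIN but fanotify denied: "
             "capability is not honoured by this kernel's capable() test");
    return 0;
}
```

Run it once as host root and once as root inside a container to see which capability test the kernel applies: a container whose root holds CAP_SYS_ADMIN in its own set but still gets EPERM is the case the patch changes.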