[Devel] [PATCH RH9 22/33] ve/fanotify: Use ve-capable instead of plain capable test

Andrey Zhadchenko andrey.zhadchenko at virtuozzo.com
Thu Sep 23 22:08:25 MSK 2021


From: Cyrill Gorcunov <gorcunov at odin.com>

To create fanotify objects one has to be a sysadmin of a container.
The main potential problem is the unlimited number of marks and queue,
but since it uses the kmem cgroup to obtain objects this should be
controllable via memory cgroup settings.

https://jira.sw.ru/browse/PSBM-41409

Signed-off-by: Cyrill Gorcunov <gorcunov at virtuozzo.com>
Reviewed-by: Vladimir Davydov <vdavydov at virtuozzo.com>

khorenko@: note: up to now we don't know of apps which use fanotify in real
life, only a specific CRIU unit test.

(cherry picked from vz8 commit e2e1ba373314f19cd2368906e105e934fceec12e)
Signed-off-by: Andrey Zhadchenko <andrey.zhadchenko at virtuozzo.com>
---
 fs/notify/fanotify/fanotify_user.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/fs/notify/fanotify/fanotify_user.c b/fs/notify/fanotify/fanotify_user.c
index 28b67cb..32664fb 100644
--- a/fs/notify/fanotify/fanotify_user.c
+++ b/fs/notify/fanotify/fanotify_user.c
@@ -1057,7 +1057,7 @@ static struct hlist_head *fanotify_alloc_merge_hash(void)
 	pr_debug("%s: flags=%x event_f_flags=%x\n",
 		 __func__, flags, event_f_flags);
 
-	if (!capable(CAP_SYS_ADMIN)) {
+	if (!ve_capable(CAP_SYS_ADMIN)) {
 		/*
 		 * An unprivileged user can setup an fanotify group with
 		 * limited functionality - an unprivileged group is limited to
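Review bot: the in-code comment right below the changed test still describes the else-branch as the path for "an unprivileged user", but with ve_capable() a container's root now passes the check and gets the full-featured group instead of the limited one; the commit message only discusses memory for marks and the queue, so please either extend the comment to say that "privileged" here means CAP_SYS_ADMIN within the VE, or state in the commit message that a container admin is deliberately granted the unrestricted group type, since the two remaining ve_capable() sites below only cover the FAN_UNLIMITED_* flags and not this broader distinction.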
@@ -1162,7 +1162,7 @@ static struct hlist_head *fanotify_alloc_merge_hash(void)
 
 	if (flags & FAN_UNLIMITED_QUEUE) {
 		fd = -EPERM;
-		if (!capable(CAP_SYS_ADMIN))
+		if (!ve_capable(CAP_SYS_ADMIN))
 			goto out_destroy_group;
 		group->max_events = UINT_MAX;
 	} else {
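Review bot: after this change `group->max_events = UINT_MAX;` is reachable by a container admin, so the only bound on queue growth is the memory-cgroup accounting the commit message relies on; the hunk itself does not show the event allocation being charged to the container's kmem cgroup, so please name the allocation site (or add a one-line comment above `if (flags & FAN_UNLIMITED_QUEUE)`) so a later reader can verify that the "controllable via memory cgroup settings" claim actually holds for this path.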
@@ -1171,7 +1171,7 @@ static struct hlist_head *fanotify_alloc_merge_hash(void)
 
 	if (flags & FAN_UNLIMITED_MARKS) {
 		fd = -EPERM;
-		if (!capable(CAP_SYS_ADMIN))
+		if (!ve_capable(CAP_SYS_ADMIN))
 			goto out_destroy_group;
 	}
 
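Review bot: same concern as for FAN_UNLIMITED_QUEUE applies to FAN_UNLIMITED_MARKS: the three checks are now mechanically identical and, for a VE admin, the mark count is bounded only by cgroup charging of the mark objects, which this hunk does not demonstrate; given the khorenko@ note that no real-world consumer is known beyond a CRIU test, it would be worth adding a sentence to the commit message on whether the per-container limit was tested under memory pressure, so the reviewer tag reflects an actual check rather than the stated expectation.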
-- 
1.8.3.1
