From: Cyrill Gorcunov <gorcu...@odin.com>

To create fanotify objects one has to be sysadmin of a container. The main potential problem is an unlimited number of marks and queue, but since it uses kmem cgroup to obtain objects this should be controllable via memory cgroup settings.
https://jira.sw.ru/browse/PSBM-41409 Signed-off-by: Cyrill Gorcunov <gorcu...@virtuozzo.com> Reviewed-by: Vladimir Davydov <vdavy...@virtuozzo.com> khorenko@: note: up to now we don't know apps which use fanotifies in real life, only a specific CRIU unit test. (cherry picked from vz8 commit e2e1ba373314f19cd2368906e105e934fceec12e) Signed-off-by: Andrey Zhadchenko <andrey.zhadche...@virtuozzo.com> --- fs/notify/fanotify/fanotify_user.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/fs/notify/fanotify/fanotify_user.c b/fs/notify/fanotify/fanotify_user.c index 28b67cb..32664fb 100644 --- a/fs/notify/fanotify/fanotify_user.c +++ b/fs/notify/fanotify/fanotify_user.c @@ -1057,7 +1057,7 @@ static struct hlist_head *fanotify_alloc_merge_hash(void) pr_debug("%s: flags=%x event_f_flags=%x\n", __func__, flags, event_f_flags); - if (!capable(CAP_SYS_ADMIN)) { + if (!ve_capable(CAP_SYS_ADMIN)) { /* * An unprivileged user can setup an fanotify group with * limited functionality - an unprivileged group is limited to @@ -1162,7 +1162,7 @@ static struct hlist_head *fanotify_alloc_merge_hash(void) if (flags & FAN_UNLIMITED_QUEUE) { fd = -EPERM; - if (!capable(CAP_SYS_ADMIN)) + if (!ve_capable(CAP_SYS_ADMIN)) goto out_destroy_group; group->max_events = UINT_MAX; } else { @@ -1171,7 +1171,7 @@ static struct hlist_head *fanotify_alloc_merge_hash(void) if (flags & FAN_UNLIMITED_MARKS) { fd = -EPERM; - if (!capable(CAP_SYS_ADMIN)) + if (!ve_capable(CAP_SYS_ADMIN)) goto out_destroy_group; } -- 1.8.3.1 _______________________________________________ Devel mailing list Devel@openvz.org https://lists.openvz.org/mailman/listinfo/devel
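Review bot: the commit message justifies only the marks/queue limits, but the first hunk (the `if (!ve_capable(CAP_SYS_ADMIN))` at line 1057 in fanotify_init) is the check that decides whether a caller gets the "limited functionality" group described in the comment that follows or the full-featured one, so a container root now takes the full branch and every restriction applied in the unprivileged branch is lifted for it, not just the two limits discussed. Please extend the message to say why the remaining restrictions in that branch are also safe to hand to a container admin, or keep `capable()` here and relax only the two limit checks below if that is the intent.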
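Review bot: the kmem-cgroup argument needs to hold for the FAN_UNLIMITED_QUEUE hunk at line 1162, where `group->max_events = UINT_MAX;` removes the only in-kernel bound visible here. Queued events are allocated when an event is generated, not when the group is created, so the message should confirm that those allocations are charged to the container owning the listener (the one whose admin passed `ve_capable(CAP_SYS_ADMIN)`) rather than to whichever task touched the marked object; if they are charged to the producer, a container admin could grow a queue that is accounted against someone else's cgroup.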
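Review bot: the FAN_UNLIMITED_MARKS hunk at line 1171 is the third identical `capable()` -> `ve_capable()` substitution, and the khorenko note says the only known user is a CRIU unit test. Since the safety argument for all three hunks rests entirely on memory cgroup accounting, the message (or the test referenced) should state that the unlimited-marks and unlimited-queue paths were exercised from inside a container with a memory limit set and that the allocation failure was observed there, otherwise "should be controllable" remains an untested assumption.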