The commit is pushed to "branch-rh9-5.14.vz9.1.x-ovz" and will appear at 
https://src.openvz.org/scm/ovz/vzkernel.git
after ark-5.14
------>
commit 44d5399d9130c3b6f6042172c273a41c4cc1a513
Author: Cyrill Gorcunov <gorcu...@odin.com>
Date:   Fri Sep 24 15:48:46 2021 +0300

    ve/fanotify: Use ve-capable instead of plain capable test
    
    To create fanotify objects one has to be sysadmin of a container.
    The main potential problem is unlimited number of marks and queue,
    but since it uses kmem cgroup to obtain objects this should be
    controllable via memory cgroup settings.
    
    https://jira.sw.ru/browse/PSBM-41409
    
    Signed-off-by: Cyrill Gorcunov <gorcu...@virtuozzo.com>
    
    Reviewed-by: Vladimir Davydov <vdavy...@virtuozzo.com>
    
    khorenko@: note: up to now we don't know apps which use fanotifies in real
    life, only a specific CRIU unit test.
    
    (cherry picked from vz8 commit e2e1ba373314f19cd2368906e105e934fceec12e)
    Signed-off-by: Andrey Zhadchenko <andrey.zhadche...@virtuozzo.com>
---
 fs/notify/fanotify/fanotify_user.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/fs/notify/fanotify/fanotify_user.c 
b/fs/notify/fanotify/fanotify_user.c
index 28b67cb9458d..32664fb618a2 100644
--- a/fs/notify/fanotify/fanotify_user.c
+++ b/fs/notify/fanotify/fanotify_user.c
@@ -1057,7 +1057,7 @@ SYSCALL_DEFINE2(fanotify_init, unsigned int, flags, 
unsigned int, event_f_flags)
        pr_debug("%s: flags=%x event_f_flags=%x\n",
                 __func__, flags, event_f_flags);
 
-       if (!capable(CAP_SYS_ADMIN)) {
+       if (!ve_capable(CAP_SYS_ADMIN)) {
                /*
                 * An unprivileged user can setup an fanotify group with
                 * limited functionality - an unprivileged group is limited to
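Review bot: the comment kept directly below the changed test `if (!ve_capable(CAP_SYS_ADMIN)) {` still speaks of "an unprivileged user", but after this change the branch is also skipped by a sysadmin of a container, so the comment no longer describes who receives the unrestricted group. The commit message argues only about unlimited marks and queue, while this first test gates everything the branch restricts, not just those two limits. Either update the comment to say that a container admin is treated as privileged here and why that is acceptable for each restriction in the branch, or keep `capable()` at this site and relax only the two limit checks further down.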
@@ -1162,7 +1162,7 @@ SYSCALL_DEFINE2(fanotify_init, unsigned int, flags, 
unsigned int, event_f_flags)
 
        if (flags & FAN_UNLIMITED_QUEUE) {
                fd = -EPERM;
-               if (!capable(CAP_SYS_ADMIN))
+               if (!ve_capable(CAP_SYS_ADMIN))
                        goto out_destroy_group;
                group->max_events = UINT_MAX;
        } else {
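Review bot: in the FAN_UNLIMITED_QUEUE branch a container admin now reaches `group->max_events = UINT_MAX;`, and nothing in the code records that the only remaining bound is the memory cgroup accounting the commit message relies on ("should be controllable"). Add a short comment at this check stating that dependency, and confirm in the commit message that the event objects queued for the group are in fact charged to the container's kmem cgroup, ideally backed by a test that hits the limit from inside a container.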
@@ -1171,7 +1171,7 @@ SYSCALL_DEFINE2(fanotify_init, unsigned int, flags, 
unsigned int, event_f_flags)
 
        if (flags & FAN_UNLIMITED_MARKS) {
                fd = -EPERM;
-               if (!capable(CAP_SYS_ADMIN))
+               if (!ve_capable(CAP_SYS_ADMIN))
                        goto out_destroy_group;
        }
 
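Review bot: this is the third copy of `!ve_capable(CAP_SYS_ADMIN)` inside fanotify_init, and for FAN_UNLIMITED_MARKS the hunk shows no limit left for a container admin other than the cgroup accounting mentioned in the commit message. Consider evaluating the capability once into a local variable at the top of the syscall and using it at all three sites, so the checks cannot drift apart in later rebases or cherry-picks, and note in a comment that mark objects are expected to be charged to the memory cgroup.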