If net_alloc fails we leak the netns_avail_nr counter when it should be
incremented back.
Fixes commit a408265ce710 ("ve/netns: limit number of network namespaces
per container")
Signed-off-by: Pavel Tikhomirov
---
net/core/net_namespace.c | 1 +
1 file changed, 1
"!ve_capable(CAP_NET_ADMIN)" does not actually cover some cases which
"!ns_capable(net->user_ns, CAP_NET_ADMIN)" covered, because if the net
namespace is from the host, the latter gives us EPERM if we are from a CT, but
the former will allow access for CT root.
The change is fine as:
From host's security
The commit is pushed to "branch-rh7-3.10.0-693.11.6.vz7.42.x-ovz" and will
appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-693.11.6.vz7.42.1
commit f18e96e8cabd5cdab762f7db9b5521294e5a96f3
Author: Konstantin Khorenko
Date: Tue Jan 16
On Fri, Jan 12, 2018 at 06:45:58PM +0300, Kirill Tkhai wrote:
> Hi,
>
> this patchset allows avoiding the memory overuse introduced
> by service fds on criu restore. The solution is simple:
> smartly check for the closed fd number, and shrink the fdtable
> if this can be done. The checks happen in