Global root is allowed to exceed memlock limit, so this should be allowed for container's root too. capable() works only for global root, so use ve_capable() instead.
Signed-off-by: Andrey Ryabinin <aryabi...@virtuozzo.com> --- mm/mlock.c | 8 ++++---- mm/mmap.c | 6 +++--- mm/mremap.c | 2 +- 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/mm/mlock.c b/mm/mlock.c index 8dc34a8..9da7d66 100644 --- a/mm/mlock.c +++ b/mm/mlock.c @@ -25,7 +25,7 @@ int can_do_mlock(void) { - if (capable(CAP_IPC_LOCK)) + if (ve_capable(CAP_IPC_LOCK)) return 1; if (rlimit(RLIMIT_MEMLOCK) != 0) return 1; @@ -484,7 +484,7 @@ SYSCALL_DEFINE2(mlock, unsigned long, start, size_t, len) lock_limit >>= PAGE_SHIFT; /* check against resource limits */ - if ((locked <= lock_limit) || capable(CAP_IPC_LOCK)) + if ((locked <= lock_limit) || ve_capable(CAP_IPC_LOCK)) error = do_mlock(start, len, 1); up_write(¤t->mm->mmap_sem); if (!error) @@ -551,7 +551,7 @@ SYSCALL_DEFINE1(mlockall, int, flags) ret = -ENOMEM; if (!(flags & MCL_CURRENT) || (current->mm->total_vm <= lock_limit) || - capable(CAP_IPC_LOCK)) + ve_capable(CAP_IPC_LOCK)) ret = do_mlockall(flags); up_write(¤t->mm->mmap_sem); if (!ret && (flags & MCL_CURRENT)) @@ -588,7 +588,7 @@ int user_shm_lock(size_t size, struct user_struct *user) lock_limit >>= PAGE_SHIFT; spin_lock(&shmlock_user_lock); if (!allowed && - locked + user->locked_shm > lock_limit && !capable(CAP_IPC_LOCK)) + locked + user->locked_shm > lock_limit && !ve_capable(CAP_IPC_LOCK)) goto out; get_uid(user); user->locked_shm += locked; diff --git a/mm/mmap.c b/mm/mmap.c index 8796ed6..7743313 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -1280,7 +1280,7 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr, locked += mm->locked_vm; lock_limit = rlimit(RLIMIT_MEMLOCK); lock_limit >>= PAGE_SHIFT; - if (locked > lock_limit && !capable(CAP_IPC_LOCK)) + if (locked > lock_limit && !ve_capable(CAP_IPC_LOCK)) return -EAGAIN; } @@ -2135,7 +2135,7 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns locked = mm->locked_vm + grow; limit = ACCESS_ONCE(rlim[RLIMIT_MEMLOCK].rlim_cur); limit >>= PAGE_SHIFT; - if (locked > limit && !capable(CAP_IPC_LOCK)) + if (locked > limit && !ve_capable(CAP_IPC_LOCK)) return -ENOMEM; } @@ -2702,7 +2702,7 @@ static unsigned long do_brk(unsigned long addr, unsigned long len, int soft) locked += mm->locked_vm; lock_limit = rlimit(RLIMIT_MEMLOCK); lock_limit >>= PAGE_SHIFT; - if (locked > lock_limit && !capable(CAP_IPC_LOCK)) + if (locked > lock_limit && !ve_capable(CAP_IPC_LOCK)) return -EAGAIN; } diff --git a/mm/mremap.c b/mm/mremap.c index 0b40af6..7a7bbfc 100644 --- a/mm/mremap.c +++ b/mm/mremap.c @@ -378,7 +378,7 @@ static struct vm_area_struct *vma_to_resize(unsigned long addr, locked = mm->locked_vm << PAGE_SHIFT; lock_limit = rlimit(RLIMIT_MEMLOCK); locked += new_len - old_len; - if (locked > lock_limit && !capable(CAP_IPC_LOCK)) + if (locked > lock_limit && !ve_capable(CAP_IPC_LOCK)) goto Eagain; } -- 2.4.10 _______________________________________________ Devel mailing list Devel@openvz.org https://lists.openvz.org/mailman/listinfo/devel