Global root is allowed to exceed memlock limit, so this should be
allowed for container's root too.
capable() works only for global root, so use ve_capable() instead.

Signed-off-by: Andrey Ryabinin <aryabi...@virtuozzo.com>
---
 mm/mlock.c  | 8 ++++----
 mm/mmap.c   | 6 +++---
 mm/mremap.c | 2 +-
 3 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/mm/mlock.c b/mm/mlock.c
index 8dc34a8..9da7d66 100644
--- a/mm/mlock.c
+++ b/mm/mlock.c
@@ -25,7 +25,7 @@
 
 int can_do_mlock(void)
 {
-       if (capable(CAP_IPC_LOCK))
+       if (ve_capable(CAP_IPC_LOCK))
                return 1;
        if (rlimit(RLIMIT_MEMLOCK) != 0)
                return 1;
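Review bot: With `ve_capable(CAP_IPC_LOCK)` as the first test in `can_do_mlock()`, container root passes this gate even when RLIMIT_MEMLOCK is 0. The same switch in the mlock, mlockall, user_shm_lock, do_mmap_pgoff, acct_stack_growth, do_brk and vma_to_resize hunks removes the rlimit as a bound on locked pages for that user. Locked pages cannot be reclaimed, so the commit message should state what still bounds them per container (presumably the container's memory accounting, which is not visible here), so that one container cannot pin host memory. Once that is confirmed, I would add a comment above the check such as `/* CT root may exceed RLIMIT_MEMLOCK; locked pages stay bounded by the container's memory limit */`. `can_do_mlock()` continues past the end of the hunk and its callers are not shown, so every user of this helper inherits the relaxed check.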
@@ -484,7 +484,7 @@ SYSCALL_DEFINE2(mlock, unsigned long, start, size_t, len)
        lock_limit >>= PAGE_SHIFT;
 
        /* check against resource limits */
-       if ((locked <= lock_limit) || capable(CAP_IPC_LOCK))
+       if ((locked <= lock_limit) || ve_capable(CAP_IPC_LOCK))
                error = do_mlock(start, len, 1);
        up_write(&current->mm->mmap_sem);
        if (!error)
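Review bot: The privilege decision `ve_capable(CAP_IPC_LOCK)` is now open-coded next to a limit comparison at eight call sites across the three files, starting with this one in the mlock syscall. That makes it easy for a later change to update some sites and miss others. A small static inline helper taking `locked` and `lock_limit` in the same unit would keep the policy in one place, used as `if (memlock_over_limit(locked, lock_limit)) return -EAGAIN;` (helper name is only a suggestion). The vma_to_resize hunk compares bytes rather than pages, so that caller would need to pass both values in matching units. The syscall body starts and ends outside this hunk.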
@@ -551,7 +551,7 @@ SYSCALL_DEFINE1(mlockall, int, flags)
 
        ret = -ENOMEM;
        if (!(flags & MCL_CURRENT) || (current->mm->total_vm <= lock_limit) ||
-           capable(CAP_IPC_LOCK))
+           ve_capable(CAP_IPC_LOCK))
                ret = do_mlockall(flags);
        up_write(&current->mm->mmap_sem);
        if (!ret && (flags & MCL_CURRENT))
@@ -588,7 +588,7 @@ int user_shm_lock(size_t size, struct user_struct *user)
        lock_limit >>= PAGE_SHIFT;
        spin_lock(&shmlock_user_lock);
        if (!allowed &&
-           locked + user->locked_shm > lock_limit && !capable(CAP_IPC_LOCK))
+           locked + user->locked_shm > lock_limit && !ve_capable(CAP_IPC_LOCK))
                goto out;
        get_uid(user);
        user->locked_shm += locked;
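Review bot: The exemption in `user_shm_lock()` only takes effect if its callers let container root get this far. Those callers are outside this diff and the diffstat touches only mm/ files, so any `capable(CAP_IPC_LOCK)` test left on those paths would keep the old global-root-only behaviour and make the result inconsistent. It is worth grepping for the remaining `capable(CAP_IPC_LOCK)` users and either converting them or saying in the commit message why they stay. The function starts and ends outside the hunk.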
diff --git a/mm/mmap.c b/mm/mmap.c
index 8796ed6..7743313 100644
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -1280,7 +1280,7 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned 
long addr,
                locked += mm->locked_vm;
                lock_limit = rlimit(RLIMIT_MEMLOCK);
                lock_limit >>= PAGE_SHIFT;
-               if (locked > lock_limit && !capable(CAP_IPC_LOCK))
+               if (locked > lock_limit && !ve_capable(CAP_IPC_LOCK))
                        return -EAGAIN;
        }
 
@@ -2135,7 +2135,7 @@ static int acct_stack_growth(struct vm_area_struct *vma, 
unsigned long size, uns
                locked = mm->locked_vm + grow;
                limit = ACCESS_ONCE(rlim[RLIMIT_MEMLOCK].rlim_cur);
                limit >>= PAGE_SHIFT;
-               if (locked > limit && !capable(CAP_IPC_LOCK))
+               if (locked > limit && !ve_capable(CAP_IPC_LOCK))
                        return -ENOMEM;
        }
 
@@ -2702,7 +2702,7 @@ static unsigned long do_brk(unsigned long addr, unsigned 
long len, int soft)
                locked += mm->locked_vm;
                lock_limit = rlimit(RLIMIT_MEMLOCK);
                lock_limit >>= PAGE_SHIFT;
-               if (locked > lock_limit && !capable(CAP_IPC_LOCK))
+               if (locked > lock_limit && !ve_capable(CAP_IPC_LOCK))
                        return -EAGAIN;
        }
 
diff --git a/mm/mremap.c b/mm/mremap.c
index 0b40af6..7a7bbfc 100644
--- a/mm/mremap.c
+++ b/mm/mremap.c
@@ -378,7 +378,7 @@ static struct vm_area_struct *vma_to_resize(unsigned long 
addr,
                locked = mm->locked_vm << PAGE_SHIFT;
                lock_limit = rlimit(RLIMIT_MEMLOCK);
                locked += new_len - old_len;
-               if (locked > lock_limit && !capable(CAP_IPC_LOCK))
+               if (locked > lock_limit && !ve_capable(CAP_IPC_LOCK))
                        goto Eagain;
        }
 
-- 
2.4.10
