Thanks for your both replies. We will waiting for the patchset, and
modify as per Richard's suggestion for temporary hack.
On 2015/4/17 3:31, Richard Weinberger wrote:
> On Thu, Apr 16, 2015 at 5:08 PM, Azat Khuzhin <a3at.m...@gmail.com> wrote:
>> On Thu, Apr 16, 2015 at 07:43:34PM +0800, Wuqixuan wrote:
>>> The process, supposed in one container, can't flush the metadata
>>> and data of the all host's partitions without CAP_SYS_ADMIN
>>> capability, like sys_mount is doing. The checking will prevent some
>>> vicious programs impacting IO sequnces of those partitions,
>>> particularly, the ones which can't be accessed in the container.
>>>
>>> Signed-off-by: Last Wu <wuqix...@huawei.com>
>>> ---
>>> fs/sync.c | 3 +++
>>> 1 file changed, 3 insertions(+)
>>>
>>> diff --git a/fs/sync.c b/fs/sync.c
>>> index fbc98ee..9f07909 100644
>>> --- a/fs/sync.c
>>> +++ b/fs/sync.c
>>> @@ -103,6 +103,9 @@ SYSCALL_DEFINE0(sync)
>>> {
>>> int nowait = 0, wait = 1;
>>>
>>> + if (!capable(CAP_SYS_ADMIN))
>>> + return -EPERM;
>> So after this patch I can't call sync as a regular user? (even without
>> containers).
>> But nothing in sync(2) says about special permissions for this.
> Yeah, this solution will break userspace.
> A much more generic solution would be to wait for cgroup aware writeback[1].
> As temporary hack you can check whether the calling process is in the
> initial pid namesapce to detect
> a container calling sync(2)...
>
> [1] https://lwn.net/Articles/628631/
>
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
