* Re: [PATCH] mm: overcommit updates
[not found] <200501040611.j046BHoq005158@hera.kernel.org>
@ 2005-01-04 12:36 ` Nikita Danilov
2005-01-04 17:26 ` [PATCH] remove duplicated patch fragment Andries Brouwer
2005-01-04 22:03 ` [PATCH] mm: overcommit updates Alan Cox
0 siblings, 2 replies; 6+ messages in thread
From: Nikita Danilov @ 2005-01-04 12:36 UTC (permalink / raw)
To: Linux Kernel Mailing List; +Cc: Andrew Morton, Andries.Brouwer
Linux Kernel Mailing List <linux-kernel@vger.kernel.org> writes:
> ChangeSet 1.2136.3.17, 2005/01/03 20:15:37-08:00, Andries.Brouwer@cwi.nl
>
[...]
>
> + /* Leave the last 3% for root */
> + if (current->euid)
> + allowed -= allowed / 32;
This results in
/*
* Leave the last 3% for root
*/
if (!capable(CAP_SYS_ADMIN))
allowed -= allowed / 32;
allowed += total_swap_pages;
/* Leave the last 3% for root */
if (current->euid)
allowed -= allowed / 32;
in security/commoncaps.c (and similarly in security/dummy.c). Why
"super-user" reservation is handled twice, and with that antiquated
current->euid check instead of capabilities? Broken merge?
On another account, shouldn't capable(CAP_SYS_ADMIN) checks in
cap_vm_enough_memory() be replaced with capable(CAP_SYS_RESOURCE):
(CAP_SYS_RESOURCE is used by file systems to control reserved disk
blocks)?
Nikita.
^ permalink raw reply [flat|nested] 6+ messages in thread
* [PATCH] remove duplicated patch fragment
2005-01-04 12:36 ` [PATCH] mm: overcommit updates Nikita Danilov
@ 2005-01-04 17:26 ` Andries Brouwer
2005-01-04 22:21 ` Chris Wright
2005-01-04 22:35 ` Chris Wright
2005-01-04 22:03 ` [PATCH] mm: overcommit updates Alan Cox
1 sibling, 2 replies; 6+ messages in thread
From: Andries Brouwer @ 2005-01-04 17:26 UTC (permalink / raw)
To: Nikita Danilov, torvalds
Cc: Linux Kernel Mailing List, Andrew Morton, Andries.Brouwer
On Tue, Jan 04, 2005 at 03:36:11PM +0300, Nikita Danilov wrote:
> /*
> * Leave the last 3% for root
> */
> if (!capable(CAP_SYS_ADMIN))
> allowed -= allowed / 32;
>
> /* Leave the last 3% for root */
> if (current->euid)
> allowed -= allowed / 32;
>
> in security/commoncaps.c (and similarly in security/dummy.c). Why
> "super-user" reservation is handled twice, and with that antiquated
> current->euid check instead of capabilities? Broken merge?
Yes - sorry. The first of these two semi-identical fragments
is from Alan and appeared in patch-2.6.9, two weeks after
the patch under discussion was made. So, the second half
can be dropped. Below a patch.
> On another account, shouldn't capable(CAP_SYS_ADMIN) checks in
> cap_vm_enough_memory() be replaced with capable(CAP_SYS_RESOURCE):
> (CAP_SYS_RESOURCE is used by file systems to control reserved disk
> blocks)?
The use of current->euid comes from the use of current->euid in dummy.c
a few lines higher up in the same routine.
The use of CAP_SYS_ADMIN comes from the use of CAP_SYS_ADMIN in
commoncap.c a few lines higher up in the same routine.
I have no strong opinion about what is best.
Andries
diff -uprN -X /linux/dontdiff a/security/commoncap.c b/security/commoncap.c
--- a/security/commoncap.c 2005-01-04 18:33:40.000000000 +0100
+++ b/security/commoncap.c 2005-01-04 18:35:49.000000000 +0100
@@ -386,10 +386,6 @@ int cap_vm_enough_memory(long pages)
allowed -= allowed / 32;
allowed += total_swap_pages;
- /* Leave the last 3% for root */
- if (current->euid)
- allowed -= allowed / 32;
-
/* Don't let a single process grow too big:
leave 3% of the size of this process for other processes */
allowed -= current->mm->total_vm / 32;
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] mm: overcommit updates
2005-01-04 12:36 ` [PATCH] mm: overcommit updates Nikita Danilov
2005-01-04 17:26 ` [PATCH] remove duplicated patch fragment Andries Brouwer
@ 2005-01-04 22:03 ` Alan Cox
2005-01-04 23:38 ` Andries Brouwer
1 sibling, 1 reply; 6+ messages in thread
From: Alan Cox @ 2005-01-04 22:03 UTC (permalink / raw)
To: Nikita Danilov; +Cc: Linux Kernel Mailing List, Andrew Morton, Andries.Brouwer
Looks like a broken merge to me. When the 3% trick was proposed I
rewrote it as capabilities and submitted it to Linus, now it looks like
some months later the original one has been regurgitated out of -mm
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] remove duplicated patch fragment
2005-01-04 17:26 ` [PATCH] remove duplicated patch fragment Andries Brouwer
@ 2005-01-04 22:21 ` Chris Wright
2005-01-04 22:35 ` Chris Wright
1 sibling, 0 replies; 6+ messages in thread
From: Chris Wright @ 2005-01-04 22:21 UTC (permalink / raw)
To: Andries Brouwer
Cc: Nikita Danilov, torvalds, Linux Kernel Mailing List, Andrew Morton
* Andries Brouwer (Andries.Brouwer@cwi.nl) wrote:
> Yes - sorry. The first of these two semi-identical fragments
> is from Alan and appeared in patch-2.6.9, two weeks after
> the patch under discussion was made. So, the second half
> can be dropped. Below a patch.
Yes, can this please be applied? ;-)
Acked-by: Chris Wright <chrisw@osdl.org>
thanks,
-chris
--
Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] remove duplicated patch fragment
2005-01-04 17:26 ` [PATCH] remove duplicated patch fragment Andries Brouwer
2005-01-04 22:21 ` Chris Wright
@ 2005-01-04 22:35 ` Chris Wright
1 sibling, 0 replies; 6+ messages in thread
From: Chris Wright @ 2005-01-04 22:35 UTC (permalink / raw)
To: Andries Brouwer
Cc: Nikita Danilov, torvalds, Linux Kernel Mailing List, Andrew Morton
* Andries Brouwer (Andries.Brouwer@cwi.nl) wrote:
> On Tue, Jan 04, 2005 at 03:36:11PM +0300, Nikita Danilov wrote:
> > On another account, shouldn't capable(CAP_SYS_ADMIN) checks in
> > cap_vm_enough_memory() be replaced with capable(CAP_SYS_RESOURCE):
> > (CAP_SYS_RESOURCE is used by file systems to control reserved disk
> > blocks)?
>
> The use of current->euid comes from the use of current->euid in dummy.c
> a few lines higher up in the same routine.
> The use of CAP_SYS_ADMIN comes from the use of CAP_SYS_ADMIN in
> commoncap.c a few lines higher up in the same routine.
>
> I have no strong opinion about what is best.
Unfortunately, this what committed on 2003/05/25 (IOW, it's been in
there since 2.5.70). So, we can't really change that w/out possibly
breaking things.
thanks,
-chris
--
Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] mm: overcommit updates
2005-01-04 22:03 ` [PATCH] mm: overcommit updates Alan Cox
@ 2005-01-04 23:38 ` Andries Brouwer
0 siblings, 0 replies; 6+ messages in thread
From: Andries Brouwer @ 2005-01-04 23:38 UTC (permalink / raw)
To: Alan Cox
Cc: Nikita Danilov, Linux Kernel Mailing List, Andrew Morton,
Andries.Brouwer
On Tue, Jan 04, 2005 at 10:03:56PM +0000, Alan Cox wrote:
> Looks like a broken merge to me. When the 3% trick was proposed I
> rewrote it as capabilities and submitted it to Linus, now it looks like
> some months later the original one has been regurgitated out of -mm
No. The two semi-identical fragments have independent origins.
Andries
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2005-01-04 23:42 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
[not found] <200501040611.j046BHoq005158@hera.kernel.org>
2005-01-04 12:36 ` [PATCH] mm: overcommit updates Nikita Danilov
2005-01-04 17:26 ` [PATCH] remove duplicated patch fragment Andries Brouwer
2005-01-04 22:21 ` Chris Wright
2005-01-04 22:35 ` Chris Wright
2005-01-04 22:03 ` [PATCH] mm: overcommit updates Alan Cox
2005-01-04 23:38 ` Andries Brouwer
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).