Quoting Dan Smith (danms@xxxxxxxxxx): > As pointed out by Serge, we shouldn't call capable() unless we know we'll > need to exercise the ability. > > Signed-off-by: Dan Smith <danms@xxxxxxxxxx> > Cc: serue@xxxxxxxxxx thanks Acked-by: Serge Hallyn <serue@xxxxxxxxxx> > --- > net/unix/checkpoint.c | 11 ++++++++++- > 1 files changed, 10 insertions(+), 1 deletions(-) > > diff --git a/net/unix/checkpoint.c b/net/unix/checkpoint.c > index 23040ce..55dfac1 100644 > --- a/net/unix/checkpoint.c > +++ b/net/unix/checkpoint.c > @@ -278,9 +278,18 @@ static int sock_read_buffer_sendmsg(struct ckpt_ctx *ctx, > unix_sk(sk)->peer->sk_shutdown &= ~SHUTDOWN_MASK; > } > > - /* Make sure there's room in the send buffer */ > + /* Make sure there's room in the send buffer: Worst case, we > + * give them the benefit of the doubt and set the buffer limit > + * to the system default. This should cover the case where > + * the user set the limit low after loading up the buffer. > + * > + * However, if there isn't room in the buffer and the system > + * default won't accommodate them either, then increase the > + * limit as needed, only if they have CAP_NET_ADMIN. > + */ > sndbuf = sk->sk_sndbuf; > if (((sk->sk_sndbuf - atomic_read(&sk->sk_wmem_alloc)) < h->lin_len) && > + (h->lin_len > sysctl_wmem_max) && > capable(CAP_NET_ADMIN)) > sk->sk_sndbuf += h->lin_len; > else > -- > 1.6.2.5 _______________________________________________ Containers mailing list Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx https://lists.linux-foundation.org/mailman/listinfo/containers
