Commit 5859a2b1 authored by Linus Torvalds's avatar Linus Torvalds
Browse files

Merge branch 'ucount-rlimit-fixes-for-v5.17' of... 

Merge branch 'ucount-rlimit-fixes-for-v5.17' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace

Pull ucounts fix from Eric Biederman:
 "Etienne Dechamps recently found a regression caused by enforcing
  RLIMIT_NPROC for root where the rlimit was not previously enforced.

  Michal Koutný had previously pointed out the inconsistency in
  enforcing the RLIMIT_NPROC that had been on the root owned process
  after the root user creates a user namespace.

  Which makes the fix for the regression simply removing the
  inconsistency"

* 'ucount-rlimit-fixes-for-v5.17' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace:
  ucounts: Fix systemd LimitNPROC with private users regression
parents 7e3d7613 0ac983f5

kernel/user_namespace.c

+13 −1
Original line number Diff line number Diff line
@@ -58,6 +58,18 @@ static void set_cred_user_ns(struct cred *cred, struct user_namespace *user_ns) 
	cred->user_ns = user_ns;

}



static unsigned long enforced_nproc_rlimit(void)

{

	unsigned long limit = RLIM_INFINITY;



	/* Is RLIMIT_NPROC currently enforced? */

	if (!uid_eq(current_uid(), GLOBAL_ROOT_UID) ||

	    (current_user_ns() != &init_user_ns))

		limit = rlimit(RLIMIT_NPROC);



	return limit;

}



/*

 * Create a new user namespace, deriving the creator from the user in the

 * passed credentials, and replacing that user with the new root user for the
@@ -122,7 +134,7 @@ int create_user_ns(struct cred *new) 
	for (i = 0; i < MAX_PER_NAMESPACE_UCOUNTS; i++) {

		ns->ucount_max[i] = INT_MAX;

	}

	set_rlimit_ucount_max(ns, UCOUNT_RLIMIT_NPROC, rlimit(RLIMIT_NPROC));

	set_rlimit_ucount_max(ns, UCOUNT_RLIMIT_NPROC, enforced_nproc_rlimit());

	set_rlimit_ucount_max(ns, UCOUNT_RLIMIT_MSGQUEUE, rlimit(RLIMIT_MSGQUEUE));

	set_rlimit_ucount_max(ns, UCOUNT_RLIMIT_SIGPENDING, rlimit(RLIMIT_SIGPENDING));

	set_rlimit_ucount_max(ns, UCOUNT_RLIMIT_MEMLOCK, rlimit(RLIMIT_MEMLOCK));