Reimplement RLIMIT_NPROC on top of ucounts
The rlimit counter is tied to uid in the user_namespace. This allows rlimit values to be specified in userns even if they are already globally exceeded by the user. However, the value of the previous user_namespaces cannot be exceeded. To illustrate the impact of rlimits, let's say there is a program that does not fork. Some service-A wants to run this program as user X in multiple containers. Since the program never fork the service wants to set RLIMIT_NPROC=1. service-A \- program (uid=1000, container1, rlimit_nproc=1) \- program (uid=1000, container2, rlimit_nproc=1) The service-A sets RLIMIT_NPROC=1 and runs the program in container1. When the service-A tries to run a program with RLIMIT_NPROC=1 in container2 it fails since user X already has one running process. We cannot use existing inc_ucounts / dec_ucounts because they do not allow us to exceed the maximum for the counter. Some rlimits can be overlimited by root or if the user has the appropriate capability. Changelog v11: * Change inc_rlimit_ucounts() which now returns top value of ucounts. * Drop inc_rlimit_ucounts_and_test() because the return code of inc_rlimit_ucounts() can be checked. Signed-off-by: Alexey Gladkov <legion@kernel.org> Link: https://lkml.kernel.org/r/c5286a8aa16d2d698c222f7532f3d735c82bc6bc.1619094428.git.legion@kernel.org Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
parent
b6c33652
-
mentioned in commit 5ddf994f
-
mentioned in commit 629715ad
-
mentioned in commit f7f7e4db
-
mentioned in commit a55d0729
-
mentioned in commit 8f2f9c4d
-
mentioned in commit 0cbae9e2
-
mentioned in commit c923a8e7
-
mentioned in commit d464492e
-
mentioned in commit 2d2d92cf
-
mentioned in commit efc853d8
-
mentioned in commit 2b2be95b
-
mentioned in commit 5f68f27d
-
mentioned in commit 0c6c4d6d
-
mentioned in commit ce6c0486
-
mentioned in commit 4ac77eb2
-
mentioned in commit 0ac983f5
Please register or sign in to comment