[PATCHv3] inotify: Convert to using per-namespace limits
Eric W. Biederman
ebiederm at xmission.com
Wed Dec 14 22:29:06 UTC 2016
Nikolay Borisov <n.borisov.lkml at gmail.com> writes:
> This patchset converts inotify to using the newly introduced
> per-userns sysctl infrastructure.
> Currently the inotify instances/watches are being accounted in the
> user_struct structure. This means that in setups where multiple
> users in unprivileged containers map to the same underlying
> real user (i.e. pointing to the same user_struct) the inotify limits
> are going to be shared as well, allowing one user (or application) to exhaust
> all others' limits.
> Fix this by switching the inotify sysctls to using the
> per-namespace/per-user limits. This will allow the server admin to
> set sensible global limits, which can further be tuned inside every
> individual user namespace. Additionally, in order to preserve the
> sysctl ABI make the existing inotify instances/watches sysctls
> modify the values of the initial user namespace.
> Signed-off-by: Nikolay Borisov <n.borisov.lkml at gmail.com>
> Acked-by: Jan Kara <jack at suse.cz>
> Acked-by: Serge Hallyn <serge at hallyn.com>
> Okay, so here is another version, which should
> hopefully be free of slab corruptions. There was an issue
> where in ucount.c the ifdef was checking the CONFIG_INOTIFY_USER_
> (pay attention to the trailing _, this was clearly a mistake). This
> led to the user_table (and all tables duplicated from it) not
> containing the inotify-related members. In my local testing I got
> kasan splats even during kernel boot, due to out-of-bound writes.
> Let's see how this version fares.
Thank you I will place this in my for-testing branch shortly and see how
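The quoted description explains why the old accounting is a problem: inotify instances and watches are charged to the user_struct, so every container whose users map to the same real uid draws from one shared pool capped by fs.inotify.max_user_instances and fs.inotify.max_user_watches. The script below is an added example (not part of the patch or this thread) that lets an admin see which uid is consuming that pool by aggregating inotify descriptors and their watches from /proc; the sample records are constructed, the uid/pid/fd names are illustrative, and it assumes the standard /proc/<pid>/fdinfo layout for inotify descriptors.

```python
import os
import re
from collections import defaultdict

# Each watch on an inotify descriptor shows up as one "inotify wd:N ..." line
# in /proc/<pid>/fdinfo/<fd>; the descriptor itself links to anon_inode:inotify.
WATCH_RE = re.compile(r"^inotify wd:\d+ ", re.M)

def count_inotify(records):
    """records: iterable of (uid, pid, fd_link, fdinfo_text).
    Returns {uid: {"instances": n, "watches": m}}, the two quantities that
    max_user_instances / max_user_watches cap per user."""
    usage = defaultdict(lambda: {"instances": 0, "watches": 0})
    for uid, _pid, fd_link, fdinfo in records:
        if fd_link != "anon_inode:inotify":   # only inotify descriptors count
            continue
        usage[uid]["instances"] += 1
        usage[uid]["watches"] += len(WATCH_RE.findall(fdinfo))
    return dict(usage)

def near_limit(usage, max_instances, max_watches, threshold=0.8):
    """uids whose instance or watch count is at or above threshold * limit."""
    return sorted(uid for uid, u in usage.items()
                  if u["instances"] >= threshold * max_instances
                  or u["watches"] >= threshold * max_watches)

def scan_proc(proc="/proc"):
    """Live collection on Linux (root needed to inspect other users' processes).
    Yields records in the shape count_inotify() expects."""
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(f"{proc}/{pid}/status") as f:
                uid = int(next(l for l in f if l.startswith("Uid:")).split()[1])
            for fd in os.listdir(f"{proc}/{pid}/fd"):
                link = os.readlink(f"{proc}/{pid}/fd/{fd}")
                with open(f"{proc}/{pid}/fdinfo/{fd}") as f:
                    yield uid, int(pid), link, f.read()
        except OSError:
            continue   # process exited, or not ours to inspect

# Constructed sample records (not captured from a real system).
SAMPLE = [
    (1000, 4242, "anon_inode:inotify", "pos:\t0\nflags:\t02004002\nmnt_id:\t14\n"
     "inotify wd:1 ino:2a sdev:800013 mask:800afce ignored_mask:0\n"
     "inotify wd:2 ino:2b sdev:800013 mask:800afce ignored_mask:0\n"),
    (1000, 4242, "anon_inode:inotify", "pos:\t0\nflags:\t02004002\nmnt_id:\t14\n"
     "inotify wd:1 ino:2c sdev:800013 mask:800afce ignored_mask:0\n"),
    (1000, 4300, "anon_inode:inotify", "pos:\t0\nflags:\t02000002\nmnt_id:\t14\n"
     "inotify wd:1 ino:2d sdev:800013 mask:800afce ignored_mask:0\n"),
    (0, 1, "anon_inode:inotify", "pos:\t0\nflags:\t02004002\nmnt_id:\t14\n"),
    (1000, 4242, "/dev/null", "pos:\t0\nflags:\t02\nmnt_id:\t14\n"),
]

if __name__ == "__main__":
    usage = count_inotify(SAMPLE)
    print(usage, near_limit(usage, max_instances=128, max_watches=5))
```

On a real host, replace SAMPLE with scan_proc() and read the limits from /proc/sys/fs/inotify/; with the per-namespace patch applied, the same comparison has to be made inside each user namespace against its own limits.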