    inotify: Convert to using per-namespace limits · 1cce1eea
    Nikolay Borisov authored
    This patchset converts inotify to using the newly introduced
    per-userns sysctl infrastructure.
    
    Currently the inotify instances/watches are being accounted in the
    user_struct structure. This means that in setups where multiple
    users in unprivileged containers map to the same underlying
    real user (i.e. pointing to the same user_struct) the inotify limits
    are going to be shared as well, allowing one user (or application) to exhaust
    all the others' limits.
    
    Fix this by switching the inotify sysctls to using the
    per-namespace/per-user limits. This will allow the server admin to
    set sensible global limits, which can further be tuned inside every
    individual user namespace. Additionally, in order to preserve the
    sysctl ABI make the existing inotify instances/watches sysctls
    modify the values of the initial user namespace.
    Signed-off-by: Nikolay Borisov <n.borisov.lkml@gmail.com>
    Acked-by: Jan Kara <jack@suse.cz>
    Acked-by: Serge Hallyn <serge@hallyn.com>
    Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
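Added example, not part of this commit or of the kernel tree: a small C probe that shows the two knobs the commit message describes side by side and measures the limit the caller is actually subject to. It creates inotify instances until the kernel refuses with EMFILE, closes them, and reads both the legacy sysctl `/proc/sys/fs/inotify/max_user_instances` (which after this series reads and writes the initial user namespace's value) and the per-namespace sysctl `/proc/sys/user/max_inotify_instances` (the value that applies to the caller's own user namespace). The sysctl paths are the real ones; the function names, the `MAX_PROBE` cap and the interpretation of the gap between limit and achieved count are this example's own assumptions. Run it once as an ordinary user and once inside `unshare -Ur` to see the per-namespace value take effect.

```c
/* Added example (not from the kernel tree or this commit): measure how many
 * inotify instances this uid/user namespace can still create and compare
 * that with the legacy and per-namespace sysctls.  Assumes Linux >= 4.9
 * with /proc mounted.  Function names and MAX_PROBE are this example's own. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/inotify.h>

/* Hard cap on the probe so a very generous limit cannot burn every fd. */
#define MAX_PROBE 4096

/* Read a single integer sysctl from /proc.  Returns -1 if it cannot be read
 * (file absent on pre-4.9 kernels, /proc not mounted, or permission denied). */
long read_sysctl(const char *path)
{
    FILE *f = fopen(path, "r");
    long v = -1;

    if (!f)
        return -1;
    if (fscanf(f, "%ld", &v) != 1)
        v = -1;
    fclose(f);
    return v;
}

/* Create inotify instances until the kernel refuses with EMFILE (or until
 * MAX_PROBE is reached), then close them all.  Returns the number created,
 * or -1 if creation stopped for any reason other than EMFILE.  Note that
 * EMFILE is also what RLIMIT_NOFILE exhaustion returns, so a count below the
 * sysctl value can mean either "other processes hold the remaining slots"
 * or "the per-process fd limit was hit first". */
long count_inotify_instances(void)
{
    int fds[MAX_PROBE];
    long n = 0;
    int saved_errno = 0;

    while (n < MAX_PROBE) {
        int fd = inotify_init1(IN_CLOEXEC);
        if (fd < 0) {
            saved_errno = errno;
            break;
        }
        fds[n++] = fd;
    }
    for (long i = 0; i < n; i++)
        close(fds[i]);

    if (n < MAX_PROBE && saved_errno != EMFILE)
        return -1;
    return n;
}

int main(void)
{
    /* Legacy ABI: reads and writes the initial user namespace's value. */
    long legacy = read_sysctl("/proc/sys/fs/inotify/max_user_instances");
    /* Per-namespace knob introduced by this series: value for the caller's userns. */
    long perns = read_sysctl("/proc/sys/user/max_inotify_instances");
    long got = count_inotify_instances();

    printf("fs.inotify.max_user_instances  = %ld\n", legacy);
    printf("user.max_inotify_instances     = %ld\n", perns);
    printf("instances created before EMFILE = %ld\n", got);
    if (got >= 0 && perns >= 0 && got < perns)
        printf("%ld slot(s) unavailable: held by other processes of this "
               "uid/userns, or RLIMIT_NOFILE reached first\n", perns - got);
    return 0;
}
```

Inside the initial user namespace the two sysctls show the same number, which is the ABI preservation the commit message promises. Inside `unshare -Ur`, writing a smaller value to `/proc/sys/user/max_inotify_instances` lowers what the probe achieves without touching the host-wide value, and the count can never exceed the limit of any ancestor namespace.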