• Alexey Gladkov's avatar
    Reimplement RLIMIT_NPROC on top of ucounts · 21d1c5e3
    Alexey Gladkov authored
    The rlimit counter is tied to uid in the user_namespace. This allows
    rlimit values to be specified in userns even if they are already
    globally exceeded by the user. However, the value of the previous
    user_namespaces cannot be exceeded.
    
    To illustrate the impact of rlimits, let's say there is a program that
    does not fork. Some service-A wants to run this program as user X in
    multiple containers. Since the program never fork the service wants to
    set RLIMIT_NPROC=1.
    
    service-A
     \- program (uid=1000, container1, rlimit_nproc=1)
     \- program (uid=1000, container2, rlimit_nproc=1)
    
    The service-A sets RLIMIT_NPROC=1 and runs the program in container1.
    When the service-A tries to run a program with RLIMIT_NPROC=1 in
    container2 it fails since user X already has one running process.
    
    We cannot use existing inc_ucounts / dec_ucounts because they do not
    allow us to exceed the maximum for the counter. Some rlimits can be
    overlimited by root or if the user has the appropriate capability.
    
    Changelog
    
    v11:
    * Change inc_rlimit_ucounts() which now returns top value of ucounts.
    * Drop inc_rlimit_ucounts_and_test() because the return code of
      inc_rlimit_ucounts() can be checked.
    Signed-off-by: default avatarAlexey Gladkov <legion@kernel.org>
    Link: https://lkml.kernel.org/r/c5286a8aa16d2d698c222f7532f3d735c82bc6bc.1619094428.git.legion@kernel.orgSigned-off-by: default avatarEric W. Biederman <ebiederm@xmission.com>
    21d1c5e3
ucount.c 7.29 KB