Nikolay Borisov <n.borisov.lkml@xxxxxxxxx> writes:

> This patchset converts inotify to using the newly introduced
> per-userns sysctl infrastructure.
>
> Currently the inotify instances/watches are being accounted in the
> user_struct structure. This means that in setups where multiple
> users in unprivileged containers map to the same underlying
> real user (i.e. pointing to the same user_struct) the inotify limits
> are going to be shared as well, allowing one user (or application) to exhaust
> all others' limits.
>
> Fix this by switching the inotify sysctls to using the
> per-namespace/per-user limits. This will allow the server admin to
> set sensible global limits, which can further be tuned inside every
> individual user namespace. Additionally, in order to preserve the
> sysctl ABI, make the existing inotify instances/watches sysctls
> modify the values of the initial user namespace.
>
> Signed-off-by: Nikolay Borisov <n.borisov.lkml@xxxxxxxxx>
> Acked-by: Jan Kara <jack@xxxxxxx>
> Acked-by: Serge Hallyn <serge@xxxxxxxxxx>
> ---
>
> Okay, so here is another version, which should
> hopefully be free of slab corruptions. There was an issue
> where in ucount.c the ifdef was checking CONFIG_INOTIFY_USER_
> (pay attention to the trailing _, this was clearly a mistake). This
> led to the user_table (and all tables duplicated from it) not
> containing the inotify-related members. In my local testing I got
> kasan splats even during kernel boot, due to out-of-bound writes.
> Let's see how this version fares.

Thank you. I will place this in my for-testing branch shortly and see how it fares.

Eric

_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linuxfoundation.org/mailman/listinfo/containers