Hi Alexey,
On 1/4/22 12:51, Alexey Gladkov wrote:
> Right now, the mqueue sysctls take ipc namespaces into account in a
> rather hacky way. This works in most cases, but does not respect the
> user namespace.
> Within the user namespace, the user cannot change the /proc/sys/fs/mqueue/*
> parameters. This poses a problem in rootless containers.
> To solve this I changed the implementation of the mqueue sysctls just
> like some other sysctls.
> Before this change:
> $ echo 5 | unshare -r -U -i tee /proc/sys/fs/mqueue/msg_max
> tee: /proc/sys/fs/mqueue/msg_max: Permission denied
> 5
Could you crosscheck that all (relevant) allocations in ipc/mqueue.c use
GFP_KERNEL_ACCOUNT?
We should not allow normal users to use up all memory.
Otherwise:
The idea is good, the limits do not really prevent using up all memory,
_ACCOUNT is the better approach.
And with _ACCOUNT, it doesn't hurt that the namespace root is able to
set limits.
--
Manfred
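
One way to run the crosscheck requested above, as an added example that is not part of the original mail or of the kernel tree: a small Python scan that lists slab allocation calls whose GFP argument lacks the accounting flag. The helper names and the C snippet are constructed for illustration and are not taken from ipc/mqueue.c.

```python
import re

# Common kernel slab helpers whose last argument is the GFP mask.
ALLOC_RE = re.compile(
    r'\b(k[mzc]alloc|kvmalloc|kvzalloc|kmalloc_array|kmemdup)\s*\(')

# Constructed C snippet for the demo (not real kernel code).
SAMPLE = """\
static int demo_open(struct demo *d, size_t n)
{
	d->hdr = kzalloc(sizeof(*d->hdr), GFP_KERNEL);
	d->buf = kvmalloc(n, GFP_KERNEL_ACCOUNT);
	d->tab = kcalloc(n, sizeof(*d->tab),
			 GFP_KERNEL | __GFP_ACCOUNT);
	d->tmp = kmalloc(max(n, 64), GFP_ATOMIC);
	return 0;
}
"""

def call_args(src, open_idx):
    """Return the text between the '(' at open_idx and its matching ')'."""
    depth = 0
    for i in range(open_idx, len(src)):
        if src[i] == '(':
            depth += 1
        elif src[i] == ')':
            depth -= 1
            if depth == 0:
                return src[open_idx + 1:i]
    return src[open_idx + 1:]  # unbalanced input: take the rest

def unaccounted_allocs(src):
    """List (line, allocator, gfp_mask) for calls that are not memcg-accounted."""
    findings = []
    for m in ALLOC_RE.finditer(src):
        args = call_args(src, m.end() - 1)
        gfp = args.rsplit(',', 1)[-1].strip()  # GFP mask is the last argument
        if 'GFP_KERNEL_ACCOUNT' in gfp or '__GFP_ACCOUNT' in gfp:
            continue
        line = src.count('\n', 0, m.start()) + 1
        findings.append((line, m.group(1), gfp))
    return findings

if __name__ == "__main__":
    for line, func, gfp in unaccounted_allocs(SAMPLE):
        print(f"line {line}: {func}() uses {gfp}")
```

The findings are candidates for review rather than bugs, since only the relevant allocations need accounting. Slab caches opt into accounting with SLAB_ACCOUNT at cache creation, which this scan does not cover.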