Re: [PATCH v10 26/27] ima: Limit number of policy rules in non-init_ima_ns

On 2/23/22 15:59, Mimi Zohar wrote:
> On Wed, 2022-02-23 at 15:45 -0500, Stefan Berger wrote:
>
> > avoid huge kernel memory consumption in the case that a cgroup limit for
> > memory was not set up.
>
> Ok, that is the motivation for this patch.

Any user can create several user namespaces and with that several IMA namespaces, and now we want to limit the number of rules inside an IMA namespace to limit the amount of kernel memory the policy rules are consuming. It isn't necessarily related to cgroups but a hard limit on the number of rules to avoid waste of memory.
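The point of the reply above is a resource-exhaustion bound: an unprivileged user can create many user namespaces, hence many IMA namespaces, and without a cap each one could hold an unbounded policy rule list in kernel memory. The userspace model below is an added illustration, not code from the patch series or from the kernel: `struct ima_ns`, `ima_ns_add_rule` and the cap `IMA_NS_RULE_LIMIT` (value chosen arbitrarily here) are constructed names, and the rule payload is a placeholder. It shows that with a per-namespace hard limit the retained rule count, and so the memory, grows only linearly in the number of namespaces while the initial namespace stays uncapped.

```c
/* Constructed model of per-namespace policy rule accounting with a hard cap.
 * Not the kernel's or the patch's code; names and the limit are assumptions. */
#include <errno.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define IMA_NS_RULE_LIMIT 8     /* hypothetical cap for non-init namespaces */

struct ima_rule {
    struct ima_rule *next;
    char text[64];              /* stand-in for the real rule fields */
};

struct ima_ns {
    struct ima_rule *rules;     /* singly linked list of rules */
    size_t nr_rules;            /* rules currently held by this namespace */
    int is_init_ns;             /* the initial IMA namespace is not capped */
};

/* Append a rule; refuse with -ENOSPC once a non-init namespace is at the cap. */
int ima_ns_add_rule(struct ima_ns *ns, const char *text)
{
    if (!ns->is_init_ns && ns->nr_rules >= IMA_NS_RULE_LIMIT)
        return -ENOSPC;
    struct ima_rule *r = calloc(1, sizeof(*r));
    if (!r)
        return -ENOMEM;
    strncpy(r->text, text, sizeof(r->text) - 1);
    r->next = ns->rules;
    ns->rules = r;
    ns->nr_rules++;
    return 0;
}

/* Release every rule held by the namespace. */
void ima_ns_free_rules(struct ima_ns *ns)
{
    while (ns->rules) {
        struct ima_rule *r = ns->rules;
        ns->rules = r->next;
        free(r);
    }
    ns->nr_rules = 0;
}

/* Simulate a user who creates nr_ns namespaces and tries to load `attempts`
 * rules into each; return how many rules the kernel would actually retain. */
size_t rules_retained(size_t nr_ns, size_t attempts, int init_ns)
{
    size_t total = 0;
    for (size_t i = 0; i < nr_ns; i++) {
        struct ima_ns ns = { .rules = NULL, .nr_rules = 0, .is_init_ns = init_ns };
        for (size_t j = 0; j < attempts; j++)
            if (ima_ns_add_rule(&ns, "measure func=FILE_CHECK") != 0)
                break;          /* cap reached: further rules are dropped */
        total += ns.nr_rules;
        ima_ns_free_rules(&ns);
    }
    return total;
}

int main(void)
{
    /* 4 capped namespaces, 1000 attempts each: retained = 4 * cap, not 4000. */
    return rules_retained(4, 1000, 0) == 4 * IMA_NS_RULE_LIMIT ? 0 : 1;
}
```

With the cap in place the worst case a single user can impose is `namespaces * IMA_NS_RULE_LIMIT * sizeof(struct ima_rule)`, which is what makes the limit useful even when no memory cgroup has been configured for that user.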



