On Fri, Oct 12, 2018 at 2:35 AM Jann Horn <jannh@xxxxxxxxxx> wrote: > On Fri, Oct 12, 2018 at 1:40 AM Rick Edgecombe > <rick.p.edgecombe@xxxxxxxxx> wrote: > > This introduces a new rlimit, RLIMIT_MODSPACE, which limits the amount of > > module space a user can use. The intention is to be able to limit module space > > allocations that may come from un-privlidged users inserting e/BPF filters. > > Note that in some configurations (iirc e.g. the default Ubuntu > config), normal users can use the subuid mechanism (the /etc/subuid > config file and the /usr/bin/newuidmap setuid helper) to gain access > to 65536 UIDs, which means that in such a configuration, > RLIMIT_MODSPACE*65537 is the actual limit for one user. (Same thing > applies to RLIMIT_MEMLOCK.) Actually, I may have misremembered, perhaps it's not installed by default - I just checked in a Ubuntu VM, and the newuidmap helper from the uidmap package wasn't installed.
