> > I would like the system admin to be able to limit 100 sb marks on /home
> > (filtered or not) because that impacts the send_to_group iteration.
>
> OK, so per-sb limitation of sb mark number...
>
> > I would also like systemd to be able to grant a smaller quota of filtered
> > sb marks per user when creating and mapping the idmapped mounts
> > at /home/foo$N
>
> ... and a ucount to go with it?
>
> > I *think* we can achieve that, by accounting the sb marks to uid 0
> > (who mounted /home) in ucounts entry "fanotify_sb_marks".
>
> But a superblock can be mounted in multiple places, in multiple user
> namespaces, potentially by different users (think of nested containers)? So
> if we want a per-sb limit on sb marks, I think that accounting those per
> user won't really achieve that?
>

I agree. It won't. We can start with the global max_fanotify_sb_marks.
I do not have an idea how to make that workable using ucounts.

Thanks,
Amir.