On Sun, Sep 05, 2021 at 02:12:13PM +0800, 杨男子 wrote: > Hi, our team has found a problem in fs system on Linux kernel v5.10, leading to DoS attacks. > > The struct file can be exhausted by normal users by calling multiple syscalls such as timerfd_create/pipe/open etc. Although the rlimit limits the max fds could be opened by a single process. A normal user can fork multiple processes, repeatedly make the timerfd_create/pipe/open syscalls and exhaust all struct files. As a result, all struct-file-allocation related operations of all other users will fail. > > In fact, we try this attack inside a deprivileged docker container without any capabilities. The processes in the docker can exhaust all struct-file on the host kernel. We use a machine with 16G memory. We start 2000 processes, each process with a 1024 limit. In total, around 1613400 number struct-file are consumed and there are no available struct-file in the kernel. The total consumed memory is less than 2G , which is small, so memory control group can not help. As has already been pointed out, containers are not any sort of "resource boundry" to the overall system. If you are concerned about processes using too many file handles, and starving other processes on the system, then restrict them through the nr_open sysctrl setting, that is what it is there for. thanks, greg k-h
