mirror of
https://github.com/Fishwaldo/Star64_linux.git
synced 2025-03-30 19:15:14 +00:00
21d1c5e386
The rlimit counter is tied to uid in the user_namespace. This allows rlimit values to be specified in userns even if they are already globally exceeded by the user. However, the value of the previous user_namespaces cannot be exceeded. To illustrate the impact of rlimits, let's say there is a program that does not fork. Some service-A wants to run this program as user X in multiple containers. Since the program never fork the service wants to set RLIMIT_NPROC=1. service-A \- program (uid=1000, container1, rlimit_nproc=1) \- program (uid=1000, container2, rlimit_nproc=1) The service-A sets RLIMIT_NPROC=1 and runs the program in container1. When the service-A tries to run a program with RLIMIT_NPROC=1 in container2 it fails since user X already has one running process. We cannot use existing inc_ucounts / dec_ucounts because they do not allow us to exceed the maximum for the counter. Some rlimits can be overlimited by root or if the user has the appropriate capability. Changelog v11: * Change inc_rlimit_ucounts() which now returns top value of ucounts. * Drop inc_rlimit_ucounts_and_test() because the return code of inc_rlimit_ucounts() can be checked. Signed-off-by: Alexey Gladkov <legion@kernel.org> Link: https://lkml.kernel.org/r/c5286a8aa16d2d698c222f7532f3d735c82bc6bc.1619094428.git.legion@kernel.org Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
63 lines
1.7 KiB
C
63 lines
1.7 KiB
C
/* SPDX-License-Identifier: GPL-2.0 */
|
|
#ifndef _LINUX_SCHED_USER_H
|
|
#define _LINUX_SCHED_USER_H
|
|
|
|
#include <linux/uidgid.h>
|
|
#include <linux/atomic.h>
|
|
#include <linux/refcount.h>
|
|
#include <linux/ratelimit.h>
|
|
|
|
/*
|
|
* Some day this will be a full-fledged user tracking system..
|
|
*/
|
|
struct user_struct {
|
|
refcount_t __count; /* reference count */
|
|
atomic_t sigpending; /* How many pending signals does this user have? */
|
|
#ifdef CONFIG_FANOTIFY
|
|
atomic_t fanotify_listeners;
|
|
#endif
|
|
#ifdef CONFIG_EPOLL
|
|
atomic_long_t epoll_watches; /* The number of file descriptors currently watched */
|
|
#endif
|
|
#ifdef CONFIG_POSIX_MQUEUE
|
|
/* protected by mq_lock */
|
|
unsigned long mq_bytes; /* How many bytes can be allocated to mqueue? */
|
|
#endif
|
|
unsigned long locked_shm; /* How many pages of mlocked shm ? */
|
|
unsigned long unix_inflight; /* How many files in flight in unix sockets */
|
|
atomic_long_t pipe_bufs; /* how many pages are allocated in pipe buffers */
|
|
|
|
/* Hash table maintenance information */
|
|
struct hlist_node uidhash_node;
|
|
kuid_t uid;
|
|
|
|
#if defined(CONFIG_PERF_EVENTS) || defined(CONFIG_BPF_SYSCALL) || \
|
|
defined(CONFIG_NET) || defined(CONFIG_IO_URING)
|
|
atomic_long_t locked_vm;
|
|
#endif
|
|
#ifdef CONFIG_WATCH_QUEUE
|
|
atomic_t nr_watches; /* The number of watches this user currently has */
|
|
#endif
|
|
|
|
/* Miscellaneous per-user rate limit */
|
|
struct ratelimit_state ratelimit;
|
|
};
|
|
|
|
extern int uids_sysfs_init(void);
|
|
|
|
extern struct user_struct *find_user(kuid_t);
|
|
|
|
extern struct user_struct root_user;
|
|
#define INIT_USER (&root_user)
|
|
|
|
|
|
/* per-UID process charging. */
|
|
extern struct user_struct * alloc_uid(kuid_t);
|
|
static inline struct user_struct *get_uid(struct user_struct *u)
|
|
{
|
|
refcount_inc(&u->__count);
|
|
return u;
|
|
}
|
|
extern void free_uid(struct user_struct *);
|
|
|
|
#endif /* _LINUX_SCHED_USER_H */
|