Merge branch 'ucount-rlimit-fixes-for-v5.17' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace
Pull ucounts fix from Eric Biederman: "Etienne Dechamps recently found a regression caused by enforcing RLIMIT_NPROC for root where the rlimit was not previously enforced. Michal Koutný had previously pointed out the inconsistency in enforcing the RLIMIT_NPROC that had been on the root owned process after the root user creates a user namespace. Which makes the fix for the regression simply removing the inconsistency" * 'ucount-rlimit-fixes-for-v5.17' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace: ucounts: Fix systemd LimitNPROC with private users regression
commit
5859a2b199
@ -58,6 +58,18 @@ static void set_cred_user_ns(struct cred *cred, struct user_namespace *user_ns)
|
||||
cred->user_ns = user_ns;
|
||||
}
|
||||
|
||||
static unsigned long enforced_nproc_rlimit(void)
|
||||
{
|
||||
unsigned long limit = RLIM_INFINITY;
|
||||
|
||||
/* Is RLIMIT_NPROC currently enforced? */
|
||||
if (!uid_eq(current_uid(), GLOBAL_ROOT_UID) ||
|
||||
(current_user_ns() != &init_user_ns))
|
||||
limit = rlimit(RLIMIT_NPROC);
|
||||
|
||||
return limit;
|
||||
}
|
||||
|
||||
/*
|
||||
* Create a new user namespace, deriving the creator from the user in the
|
||||
* passed credentials, and replacing that user with the new root user for the
|
||||
@ -122,7 +134,7 @@ int create_user_ns(struct cred *new)
|
||||
for (i = 0; i < MAX_PER_NAMESPACE_UCOUNTS; i++) {
|
||||
ns->ucount_max[i] = INT_MAX;
|
||||
}
|
||||
set_rlimit_ucount_max(ns, UCOUNT_RLIMIT_NPROC, rlimit(RLIMIT_NPROC));
|
||||
set_rlimit_ucount_max(ns, UCOUNT_RLIMIT_NPROC, enforced_nproc_rlimit());
|
||||
set_rlimit_ucount_max(ns, UCOUNT_RLIMIT_MSGQUEUE, rlimit(RLIMIT_MSGQUEUE));
|
||||
set_rlimit_ucount_max(ns, UCOUNT_RLIMIT_SIGPENDING, rlimit(RLIMIT_SIGPENDING));
|
||||
set_rlimit_ucount_max(ns, UCOUNT_RLIMIT_MEMLOCK, rlimit(RLIMIT_MEMLOCK));
|
||||
|
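Review bot: enforced_nproc_rlimit() decides whether RLIMIT_NPROC applies from `current_uid()` and `current_user_ns()`, while its caller in the second hunk, create_user_ns(struct cred *new), is recording UCOUNT_RLIMIT_NPROC for the namespace being created from `new`; nothing in the hunk states that `new` was derived from current's credentials, so the helper should say so, e.g. `/* Evaluated against current's creds, not @new; assumes callers build @new from current (confirm at the unshare/setns call sites). */`. The exemption here is also narrower than the uid-0-or-capable check the fork path is believed to apply (CAP_SYS_RESOURCE/CAP_SYS_ADMIN), so a non-root creator holding those capabilities would still get rlimit(RLIMIT_NPROC) stored as the new namespace's maximum; if that is intended, the `/* Is RLIMIT_NPROC currently enforced? */` comment should name the exact condition it mirrors (global root in init_user_ns only). create_user_ns() begins and ends outside the hunk.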