mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2025-01-14 17:35:42 +00:00
49b786ea14
Adds a new single-purpose PIDs subsystem to limit the number of tasks that can be forked inside a cgroup. Essentially this is an implementation of RLIMIT_NPROC that applies to a cgroup rather than a process tree. However, it should be noted that organisational operations (adding and removing tasks from a PIDs hierarchy) will *not* be prevented. Rather, the number of tasks in the hierarchy cannot exceed the limit through forking. This is due to the fact that, in the unified hierarchy, attach cannot fail (and it is not possible for a task to overcome its PIDs cgroup policy limit by attaching to a child cgroup -- even if migrating mid-fork it must be able to fork in the parent first). PIDs are fundamentally a global resource, and it is possible to reach PID exhaustion inside a cgroup without hitting any reasonable kmemcg policy. Once you've hit PID exhaustion, you're only in a marginally better state than OOM. This subsystem allows PID exhaustion inside a cgroup to be prevented. Signed-off-by: Aleksa Sarai <cyphar@cyphar.com> Signed-off-by: Tejun Heo <tj@kernel.org>
87 lines
1.4 KiB
C
87 lines
1.4 KiB
C
/*
|
|
* List of cgroup subsystems.
|
|
*
|
|
* DO NOT ADD ANY SUBSYSTEM WITHOUT EXPLICIT ACKS FROM CGROUP MAINTAINERS.
|
|
*/
|
|
|
|
/*
|
|
* This file *must* be included with SUBSYS() defined.
|
|
* SUBSYS_TAG() is a noop if undefined.
|
|
*/
|
|
|
|
#ifndef SUBSYS_TAG
|
|
#define __TMP_SUBSYS_TAG
|
|
#define SUBSYS_TAG(_x)
|
|
#endif
|
|
|
|
#if IS_ENABLED(CONFIG_CPUSETS)
|
|
SUBSYS(cpuset)
|
|
#endif
|
|
|
|
#if IS_ENABLED(CONFIG_CGROUP_SCHED)
|
|
SUBSYS(cpu)
|
|
#endif
|
|
|
|
#if IS_ENABLED(CONFIG_CGROUP_CPUACCT)
|
|
SUBSYS(cpuacct)
|
|
#endif
|
|
|
|
#if IS_ENABLED(CONFIG_BLK_CGROUP)
|
|
SUBSYS(blkio)
|
|
#endif
|
|
|
|
#if IS_ENABLED(CONFIG_MEMCG)
|
|
SUBSYS(memory)
|
|
#endif
|
|
|
|
#if IS_ENABLED(CONFIG_CGROUP_DEVICE)
|
|
SUBSYS(devices)
|
|
#endif
|
|
|
|
#if IS_ENABLED(CONFIG_CGROUP_FREEZER)
|
|
SUBSYS(freezer)
|
|
#endif
|
|
|
|
#if IS_ENABLED(CONFIG_CGROUP_NET_CLASSID)
|
|
SUBSYS(net_cls)
|
|
#endif
|
|
|
|
#if IS_ENABLED(CONFIG_CGROUP_PERF)
|
|
SUBSYS(perf_event)
|
|
#endif
|
|
|
|
#if IS_ENABLED(CONFIG_CGROUP_NET_PRIO)
|
|
SUBSYS(net_prio)
|
|
#endif
|
|
|
|
#if IS_ENABLED(CONFIG_CGROUP_HUGETLB)
|
|
SUBSYS(hugetlb)
|
|
#endif
|
|
|
|
/*
|
|
* Subsystems that implement the can_fork() family of callbacks.
|
|
*/
|
|
SUBSYS_TAG(CANFORK_START)
|
|
|
|
#if IS_ENABLED(CONFIG_CGROUP_PIDS)
|
|
SUBSYS(pids)
|
|
#endif
|
|
|
|
SUBSYS_TAG(CANFORK_END)
|
|
|
|
/*
|
|
* The following subsystems are not supported on the default hierarchy.
|
|
*/
|
|
#if IS_ENABLED(CONFIG_CGROUP_DEBUG)
|
|
SUBSYS(debug)
|
|
#endif
|
|
|
|
#ifdef __TMP_SUBSYS_TAG
|
|
#undef __TMP_SUBSYS_TAG
|
|
#undef SUBSYS_TAG
|
|
#endif
|
|
|
|
/*
|
|
* DO NOT ADD ANY SUBSYSTEM WITHOUT EXPLICIT ACKS FROM CGROUP MAINTAINERS.
|
|
*/
|