1cce1eea0a
This patchset converts inotify to using the newly introduced per-userns sysctl infrastructure. Currently the inotify instances/watches are being accounted in the user_struct structure. This means that in setups where multiple users in unprivileged containers map to the same underlying real user (i.e. pointing to the same user_struct) the inotify limits are going to be shared as well, allowing one user(or application) to exhaust all others limits. Fix this by switching the inotify sysctls to using the per-namespace/per-user limits. This will allow the server admin to set sensible global limits, which can further be tuned inside every individual user namespace. Additionally, in order to preserve the sysctl ABI make the existing inotify instances/watches sysctls modify the values of the initial user namespace. Signed-off-by: Nikolay Borisov <n.borisov.lkml@gmail.com> Acked-by: Jan Kara <jack@suse.cz> Acked-by: Serge Hallyn <serge@hallyn.com> Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
50 lines
1.3 KiB
C
50 lines
1.3 KiB
C
#include <linux/fsnotify_backend.h>
|
|
#include <linux/inotify.h>
|
|
#include <linux/slab.h> /* struct kmem_cache */
|
|
|
|
struct inotify_event_info {
|
|
struct fsnotify_event fse;
|
|
int wd;
|
|
u32 sync_cookie;
|
|
int name_len;
|
|
char name[];
|
|
};
|
|
|
|
struct inotify_inode_mark {
|
|
struct fsnotify_mark fsn_mark;
|
|
int wd;
|
|
};
|
|
|
|
static inline struct inotify_event_info *INOTIFY_E(struct fsnotify_event *fse)
|
|
{
|
|
return container_of(fse, struct inotify_event_info, fse);
|
|
}
|
|
|
|
extern void inotify_ignored_and_remove_idr(struct fsnotify_mark *fsn_mark,
|
|
struct fsnotify_group *group);
|
|
extern int inotify_handle_event(struct fsnotify_group *group,
|
|
struct inode *inode,
|
|
struct fsnotify_mark *inode_mark,
|
|
struct fsnotify_mark *vfsmount_mark,
|
|
u32 mask, const void *data, int data_type,
|
|
const unsigned char *file_name, u32 cookie);
|
|
|
|
extern const struct fsnotify_ops inotify_fsnotify_ops;
|
|
|
|
#ifdef CONFIG_INOTIFY_USER
|
|
static inline void dec_inotify_instances(struct ucounts *ucounts)
|
|
{
|
|
dec_ucount(ucounts, UCOUNT_INOTIFY_INSTANCES);
|
|
}
|
|
|
|
static inline struct ucounts *inc_inotify_watches(struct ucounts *ucounts)
|
|
{
|
|
return inc_ucount(ucounts->ns, ucounts->uid, UCOUNT_INOTIFY_WATCHES);
|
|
}
|
|
|
|
static inline void dec_inotify_watches(struct ucounts *ucounts)
|
|
{
|
|
dec_ucount(ucounts, UCOUNT_INOTIFY_WATCHES);
|
|
}
|
|
#endif
|