inotify: Convert to using per-namespace limits
author Nikolay Borisov <n.borisov.lkml@gmail.com>
Wed, 14 Dec 2016 13:56:33 +0000 (15:56 +0200)
committer Eric W. Biederman <ebiederm@xmission.com>
Mon, 23 Jan 2017 23:03:07 +0000 (12:03 +1300)
commit 1cce1eea0aff51201753fcaca421df825b0813b6
tree 9717a36b5968a179942e2b2f62d21c3c05cc39c6
parent 880a38547ff08715ce4f1daf9a4bb30c87676e68
inotify: Convert to using per-namespace limits

This patchset converts inotify to using the newly introduced
per-userns sysctl infrastructure.

Currently the inotify instances/watches are being accounted in the
user_struct structure. This means that in setups where multiple
users in unprivileged containers map to the same underlying
real user (i.e. pointing to the same user_struct) the inotify limits
are going to be shared as well, allowing one user (or application) to exhaust
all others' limits.

Fix this by switching the inotify sysctls to using the
per-namespace/per-user limits. This will allow the server admin to
set sensible global limits, which can further be tuned inside every
individual user namespace. Additionally, in order to preserve the
sysctl ABI, make the existing inotify instances/watches sysctls
modify the values of the initial user namespace.

Signed-off-by: Nikolay Borisov <n.borisov.lkml@gmail.com>
Acked-by: Jan Kara <jack@suse.cz>
Acked-by: Serge Hallyn <serge@hallyn.com>
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
fs/notify/inotify/inotify.h
fs/notify/inotify/inotify_fsnotify.c
fs/notify/inotify/inotify_user.c
include/linux/fsnotify_backend.h
include/linux/sched.h
include/linux/user_namespace.h
kernel/ucount.c
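As an added example (not part of this commit or of the kernel tree), a host-side check for the situation the message describes: it counts open inotify instances per real uid by walking /proc and flags users approaching fs.inotify.max_user_instances. It assumes Linux /proc semantics (fd symlinks that resolve to `anon_inode:inotify`, a `Uid:` line in `status`), the function names are mine, and the constructed /proc-like tree built by `make_fake_proc` lets it run offline; pass the real `/proc` to `inotify_instances_per_uid` on a live system.

```python
import os
import tempfile

INOTIFY_TARGET = "anon_inode:inotify"  # readlink() target of an inotify fd

def _real_uid(status_path):
    """Real uid (first field of the 'Uid:' line) from /proc/<pid>/status, or None."""
    try:
        with open(status_path) as f:
            for line in f:
                if line.startswith("Uid:"):
                    return int(line.split()[1])
    except OSError:
        pass
    return None

def inotify_instances_per_uid(proc_root="/proc"):
    """Map real uid -> open inotify instances, as seen from proc_root's namespace."""
    counts = {}
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        fd_dir = os.path.join(proc_root, pid, "fd")
        uid = _real_uid(os.path.join(proc_root, pid, "status"))
        try:
            fds = os.listdir(fd_dir)
        except OSError:  # process exited, or not ours to inspect
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            if uid is not None and target.startswith(INOTIFY_TARGET):
                counts[uid] = counts.get(uid, 0) + 1
    return counts

def near_limit(counts, max_instances, threshold=0.8):
    """uids holding at least threshold * fs.inotify.max_user_instances instances."""
    return sorted(u for u, n in counts.items() if n >= threshold * max_instances)

def make_fake_proc(spec):
    """Constructed /proc-like tree for offline runs: spec = {pid: (uid, n_inotify, n_other)}."""
    root = tempfile.mkdtemp()
    for pid, (uid, n_ino, n_other) in spec.items():
        fd_dir = os.path.join(root, str(pid), "fd")
        os.makedirs(fd_dir)
        with open(os.path.join(root, str(pid), "status"), "w") as f:
            f.write(f"Name:\tdemo\nUid:\t{uid}\t{uid}\t{uid}\t{uid}\n")
        for i in range(n_ino + n_other):  # inotify fds first, then ordinary ones
            os.symlink(INOTIFY_TARGET if i < n_ino else "/dev/null", os.path.join(fd_dir, str(i)))
    return root
```

Before this commit, processes in different unprivileged containers whose uids map to the same real user would all be counted against one limit; the per-uid totals this reports are the numbers that limit applies to.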