Re: [PATCH 0/8] ucounts: RLIMIT_NPROC fixes

From: Eric W. Biederman
Date: Fri Feb 11 2022 - 14:23:21 EST


Shuah Khan <skhan@xxxxxxxxxxxxxxxxxxx> writes:

> On 2/10/22 7:01 PM, Eric W. Biederman wrote:
>> Michal Koutný recently found some bugs in the enforcement of
>> RLIMIT_NPROC in the recent ucount rlimit implementation.
>> I saw some additional bugs and some cleaner ways to fix the problem so
>> instead of starting with his fixes these are my own.
>> I am aiming to send the first 5 of these to Linus once they have been
>> reviewed. Two more are fixes in principle but I don't think do anything
>> in practice. The last one is just a cleanup to prevent future
>> divergence of RLIMIT_NPROC logic.
>> Eric W. Biederman (8):
>> ucounts: Fix RLIMIT_NPROC regression
>> ucounts: Fix set_cred_ucounts
>> ucounts: Fix and simplify RLIMIT_NPROC handling during setuid()+execve
>> ucounts: Only except the root user in init_user_ns from RLIMIT_NPROC
>
> Should this be "Only exempt"?

Yes.

>> ucounts: Handle wrapping in is_ucounts_overlimit
>> ucounts: Handle inc_rlimit_ucounts wrapping in fork
>> rlimit: For RLIMIT_NPROC test the child not the parent for capabilites
>> ucounts: Use the same code to enforce RLIMIT_NPROC in fork and exec
>> fs/exec.c | 12 +++++-------
>> include/linux/sched.h | 2 +-
>> include/linux/sched/signal.h | 2 ++
>> kernel/cred.c | 24 +++++++++++-------------
>> kernel/fork.c | 32 ++++++++++++++++++++++++--------
>> kernel/sys.c | 14 --------------
>> kernel/ucount.c | 3 ++-
>> kernel/user_namespace.c | 2 ++
>> 8 files changed, 47 insertions(+), 44 deletions(-)
>> Eric
>>
>
> Do we need updates to selftests - Michal's patch series included changes to
> selftests/exec

selftests would be good.

Eric