Well, some comments.
The patch on the ftp side was made againt 2.3.17 kernel. It's a fresh port
of the work that Alan Cox started and I continued more than a half of year
ago.
It was clear that per-process resource limits aren't sufficient to fully
protect the system. There are some known exploits which being launched by a
unprivileged user are able to completely halt the system in milliseconds.
The patch implements accounting and limitation for unswappable kernel memory
and other critical resources consumed by processes of a user.
At this moment the patch accounts some kinds of unswappable kernel memory,
mlock()ed pages, total processes address space, IPC shared memory segment
size. The full list is in the patch (include/linux/beancounter.h).
In general Configure.help and include/linux/beancounter.h in the patch give
enough information.
As Alan has mentioned the patch isn't complete yet. There are some
resources which must be covered by the accounting too.
The original (old) version of the patch was tested in details on both SMP and
non-SMP systems. So the patch basically should work. But I haven't used it
yet on production systems.
Regards
Andrey V.
Savochkin
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/