From: Alexey Gladkov <legion@kernel.org>
To: LKML <linux-kernel@vger.kernel.org>,
Linux Containers <containers@lists.linux.dev>
Cc: Andrew Morton <akpm@linux-foundation.org>,
Christian Brauner <brauner@kernel.org>,
"Eric W . Biederman" <ebiederm@xmission.com>,
Kees Cook <keescook@chromium.org>,
Manfred Spraul <manfred@colorfullife.com>
Subject: [PATCH v2 0/3] Allow to change ipc/mq sysctls inside ipc namespace
Date: Tue, 20 Sep 2022 20:08:19 +0200 [thread overview]
Message-ID: <cover.1663696560.git.legion@kernel.org> (raw)
In-Reply-To: <YynnI2ySUkpu9j6S@example.org>
Right now ipc and mq limits count as per ipc namespace, but only real
root can change them. By default, the current values of these limits are
such that it can only be reduced. Since only root can change the values,
it is impossible to reduce these limits in the rootless container.
We can allow limit changes within ipc namespace because mq parameters
are limited by RLIMIT_MSGQUEUE and ipc parameters are not limited to
anything other than cgroups.
--
Alexey Gladkov (3):
sysctl: Allow change system v ipc sysctls inside ipc namespace
sysctl: Allow to change limits for posix messages queues
docs: Add information about ipc sysctls limitations
Documentation/admin-guide/sysctl/kernel.rst | 14 ++++++--
ipc/ipc_sysctl.c | 34 ++++++++++++++++--
ipc/mq_sysctl.c | 38 +++++++++++++++++++++
3 files changed, 80 insertions(+), 6 deletions(-)
--
2.33.4
next prev parent reply other threads:[~2022-09-20 18:10 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-07-12 16:17 [PATCH v1] sysctl: Allow change system v ipc sysctls inside ipc namespace Alexey Gladkov
2022-07-25 16:16 ` Eric W. Biederman
2022-08-16 15:42 ` Alexey Gladkov
2022-08-16 15:42 ` [PATCH v1 1/3] " Alexey Gladkov
2022-09-19 15:26 ` Eric W. Biederman
2022-09-20 16:15 ` Alexey Gladkov
2022-09-20 18:08 ` Alexey Gladkov [this message]
2022-09-20 18:08 ` [PATCH v2 " Alexey Gladkov
2022-09-21 9:38 ` kernel test robot
2022-09-21 10:41 ` [PATCH v3 0/3] Allow to change ipc/mq " Alexey Gladkov
2022-09-21 10:41 ` [PATCH v3 1/3] sysctl: Allow change system v ipc " Alexey Gladkov
2022-09-21 10:41 ` [PATCH v3 2/3] sysctl: Allow to change limits for posix messages queues Alexey Gladkov
2022-09-21 10:41 ` [PATCH v3 3/3] docs: Add information about ipc sysctls limitations Alexey Gladkov
2024-01-15 15:46 ` [RESEND PATCH v3 0/3] Allow to change ipc/mq sysctls inside ipc namespace Alexey Gladkov
2024-01-15 15:46 ` [RESEND PATCH v3 1/3] sysctl: Allow change system v ipc " Alexey Gladkov
2024-01-15 15:46 ` [RESEND PATCH v3 2/3] docs: Add information about ipc sysctls limitations Alexey Gladkov
2024-01-15 15:46 ` [RESEND PATCH v3 3/3] sysctl: Allow to change limits for posix messages queues Alexey Gladkov
2022-09-20 18:08 ` [PATCH v2 2/3] " Alexey Gladkov
2022-09-20 18:08 ` [PATCH v2 3/3] docs: Add information about ipc sysctls limitations Alexey Gladkov
2022-08-16 15:42 ` [PATCH v1 2/3] sysctl: Allow to change limits for posix messages queues Alexey Gladkov
2022-09-19 15:27 ` Eric W. Biederman
2022-08-16 15:42 ` [PATCH v1 3/3] docs: Add information about ipc sysctls limitations Alexey Gladkov
2022-09-19 15:29 ` Eric W. Biederman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=cover.1663696560.git.legion@kernel.org \
--to=legion@kernel.org \
--cc=akpm@linux-foundation.org \
--cc=brauner@kernel.org \
--cc=containers@lists.linux.dev \
--cc=ebiederm@xmission.com \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=manfred@colorfullife.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).