[PATCH 0/8] ucounts: RLIMIT_NPROC fixes

From: Eric W. Biederman
Date: Thu Feb 10 2022 - 21:01:39 EST



Michal Koutný recently found some bugs in the enforcement of
RLIMIT_NPROC in the recent ucount rlimit implementation.

I saw some additional bugs and some cleaner ways to fix the problem so
instead of starting with his fixes these are my own.

I am aiming to send the first 5 of these to Linus once they have been
reviewed. Two more are fixes in principle but I don't think do anything
in practice. The last one is just a cleanup to prevent future
divergence of RLIMIT_NPROC logic.

Eric W. Biederman (8):
ucounts: Fix RLIMIT_NPROC regression
ucounts: Fix set_cred_ucounts
ucounts: Fix and simplify RLIMIT_NPROC handling during setuid()+execve
ucounts: Only except the root user in init_user_ns from RLIMIT_NPROC
ucounts: Handle wrapping in is_ucounts_overlimit
ucounts: Handle inc_rlimit_ucounts wrapping in fork
rlimit: For RLIMIT_NPROC test the child not the parent for capabilites
ucounts: Use the same code to enforce RLIMIT_NPROC in fork and exec

fs/exec.c | 12 +++++-------
include/linux/sched.h | 2 +-
include/linux/sched/signal.h | 2 ++
kernel/cred.c | 24 +++++++++++-------------
kernel/fork.c | 32 ++++++++++++++++++++++++--------
kernel/sys.c | 14 --------------
kernel/ucount.c | 3 ++-
kernel/user_namespace.c | 2 ++
8 files changed, 47 insertions(+), 44 deletions(-)

Eric