On Wed, 2022-02-23 at 15:45 -0500, Stefan Berger wrote:

Any user can create several user namespaces and with that several IMA namespaces and now we want to limit the number of rules inside an IMA namespace to limit the amount of kernel memory the policy rules are consuming. It isn't necessarily related to cgroups but a hard limit on the number of rules to avoid waste of memory.

avoid huge kernel memory consumption in the case that a cgroup limit for memory was not set up.

Ok, that is the motivation for this patch.