> But it should be fairly easy to just add a 'struct ratelimit_state' to > 'struct user_struct', and then you can easily just use > > '&file->f_cred->user->ratelimit' > > and you're done. Make sure the initial root user has it unlimited, and > limit it to something reasonable for all other user allocations.
How about uid name spaces? Someone untrusted in a container could create a lot of uids and switch between them. A global rate limit seems better. While in theory it allows DoS it's probably not worse than a lot of others we have with other resources, and it's relatively harmless. -Andi
