Red Hat Bugzilla – Bug 1472410
/dev is mounted as a tmpfs and should be limited in size the same way that /dev/shm is.
Last modified: 2017-07-18 15:43:18 EDT
There is a potential Denial of Service attack from a container against the host by using up 50% of available memory from writing to /dev.
Also needs to be fixed in Fedora.
This is really under docker. But I am not sure it is real important. Since /tmp size is controlled by memory cgroup, this would only allow a user to use 50% of available memory in his container. If the admin does not set any memory limit on a container the processes inside could use 100% or memory.
Created attachment 1300623 [details]
This patch might fix the issue.
Yeah, that should work. Do we want to make it configurable though like the --shm-size flag in docker?
I don't think it would ever grow to that big of a size unless the user is doing something very wrong, the only things that should be in /dev are devicenodes.
Giving a container with a tmpfs limited with size makes sense.