CME-704

cgroups v2 Resource Limits

Description

Constrains CPU, memory, I/O and PID counts for process groups using the cgroups v2 unified hierarchy. Prevents resource-exhaustion attacks and limits the blast radius of runaway or malicious processes.

CVSS Vector Impacts

Metric            Transition   Rationale
Availability (A)  H → L        Process cannot exhaust host resources; OOM killer scoped to cgroup

CWE Relationships

Verification

Check that cgroup v2 is mounted and that limits are set (platform: linux):

$ mount | grep cgroup2
# Expected: a cgroup2 mount line, e.g. "cgroup2 on /sys/fs/cgroup type cgroup2 (...)"

$ cat /sys/fs/cgroup/<slice>/memory.max
# Expected: numeric limit in bytes (the literal value "max" means no limit is set)
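The two checks above can be scripted so that an audit fails loudly when a limit is missing. The helper below is an added example, not part of this CME catalogue; it assumes the cgroup v2 hierarchy is mounted at the default /sys/fs/cgroup and that the cgroup directory to audit (the `<slice>` path) is passed as the first argument. It also covers pids.max and the cpu.max quota, since a group with only memory.max set is still free to fork-bomb or saturate CPU.

```shell
#!/bin/sh
# Added verification helper for this CME entry; it is not part of the
# catalogue. Assumes a cgroup v2 unified hierarchy mounted at /sys/fs/cgroup
# (the default) and that the cgroup directory to audit is passed as $1.

# Return 0 if the given `mount` output contains a cgroup2 filesystem line.
has_cgroup2_mount() {
    printf '%s\n' "$1" | grep -q '^cgroup2 on '
}

# Return 0 if a value read from memory.max / pids.max / the cpu.max quota
# is a concrete number. The literal "max" means "no limit", so it fails.
is_bounded_limit() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Audit one cgroup directory: print each limit and return nonzero if any of
# memory.max, pids.max or the cpu.max quota is unset or unreadable.
check_cgroup_limits() {
    cg="$1"
    rc=0
    for f in memory.max pids.max; do
        if val=$(cat "$cg/$f" 2>/dev/null); then
            if is_bounded_limit "$val"; then
                echo "$f: $val"
            else
                echo "$f: UNBOUNDED ($val)"
                rc=1
            fi
        else
            echo "$f: not readable (is $cg a cgroup v2 directory?)"
            rc=1
        fi
    done
    # cpu.max holds "<quota> <period>" in microseconds; a quota of "max"
    # means the group may consume CPU without a cap.
    if quota=$(cut -d' ' -f1 "$cg/cpu.max" 2>/dev/null); then
        if is_bounded_limit "$quota"; then
            echo "cpu.max quota: $quota"
        else
            echo "cpu.max: UNBOUNDED ($quota)"
            rc=1
        fi
    else
        echo "cpu.max: not readable"
        rc=1
    fi
    return $rc
}

# Usage: sh cgroup_check.sh /sys/fs/cgroup/<slice>
if [ "$#" -ge 1 ]; then
    if has_cgroup2_mount "$(mount)"; then
        echo "cgroup2 filesystem is mounted"
    else
        echo "no cgroup2 mount found; values below are not cgroup v2 limits"
    fi
    check_cgroup_limits "$1"
fi
```

The script exits nonzero when any of the three limits is unbounded or unreadable, so it can sit in a CI or host-hardening check. Note that cpu.max only appears in a cgroup whose parent has enabled the cpu controller in cgroup.subtree_control; the "not readable" branch reports that case rather than silently passing it.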