Propagate PID limit from OCI to sandbox cgroup

Closes #2489

PiperOrigin-RevId: 308362434

2 files changed, 18 insertions, 2 deletions

diff --git a/runsc/cgroup/cgroup.go b/runsc/cgroup/cgroup.go
index 653ca5f52..fa40ee509 100644
--- a/runsc/cgroup/cgroup.go
+++ b/runsc/cgroup/cgroup.go
@@ -45,13 +45,13 @@ var controllers = map[string]controller{
 	"memory":   &memory{},
 	"net_cls":  &networkClass{},
 	"net_prio": &networkPrio{},
+	"pids":     &pids{},
 
 	// These controllers either don't have anything in the OCI spec or is
-	// irrevalant for a sandbox, e.g. pids.
+	// irrelevant for a sandbox.
 	"devices":    &noop{},
 	"freezer":    &noop{},
 	"perf_event": &noop{},
-	"pids":       &noop{},
 	"systemd":    &noop{},
 }
 
@@ -525,3 +525,13 @@ func (*networkPrio) set(spec *specs.LinuxResources, path string) error {
 	}
 	return nil
 }
+
+type pids struct{}
+
+func (*pids) set(spec *specs.LinuxResources, path string) error {
+	if spec.Pids == nil {
+		return nil
+	}
+	val := strconv.FormatInt(spec.Pids.Limit, 10)
+	return setValue(path, "pids.max", val)
+}
diff --git a/test/root/cgroup_test.go b/test/root/cgroup_test.go
index 8876d0d61..d0634b5c3 100644
--- a/test/root/cgroup_test.go
+++ b/test/root/cgroup_test.go
@@ -199,6 +199,12 @@ func TestCgroup(t *testing.T) {
 			want:           "750",
 			skipIfNotFound: true, // blkio groups may not be available.
 		},
+		{
+			arg:  "--pids-limit=1000",
+			ctrl: "pids",
+			file: "pids.max",
+			want: "1000",
+		},
 	}
 
 	args := make([]string, 0, len(attrs))