On Tue, Jul 19, 2016 at 6:13 PM, Eric W. Biederman <ebiederm@xxxxxxxxxxxx> wrote:
>
> This patchset addresses two use cases:
> - Implement a sane upper bound on the number of namespaces.
> - Provide a way for sandboxes to limit the attack surface from
>   namespaces.
>
> The maximum sane case I can imagine is if every process is a fat
> process, so I set the maximum number of namespaces to the maximum
> number of threads.
>
> I make these limits recursive and per user namespace so that a
> user namespace root can reduce the limits further. If a user namespace
> root raises the limit, the limit in the parent namespace will be honored.
>
> I have cut this implementation to the bare minimum needed to achieve
> these objections.
>
> Assuming nothing problematic shows up in the review I will add these to
> my user namespace tree.

This looks great; thank you! I think the design is effective.

One thought that pops to mind is: how does an admin query the current
number of active namespaces of a given type? (It's likely this is
already exposed somewhere and I just don't know where to look...)

-Kees

>
> These patches are also available at:
> git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace.git for-testing
>
> Eric W. Biederman (10):
>       sysctl: Stop implicitly passing current into sysctl_table_root.lookup
>       userns: Add per user namespace sysctls.
>       userns: Add a limit on the number of user namespaces
>       userns: Generalize the user namespace count into ucount
>       pidns: Add a limit on the number of pid namespaces
>       utsns: Add a limit on the number of uts namespaces
>       ipcns: Add a limit on the number of ipc namespaces
>       cgroupns: Add a limit on the number of cgroup namespaces
>       netns: Add a limit on the number of net namespaces
>       mntns: Add a limit on the number of mount namespaces.
>
>  fs/namespace.c                 |  19 ++++-
>  fs/proc/proc_sysctl.c          |  14 ++--
>  include/linux/sysctl.h         |   3 +-
>  include/linux/user_namespace.h |  40 +++++++++
>  ipc/namespace.c                |  42 +++++++---
>  kernel/cgroup.c                |  15 ++++
>  kernel/fork.c                  |   5 ++
>  kernel/pid_namespace.c         |  22 ++++-
>  kernel/user_namespace.c        | 184 ++++++++++++++++++++++++++++++++++++++---
>  kernel/utsname.c               |  31 +++++--
>  net/core/net_namespace.c       |  15 ++++
>  net/sysctl_net.c               |   4 +-
>  12 files changed, 351 insertions(+), 43 deletions(-)
>
> Eric

-- 
Kees Cook
Chrome OS & Brillo Security
_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linuxfoundation.org/mailman/listinfo/containers
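Added example, not part of the thread above and not code from the patchset: a small POSIX shell script that does what Kees asks about from userspace. It estimates the number of active namespaces of each type by deduplicating the `/proc/PID/ns/<type>` link targets of running tasks, and prints the limit next to it. Two things are assumptions rather than facts stated on this page: the sysctl files are taken to be `/proc/sys/user/max_<type>_namespaces` (the names the merged kernel uses; the cover letter only says "per user namespace sysctls"), and the count is only a lower bound, because a namespace kept alive solely by a bind mount or an open file descriptor has no task in `/proc` and so is invisible to this enumeration, even though the kernel still charges it against the limit.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): lower-bound count of live
# namespaces per type, shown next to the per-user-namespace limit.
#
# Assumption: the limit sysctls live at /proc/sys/user/max_<type>_namespaces,
# the path used by the merged kernel; the thread itself does not name them.

# Count distinct namespaces among readlink() results supplied on stdin,
# one "type:[inode]" token per line, which is the format of /proc/PID/ns/*.
# Blank or malformed lines are ignored so constructed input can be tested.
count_distinct_ns() {
    grep -E '^[a-z_]+:\[[0-9]+\]$' | sort -u | wc -l | tr -d ' '
}

# Enumerate one namespace type across all tasks that currently exist.
# Caveat: namespaces held only by a bind mount or an open fd are not seen
# here, so the result is a lower bound on what the kernel is counting.
live_ns_count() {
    ns_type="$1"    # user, pid, uts, ipc, net, mnt or cgroup
    for link in /proc/[0-9]*/ns/"$ns_type"; do
        readlink "$link" 2>/dev/null
    done | count_distinct_ns
}

# Limit enforced by the caller's user namespace for one type, or "n/a" when
# the running kernel does not expose the sysctl (assumed path, see above).
ns_limit() {
    f="/proc/sys/user/max_$1_namespaces"
    if [ -r "$f" ]; then
        cat "$f"
    else
        echo n/a
    fi
}

# One line per namespace type; run as root to see every task's links.
report() {
    for t in user pid uts ipc net mnt cgroup; do
        printf '%-7s in use (lower bound): %s  limit: %s\n' \
            "$t" "$(live_ns_count "$t")" "$(ns_limit "$t")"
    done
}

report
```

Unprivileged users can only read `/proc/PID/ns/*` links for their own processes, so the "in use" column is complete only when run as root; the limit column reflects the user namespace the shell runs in, which is the level at which the patchset lets a user namespace root lower the value further.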