Andrei Vagin <avagin@xxxxxxxxxxxxx> writes:

> Hello Eric,
>
> What do you think about this series? It should be useful to know current
> usage for user counters.

I am in favor of knowing the values.

Unless there is a good reason not to we should export the values with a
read-only sysctl. I believe that is what other similar limits do.

As for having per process knowledge I think that is probably something
we want to solve for these sysctls as well.

I don't think I saw anyone looking at this code from the perspective of
information leaks. I think we need to ask that question, as similar
interfaces have been problematic from an information leak point of view.

In short, what you are trying to do here is valuable, I just want to make
certain we have a maintainable pattern when we export these.

Eric

>
> Thanks,
> Andrei
>
> On Mon, Aug 15, 2016 at 01:10:20PM -0700, Andrei Vagin wrote:
>> Recently Eric added user namespace counters. User namespace counters are
>> a feature that allows limiting the number of various kernel objects a
>> user can create. These limits are set via /proc/sys/user/ sysctls on a
>> per user namespace basis and are applicable to all users in that
>> namespace.
>>
>> User namespace counters are not in the upstream tree yet,
>> you can find them in Eric's tree:
>> https://git.kernel.org/cgit/linux/kernel/git/ebiederm/user-namespace.git/log/?h=for-testing
>>
>> This patch adds /proc/<pid>/userns_counts files to provide current usage
>> of user namespace counters.
>>
>> > cat /proc/813/userns_counts
>> user_namespaces 101000 1
>> pid_namespaces 101000 1
>> ipc_namespaces 101000 4
>> net_namespaces 101000 2
>> mnt_namespaces 101000 5
>> mnt_namespaces 100000 1
>>
>> The meanings of the columns are as follows, from left to right:
>>
>> Name   Object name
>> UID    User ID
>> Usage  Current usage
>>
>> The full documentation is in the second patch.
>>
>> v2: - describe this file in Documentation/filesystems/proc.txt
>>     - move and rename into /proc/<pid>/userns_counts
>>
>> Cc: Serge Hallyn <serge.hallyn@xxxxxxxxxxxxx>
>> Cc: Kees Cook <keescook@xxxxxxxxxxxx>
>> Cc: "Eric W. Biederman" <ebiederm@xxxxxxxxxxxx>
>> Signed-off-by: Andrei Vagin <avagin@xxxxxxxxxx>
>>
>> Andrei Vagin (1):
>>   kernel: show current values of user namespace counters
>>
>> Kirill Kolyshkin (1):
>>   Documentation: describe /proc/<pid>/userns_counts
>>
>>  Documentation/filesystems/proc.txt |  30 +++++++++++
>>  fs/proc/array.c                    |  55 ++++++++++++++++++++
>>  fs/proc/base.c                     |   1 +
>>  fs/proc/internal.h                 |   1 +
>>  include/linux/user_namespace.h     |   8 +++
>>  kernel/ucount.c                    | 102 +++++++++++++++++++++++++++++++++++++
>>  6 files changed, 197 insertions(+)
>>
>> --
>> 2.5.5

_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linuxfoundation.org/mailman/listinfo/containers
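As an added example (not code from the patch series or from the thread), a small Python parser for the three-column userns_counts format described above, which flags counters that are approaching the per-namespace limits set under /proc/sys/user/. The counts text and limit values are constructed samples, and the `max_<object>` key naming for the limits is an assumption.

```python
# Constructed sample in the three-column format shown in the thread
# (Name, UID, Usage); it is not output from a running kernel.
SAMPLE_COUNTS = """\
user_namespaces 101000 1
pid_namespaces 101000 1
ipc_namespaces 101000 4
net_namespaces 101000 2
mnt_namespaces 101000 5
mnt_namespaces 100000 1
"""

# Constructed limits, keyed like the /proc/sys/user/max_<object> sysctls
# (assumed naming; on a real system read the values from /proc/sys/user/).
SAMPLE_LIMITS = {
    "max_user_namespaces": 100,
    "max_pid_namespaces": 100,
    "max_ipc_namespaces": 5,
    "max_net_namespaces": 100,
    "max_mnt_namespaces": 5,
}


def parse_userns_counts(text):
    """Parse userns_counts text into {(object_name, uid): usage}.

    Every non-empty line must carry exactly three fields; anything else
    is reported as a format error instead of being silently skipped.
    """
    counts = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {len(fields)}")
        name, uid, usage = fields
        counts[(name, int(uid))] = int(usage)
    return counts


def near_limit(counts, limits, warn_ratio=0.8):
    """Return [(name, uid, usage, limit)] for counters at or above warn_ratio of their limit."""
    hits = []
    for (name, uid), usage in sorted(counts.items()):
        limit = limits.get("max_" + name)
        if limit is not None and usage >= warn_ratio * limit:
            hits.append((name, uid, usage, limit))
    return hits
```

Running `near_limit(parse_userns_counts(SAMPLE_COUNTS), SAMPLE_LIMITS)` on the sample reports the ipc and mnt counters for UID 101000, which sit at 4/5 and 5/5.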