On Thu, Oct 06, 2016 at 02:33:53PM -0500, Eric W. Biederman wrote:
> Andrei Vagin <avagin@xxxxxxxxxxxxx> writes:
>
> > Hello Eric,
> >
> > What do you think about this series? It should be useful to know current
> > usage for user counters.
>
> I am in favor of knowing the values. Unless there is a good reason not
> to we should export the values with a read-only sysctl. I believe that
> is what other similar limits do.

I want to have a place where I will be able to get limits for all users.
I can't imagine how to do this with a sysctl. It would look like multiline
sysctls, which doesn't look good. I will think. If you have any ideas,
let me know. Thanks.

> As for having per process knowledge I think that is probably something
> we want to solve for these sysctls as well.
>
> I don't think I saw anyone looking at this code from the perspective of
> information leaks. I think we need to ask that question, as similar
> interfaces have been problematic from an information leak point of view.

It's a good question.

> In short I think what you are trying to do here is valuable, I just want
> to make certain we have a maintainable pattern when we export these.
>
> Eric
>
> > Thanks,
> > Andrei
> >
> > On Mon, Aug 15, 2016 at 01:10:20PM -0700, Andrei Vagin wrote:
> >> Recently Eric added user namespace counters. User namespace counters are
> >> a feature that allows limiting the number of various kernel objects a
> >> user can create. These limits are set via /proc/sys/user/ sysctls on a
> >> per user namespace basis and are applicable to all users in that
> >> namespace.
> >>
> >> User namespace counters are not in the upstream tree yet,
> >> you can find them in Eric's tree:
> >> https://git.kernel.org/cgit/linux/kernel/git/ebiederm/user-namespace.git/log/?h=for-testing
> >>
> >> This patch adds /proc/<pid>/userns_counts files to provide current usage
> >> of user namespace counters.
> >>
> >> > cat /proc/813/userns_counts
> >> user_namespaces 101000 1
> >> pid_namespaces 101000 1
> >> ipc_namespaces 101000 4
> >> net_namespaces 101000 2
> >> mnt_namespaces 101000 5
> >> mnt_namespaces 100000 1
> >>
> >> The meanings of the columns are as follows, from left to right:
> >>
> >> Name   Object name
> >> UID    User ID
> >> Usage  Current usage
> >>
> >> The full documentation is in the second patch.
> >>
> >> v2: - describe this file in Documentation/filesystems/proc.txt
> >>     - move and rename into /proc/<pid>/userns_counts
> >>
> >> Cc: Serge Hallyn <serge.hallyn@xxxxxxxxxxxxx>
> >> Cc: Kees Cook <keescook@xxxxxxxxxxxx>
> >> Cc: "Eric W. Biederman" <ebiederm@xxxxxxxxxxxx>
> >> Signed-off-by: Andrei Vagin <avagin@xxxxxxxxxx>
> >>
> >> Andrei Vagin (1):
> >>   kernel: show current values of user namespace counters
> >>
> >> Kirill Kolyshkin (1):
> >>   Documentation: describe /proc/<pid>/userns_counts
> >>
> >>  Documentation/filesystems/proc.txt | 30 +++++++++++
> >>  fs/proc/array.c                    | 55 ++++++++++++++++++++
> >>  fs/proc/base.c                     |  1 +
> >>  fs/proc/internal.h                 |  1 +
> >>  include/linux/user_namespace.h     |  8 +++
> >>  kernel/ucount.c                    | 102 +++++++++++++++++++++++++++++++++++++
> >>  6 files changed, 197 insertions(+)
> >>
> >> --
> >> 2.5.5

_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linuxfoundation.org/mailman/listinfo/containers
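A consumer of the three-column format described in the cover letter, written as an added example (not code from the patch series or from the kernel): it parses the proposed /proc/<pid>/userns_counts output into (object, UID) rows and flags rows approaching a limit. The limit values are a constructed stand-in for the /proc/sys/user/max_<object> sysctls the thread refers to; the counts are the cover letter's own sample.

```python
#!/usr/bin/env python3
"""Parse the proposed /proc/<pid>/userns_counts format and report which
(object, UID) rows are close to their limit. Added example, not from the
patch series."""
import sys

# Constructed sample: the cover letter's example output, verbatim.
SAMPLE_COUNTS = """\
user_namespaces 101000 1
pid_namespaces 101000 1
ipc_namespaces 101000 4
net_namespaces 101000 2
mnt_namespaces 101000 5
mnt_namespaces 100000 1
"""

# Constructed sample limits, standing in for /proc/sys/user/max_<name>.
SAMPLE_LIMITS = {"user_namespaces": 100, "pid_namespaces": 100,
                 "ipc_namespaces": 5, "net_namespaces": 100,
                 "mnt_namespaces": 6}


def parse_userns_counts(text):
    """Return {(name, uid): usage}.

    The key must include the UID: one object name is listed once per UID
    that owns objects in the namespace (mnt_namespaces appears for both
    101000 and 100000 in the sample), so keying on name alone drops rows."""
    counts = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 3 columns, got {len(fields)}")
        key = (fields[0], int(fields[1]))
        if key in counts:
            raise ValueError(f"line {lineno}: duplicate row for {key}")
        counts[key] = int(fields[2])
    return counts


def near_limit(counts, limits, threshold=0.8):
    """Rows at or above threshold*limit as (name, uid, usage, limit), sorted
    by (name, uid). Objects without a known limit are skipped."""
    return [(name, uid, usage, limits[name])
            for (name, uid), usage in sorted(counts.items())
            if name in limits and usage >= threshold * limits[name]]


if __name__ == "__main__":
    # With a PID argument read the real file, otherwise use the sample.
    text = (open(f"/proc/{sys.argv[1]}/userns_counts").read()
            if len(sys.argv) > 1 else SAMPLE_COUNTS)
    for row in near_limit(parse_userns_counts(text), SAMPLE_LIMITS):
        print("%s uid %d: %d of %d" % row)
```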