Re: [PATCH v10 26/27] ima: Limit number of policy rules in non-init_ima_ns

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

To: Mimi Zohar <zohar@xxxxxxxxxxxxx>, linux-integrity@xxxxxxxxxxxxxxx
Subject: Re: [PATCH v10 26/27] ima: Limit number of policy rules in non-init_ima_ns
From: Stefan Berger <stefanb@xxxxxxxxxxxxx>
Date: Wed, 23 Feb 2022 16:06:39 -0500
Cc: serge@xxxxxxxxxx, christian.brauner@xxxxxxxxxx, containers@xxxxxxxxxxxxxxx, dmitry.kasatkin@xxxxxxxxx, ebiederm@xxxxxxxxxxxx, krzysztof.struczynski@xxxxxxxxxx, roberto.sassu@xxxxxxxxxx, mpeters@xxxxxxxxxx, lhinds@xxxxxxxxxx, lsturman@xxxxxxxxxx, puiterwi@xxxxxxxxxx, jejb@xxxxxxxxxxxxx, jamjoom@xxxxxxxxxx, linux-kernel@xxxxxxxxxxxxxxx, paul@xxxxxxxxxxxxxx, rgb@xxxxxxxxxx, linux-security-module@xxxxxxxxxxxxxxx, jmorris@xxxxxxxxx
In-reply-to: <9efd4502617e39280ca47a91d395eae154a328a4.camel@linux.ibm.com>
References: <20220201203735.164593-1-stefanb@linux.ibm.com> <20220201203735.164593-27-stefanb@linux.ibm.com> <5e4a862917785972281bbcb483404da01b71e801.camel@linux.ibm.com> <479f09e7-0d39-0281-45ef-5cce4861d24d@linux.ibm.com> <8a4f9cb6cab5ba04eb61e346d0fca16efa4c6703.camel@linux.ibm.com> <46156a90-d6a6-a0cc-247a-3ceb29f1cf75@linux.ibm.com> <9efd4502617e39280ca47a91d395eae154a328a4.camel@linux.ibm.com>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.5.0


On 2/23/22 15:59, Mimi Zohar wrote:

On Wed, 2022-02-23 at 15:45 -0500, Stefan Berger wrote:

avoid huge kernel memory consumption in the case that a cgroup limit for
memory was not set up.

Ok, that is the motivation for the this patch.

Any user can create several user namespaces and with that several IMAnamespaces and now we want to limit the number of rules inside an IMAnamespace to limit the amount of kernel memory the policy rules areconsuming. It isn't necessarily related to cgroups but a hard limit onthe number of rules to avoid wasted of memory.

References:
- [PATCH v10 00/27] ima: Namespace IMA with audit support in IMA-ns
  - From: Stefan Berger
- [PATCH v10 26/27] ima: Limit number of policy rules in non-init_ima_ns
  - From: Stefan Berger
- Re: [PATCH v10 26/27] ima: Limit number of policy rules in non-init_ima_ns
  - From: Mimi Zohar
- Re: [PATCH v10 26/27] ima: Limit number of policy rules in non-init_ima_ns
  - From: Stefan Berger
- Re: [PATCH v10 26/27] ima: Limit number of policy rules in non-init_ima_ns
  - From: Mimi Zohar
- Re: [PATCH v10 26/27] ima: Limit number of policy rules in non-init_ima_ns
  - From: Stefan Berger
- Re: [PATCH v10 26/27] ima: Limit number of policy rules in non-init_ima_ns
  - From: Mimi Zohar

Prev by Date: Re: [PATCH v10 26/27] ima: Limit number of policy rules in non-init_ima_ns
Next by Date: Re: [PATCH v10 24/27] ima: Introduce securityfs file to activate an IMA namespace
Previous by thread: Re: [PATCH v10 26/27] ima: Limit number of policy rules in non-init_ima_ns
Next by thread: [PATCH v10 03/27] ima: Return error code obtained from securityfs functions
Index(es):
- Date
- Thread

[Index of Archives] [Cgroups] [Netdev] [Linux Wireless] [Kernel Newbies] [Security] [Linux for Hams] [Netfilter] [Bugtraq] [Yosemite Forum] [MIPS Linux] [ARM Linux] [Linux RAID] [Linux Admin] [Samba]