From: "Serge E. Hallyn" <serge-A9i7LUbDfNHQT0dZR+AlfA@public.gmane.org>
To: "Eric W. Biederman" <ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
Cc: linux-fsdevel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
Linux Containers
<containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org>,
linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
Subject: Re: [PATCH review 5/6] userns: Allow the userns root to mount ramfs.
Date: Sun, 27 Jan 2013 18:23:21 +0000 [thread overview]
Message-ID: <20130127182321.GA338@mail.hallyn.com> (raw)
In-Reply-To: <87bocb5f8a.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
Quoting Eric W. Biederman (ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org):
> "Serge E. Hallyn" <serge-A9i7LUbDfNHQT0dZR+AlfA@public.gmane.org> writes:
>
> > Quoting Eric W. Biederman (ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org):
> >>
> >> There is no backing store to ramfs and file creation
> >> rules are the same as for any other filesystem so
> >> it is semantically safe to allow unprivileged users
> >> to mount it.
> >>
> >> The memory control group successfully limits how much
> >> memory ramfs can consume on any system that cares about
> >> a user namespace root using ramfs to exhaust memory
> >> the memory control group can be deployed.
> >
> > But that does mean that to avoid this new type of attack, when handed a
> > new kernel (i.e. by one's distro) one has to explicitly (know about and)
> > configure those limits. The "your distro should do this for you"
> > argument doesn't seem right. And I'd really prefer there not be
> > barriers to user namespaces being compiled in when there don't have to
> > be.
>
> The thing is this really isn't a new type of attack. There are a lot of
Of course.
> existing methods to exhaust memory with the default configuration on
> most distros. All this is is a new method to method to implement such
> an attack.
Right.
...
> > What was your thought on the suggestion to only allow FS_USERNS_MOUNT
> > mounts by users confined in a non-init memory cgroup?
>
> Over design.
Ok. Fair.
> So shrug. The mechanisms that I am suggesting people use already exist,
> and appear to have been present long enough to have made it into debian
> stable release February of 2011.
Heh - right, libcgroup does have its problems, but I don't think there
are any problems with the pam module actually. I'm meant to talk with
the debian maintainer for them soon, will test.
thanks,
-serge
WARNING: multiple messages have this Message-ID (diff)
From: "Serge E. Hallyn" <serge@hallyn.com>
To: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: "Serge E. Hallyn" <serge@hallyn.com>,
Linux Containers <containers@lists.linux-foundation.org>,
linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org
Subject: Re: [PATCH review 5/6] userns: Allow the userns root to mount ramfs.
Date: Sun, 27 Jan 2013 18:23:21 +0000 [thread overview]
Message-ID: <20130127182321.GA338@mail.hallyn.com> (raw)
In-Reply-To: <87bocb5f8a.fsf@xmission.com>
Quoting Eric W. Biederman (ebiederm@xmission.com):
> "Serge E. Hallyn" <serge@hallyn.com> writes:
>
> > Quoting Eric W. Biederman (ebiederm@xmission.com):
> >>
> >> There is no backing store to ramfs and file creation
> >> rules are the same as for any other filesystem so
> >> it is semantically safe to allow unprivileged users
> >> to mount it.
> >>
> >> The memory control group successfully limits how much
> >> memory ramfs can consume on any system that cares about
> >> a user namespace root using ramfs to exhaust memory
> >> the memory control group can be deployed.
> >
> > But that does mean that to avoid this new type of attack, when handed a
> > new kernel (i.e. by one's distro) one has to explicitly (know about and)
> > configure those limits. The "your distro should do this for you"
> > argument doesn't seem right. And I'd really prefer there not be
> > barriers to user namespaces being compiled in when there don't have to
> > be.
>
> The thing is this really isn't a new type of attack. There are a lot of
Of course.
> existing methods to exhaust memory with the default configuration on
> most distros. All this is is a new method to method to implement such
> an attack.
Right.
...
> > What was your thought on the suggestion to only allow FS_USERNS_MOUNT
> > mounts by users confined in a non-init memory cgroup?
>
> Over design.
Ok. Fair.
> So shrug. The mechanisms that I am suggesting people use already exist,
> and appear to have been present long enough to have made it into debian
> stable release February of 2011.
Heh - right, libcgroup does have its problems, but I don't think there
are any problems with the pam module actually. I'm meant to talk with
the debian maintainer for them soon, will test.
thanks,
-serge
next prev parent reply other threads:[~2013-01-27 18:23 UTC|newest]
Thread overview: 62+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-01-26 2:15 [PATCH review 0/6] miscelaneous user namespace patches Eric W. Biederman
2013-01-26 2:15 ` Eric W. Biederman
[not found] ` <87ehh8it9s.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2013-01-26 2:19 ` [PATCH review 1/6] userns: Avoid recursion in put_user_ns Eric W. Biederman
2013-01-26 2:19 ` Eric W. Biederman
2013-01-26 20:58 ` Serge E. Hallyn
[not found] ` <877gn0it3t.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2013-01-26 20:58 ` Serge E. Hallyn
2013-01-28 14:51 ` Vasily Kulikov
2013-01-28 14:51 ` Vasily Kulikov
2013-01-28 16:34 ` Eric W. Biederman
2013-01-28 16:34 ` Eric W. Biederman
2013-01-26 2:21 ` [PATCH review 2/6] userns: Allow any uid or gid mappings that don't overlap Eric W. Biederman
2013-01-26 2:21 ` Eric W. Biederman
[not found] ` <87zjzwhegj.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2013-01-26 21:08 ` Serge E. Hallyn
2013-01-26 21:08 ` Serge E. Hallyn
2013-01-28 14:28 ` Aristeu Rozanski
2013-01-28 14:28 ` Aristeu Rozanski
[not found] ` <20130128142816.GU17632-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2013-01-28 14:41 ` Lord Glauber Costa of Sealand
2013-01-28 14:41 ` Lord Glauber Costa of Sealand
[not found] ` <51068E23.5040000-bzQdu9zFT3WakBO8gow8eQ@public.gmane.org>
2013-01-28 15:12 ` Aristeu Rozanski
2013-01-28 15:12 ` Aristeu Rozanski
2013-01-26 2:22 ` [PATCH review 3/6] userns: Recommend use of memory control groups Eric W. Biederman
2013-01-26 2:22 ` Eric W. Biederman
[not found] ` <87txq4hedl.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2013-01-26 21:13 ` Serge E. Hallyn
2013-01-26 21:13 ` Serge E. Hallyn
[not found] ` <20130126211312.GD11274-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2013-01-27 6:19 ` Eric W. Biederman
2013-01-27 6:19 ` Eric W. Biederman
2013-01-28 7:37 ` Lord Glauber Costa of Sealand
2013-01-28 7:37 ` Lord Glauber Costa of Sealand
[not found] ` <51062AB5.9060203-bzQdu9zFT3WakBO8gow8eQ@public.gmane.org>
2013-01-28 7:50 ` Lord Glauber Costa of Sealand
2013-01-28 7:50 ` Lord Glauber Costa of Sealand
2013-01-28 8:14 ` Eric W. Biederman
[not found] ` <87k3qxu3kp.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2013-01-28 8:22 ` Lord Glauber Costa of Sealand
2013-01-28 8:22 ` Lord Glauber Costa of Sealand
[not found] ` <51063558.1010402-bzQdu9zFT3WakBO8gow8eQ@public.gmane.org>
2013-01-28 16:19 ` Eric W. Biederman
2013-01-28 16:19 ` Eric W. Biederman
[not found] ` <87k3qxs2ko.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2013-01-28 16:37 ` Lord Glauber Costa of Sealand
2013-01-28 16:37 ` Lord Glauber Costa of Sealand
2013-01-28 17:18 ` Eric W. Biederman
[not found] ` <5106A941.6060403-bzQdu9zFT3WakBO8gow8eQ@public.gmane.org>
2013-01-28 17:18 ` Eric W. Biederman
[not found] ` <51062DA8.1060804-bzQdu9zFT3WakBO8gow8eQ@public.gmane.org>
2013-01-28 8:14 ` Eric W. Biederman
2013-01-28 8:05 ` Eric W. Biederman
2013-01-28 8:05 ` Eric W. Biederman
2013-01-26 2:23 ` [PATCH review 4/6] userns: Allow the userns root to mount of devpts Eric W. Biederman
2013-01-26 2:23 ` Eric W. Biederman
[not found] ` <87obgchecv.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2013-01-26 21:22 ` Serge E. Hallyn
2013-01-26 21:22 ` Serge E. Hallyn
2013-01-26 2:26 ` [PATCH review 5/6] userns: Allow the userns root to mount ramfs Eric W. Biederman
2013-01-26 2:26 ` Eric W. Biederman
[not found] ` <87ip6khe7w.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2013-01-26 21:29 ` Serge E. Hallyn
2013-01-26 21:29 ` Serge E. Hallyn
[not found] ` <20130126212918.GG11274-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2013-01-27 6:09 ` Eric W. Biederman
2013-01-27 6:09 ` Eric W. Biederman
[not found] ` <87bocb5f8a.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2013-01-27 18:23 ` Serge E. Hallyn [this message]
2013-01-27 18:23 ` Serge E. Hallyn
2013-01-27 18:23 ` Serge E. Hallyn
2013-01-27 18:23 ` Serge E. Hallyn
2013-01-26 2:26 ` [PATCH review 6/6] userns: Allow the userns root to mount tmpfs Eric W. Biederman
2013-01-26 2:26 ` Eric W. Biederman
[not found] ` <87d2wshe6v.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2013-01-27 18:23 ` Serge E. Hallyn
2013-01-27 18:23 ` Serge E. Hallyn
2013-01-28 1:28 ` Gao feng
2013-01-28 1:28 ` Gao feng
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130127182321.GA338@mail.hallyn.com \
--to=serge-a9i7lubdfnhqt0dzr+alfa@public.gmane.org \
--cc=containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org \
--cc=ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org \
--cc=linux-fsdevel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.