diff for duplicates of <cover.1613392826.git.gladkov.alexey@gmail.com> diff --git a/a/1.txt b/N1/1.txt index 20406e4..cc8aedd 100644 --- a/a/1.txt +++ b/N1/1.txt @@ -1,28 +1,136 @@ -Spam detection software, running on the system "smtp3.osuosl.org", -has identified this incoming email as possible spam. The original -message has been attached to this so you can view it or label -similar future email. If you have any questions, see -the administrator of that system for details. - -Content preview: Preface ------- These patches are for binding the rlimit counters - to a user in user namespace. This patch set can be applied on top of: git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git - v5.11 - -Content analysis details: (5.2 points, 5.0 required) - - pts rule name description ----- ---------------------- -------------------------------------------------- - 0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60% - [score: 0.4674] - 1.0 FORGED_GMAIL_RCVD 'From' gmail.com does not match 'Received' - headers - 0.7 SPF_SOFTFAIL SPF: sender does not match SPF record (softfail) - 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail - provider (gladkov.alexey[at]gmail.com) - 0.0 DKIM_ADSP_CUSTOM_MED No valid author signature, adsp_override is - CUSTOM_MED - 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record - 0.9 NML_ADSP_CUSTOM_MED ADSP custom_med hit, and not from a mailing - list - 1.9 SPOOFED_FREEMAIL No description available. - 0.0 SPOOF_GMAIL_MID From Gmail but it doesn't seem to be... +Preface +------- +These patches are for binding the rlimit counters to a user in user namespace. +This patch set can be applied on top of: + +git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git v5.11 + +Problem +------- +The RLIMIT_NPROC, RLIMIT_MEMLOCK, RLIMIT_SIGPENDING, RLIMIT_MSGQUEUE rlimits +implementation places the counters in user_struct [1]. These limits are global +between processes and persists for the lifetime of the process, even if +processes are in different user namespaces. + +To illustrate the impact of rlimits, let's say there is a program that does not +fork. Some service-A wants to run this program as user X in multiple containers. +Since the program never fork the service wants to set RLIMIT_NPROC=1. + +service-A + \- program (uid=1000, container1, rlimit_nproc=1) + \- program (uid=1000, container2, rlimit_nproc=1) + +The service-A sets RLIMIT_NPROC=1 and runs the program in container1. When the +service-A tries to run a program with RLIMIT_NPROC=1 in container2 it fails +since user X already has one running process. + +The problem is not that the limit from container1 affects container2. The +problem is that limit is verified against the global counter that reflects +the number of processes in all containers. + +This problem can be worked around by using different users for each container +but in this case we face a different problem of uid mapping when transferring +files from one container to another. + +Eric W. Biederman mentioned this issue [2][3]. + +Introduced changes +------------------ +To address the problem, we bind rlimit counters to user namespace. Each counter +reflects the number of processes in a given uid in a given user namespace. The +result is a tree of rlimit counters with the biggest value at the root (aka +init_user_ns). The limit is considered exceeded if it's exceeded up in the tree. + +[1] https://lore.kernel.org/containers/87imd2incs.fsf@x220.int.ebiederm.org/ +[2] https://lists.linuxfoundation.org/pipermail/containers/2020-August/042096.html +[3] https://lists.linuxfoundation.org/pipermail/containers/2020-October/042524.html + +Changelog +--------- +v6: +* Fixed issues found by lkp-tests project. +* Rebased onto v5.11. + +v5: +* Split the first commit into two commits: change ucounts.count type to atomic_long_t + and add ucounts to cred. These commits were merged by mistake during the rebase. +* The __get_ucounts() renamed to alloc_ucounts(). +* The cred.ucounts update has been moved from commit_creds() as it did not allow + to handle errors. +* Added error handling of set_cred_ucounts(). + +v4: +* Reverted the type change of ucounts.count to refcount_t. +* Fixed typo in the kernel/cred.c + +v3: +* Added get_ucounts() function to increase the reference count. The existing + get_counts() function renamed to __get_ucounts(). +* The type of ucounts.count changed from atomic_t to refcount_t. +* Dropped 'const' from set_cred_ucounts() arguments. +* Fixed a bug with freeing the cred structure after calling cred_alloc_blank(). +* Commit messages have been updated. +* Added selftest. + +v2: +* RLIMIT_MEMLOCK, RLIMIT_SIGPENDING and RLIMIT_MSGQUEUE are migrated to ucounts. +* Added ucounts for pair uid and user namespace into cred. +* Added the ability to increase ucount by more than 1. + +v1: +* After discussion with Eric W. Biederman, I increased the size of ucounts to + atomic_long_t. +* Added ucount_max to avoid the fork bomb. + +-- + +Alexey Gladkov (7): + Increase size of ucounts to atomic_long_t + Add a reference to ucounts for each cred + Reimplement RLIMIT_NPROC on top of ucounts + Reimplement RLIMIT_MSGQUEUE on top of ucounts + Reimplement RLIMIT_SIGPENDING on top of ucounts + Reimplement RLIMIT_MEMLOCK on top of ucounts + kselftests: Add test to check for rlimit changes in different user + namespaces + + fs/exec.c | 6 +- + fs/hugetlbfs/inode.c | 16 +- + fs/io-wq.c | 22 ++- + fs/io-wq.h | 2 +- + fs/io_uring.c | 2 +- + fs/proc/array.c | 2 +- + include/linux/cred.h | 4 + + include/linux/hugetlb.h | 4 +- + include/linux/mm.h | 4 +- + include/linux/sched/user.h | 7 - + include/linux/shmem_fs.h | 2 +- + include/linux/signal_types.h | 4 +- + include/linux/user_namespace.h | 24 ++- + ipc/mqueue.c | 29 ++-- + ipc/shm.c | 30 ++-- + kernel/cred.c | 50 +++++- + kernel/exit.c | 2 +- + kernel/fork.c | 18 +- + kernel/signal.c | 53 +++--- + kernel/sys.c | 14 +- + kernel/ucount.c | 120 +++++++++++-- + kernel/user.c | 3 - + kernel/user_namespace.c | 9 +- + mm/memfd.c | 5 +- + mm/mlock.c | 35 ++-- + mm/mmap.c | 4 +- + mm/shmem.c | 8 +- + tools/testing/selftests/Makefile | 1 + + tools/testing/selftests/rlimits/.gitignore | 2 + + tools/testing/selftests/rlimits/Makefile | 6 + + tools/testing/selftests/rlimits/config | 1 + + .../selftests/rlimits/rlimits-per-userns.c | 161 ++++++++++++++++++ + 32 files changed, 495 insertions(+), 155 deletions(-) + create mode 100644 tools/testing/selftests/rlimits/.gitignore + create mode 100644 tools/testing/selftests/rlimits/Makefile + create mode 100644 tools/testing/selftests/rlimits/config + create mode 100644 tools/testing/selftests/rlimits/rlimits-per-userns.c + +-- +2.29.2 diff --git a/a/2.1.hdr b/a/2.1.hdr deleted file mode 100644 index a5663a8..0000000 --- a/a/2.1.hdr +++ /dev/null @@ -1,32 +0,0 @@ -Return-Path: <gladkov.alexey@gmail.com> -X-Greylist: from auto-whitelisted by SQLgrey-1.8.0 -Received: from raptor.unsafe.ru (raptor.unsafe.ru [5.9.43.93]) - by smtp3.osuosl.org (Postfix) with ESMTP id 0061B6F491 - for <containers@lists.linux-foundation.org>; Mon, 15 Feb 2021 12:42:43 +0000 (UTC) -Received: from comp-core-i7-2640m-0182e6.redhat.com (ip-94-113-225-162.net.upcbroadband.cz [94.113.225.162]) - (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) - (No client certificate requested) - by raptor.unsafe.ru (Postfix) with ESMTPSA id 255A020460; - Mon, 15 Feb 2021 12:42:23 +0000 (UTC) -From: Alexey Gladkov <gladkov.alexey@gmail.com> -To: LKML <linux-kernel@vger.kernel.org>, - io-uring@vger.kernel.org, - Kernel Hardening <kernel-hardening@lists.openwall.com>, - Linux Containers <containers@lists.linux-foundation.org>, - linux-mm@kvack.org -Cc: Alexey Gladkov <legion@kernel.org>, - Andrew Morton <akpm@linux-foundation.org>, - Christian Brauner <christian.brauner@ubuntu.com>, - "Eric W . Biederman" <ebiederm@xmission.com>, - Jann Horn <jannh@google.com>, - Jens Axboe <axboe@kernel.dk>, - Kees Cook <keescook@chromium.org>, - Linus Torvalds <torvalds@linux-foundation.org>, - Oleg Nesterov <oleg@redhat.com> -Subject: [PATCH v6 0/7] Count rlimits in each user namespace -Date: Mon, 15 Feb 2021 13:41:07 +0100 -Message-Id: <cover.1613392826.git.gladkov.alexey@gmail.com> -X-Mailer: git-send-email 2.29.2 -MIME-Version: 1.0 -Content-Transfer-Encoding: 8bit -X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.6.1 (raptor.unsafe.ru [5.9.43.93]); Mon, 15 Feb 2021 12:42:40 +0000 (UTC) diff --git a/a/2.1.txt b/a/2.1.txt deleted file mode 100644 index cc8aedd..0000000 --- a/a/2.1.txt +++ /dev/null @@ -1,136 +0,0 @@ -Preface -------- -These patches are for binding the rlimit counters to a user in user namespace. -This patch set can be applied on top of: - -git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git v5.11 - -Problem -------- -The RLIMIT_NPROC, RLIMIT_MEMLOCK, RLIMIT_SIGPENDING, RLIMIT_MSGQUEUE rlimits -implementation places the counters in user_struct [1]. These limits are global -between processes and persists for the lifetime of the process, even if -processes are in different user namespaces. - -To illustrate the impact of rlimits, let's say there is a program that does not -fork. Some service-A wants to run this program as user X in multiple containers. -Since the program never fork the service wants to set RLIMIT_NPROC=1. - -service-A - \- program (uid=1000, container1, rlimit_nproc=1) - \- program (uid=1000, container2, rlimit_nproc=1) - -The service-A sets RLIMIT_NPROC=1 and runs the program in container1. When the -service-A tries to run a program with RLIMIT_NPROC=1 in container2 it fails -since user X already has one running process. - -The problem is not that the limit from container1 affects container2. The -problem is that limit is verified against the global counter that reflects -the number of processes in all containers. - -This problem can be worked around by using different users for each container -but in this case we face a different problem of uid mapping when transferring -files from one container to another. - -Eric W. Biederman mentioned this issue [2][3]. - -Introduced changes ------------------- -To address the problem, we bind rlimit counters to user namespace. Each counter -reflects the number of processes in a given uid in a given user namespace. The -result is a tree of rlimit counters with the biggest value at the root (aka -init_user_ns). The limit is considered exceeded if it's exceeded up in the tree. - -[1] https://lore.kernel.org/containers/87imd2incs.fsf@x220.int.ebiederm.org/ -[2] https://lists.linuxfoundation.org/pipermail/containers/2020-August/042096.html -[3] https://lists.linuxfoundation.org/pipermail/containers/2020-October/042524.html - -Changelog ---------- -v6: -* Fixed issues found by lkp-tests project. -* Rebased onto v5.11. - -v5: -* Split the first commit into two commits: change ucounts.count type to atomic_long_t - and add ucounts to cred. These commits were merged by mistake during the rebase. -* The __get_ucounts() renamed to alloc_ucounts(). -* The cred.ucounts update has been moved from commit_creds() as it did not allow - to handle errors. -* Added error handling of set_cred_ucounts(). - -v4: -* Reverted the type change of ucounts.count to refcount_t. -* Fixed typo in the kernel/cred.c - -v3: -* Added get_ucounts() function to increase the reference count. The existing - get_counts() function renamed to __get_ucounts(). -* The type of ucounts.count changed from atomic_t to refcount_t. -* Dropped 'const' from set_cred_ucounts() arguments. -* Fixed a bug with freeing the cred structure after calling cred_alloc_blank(). -* Commit messages have been updated. -* Added selftest. - -v2: -* RLIMIT_MEMLOCK, RLIMIT_SIGPENDING and RLIMIT_MSGQUEUE are migrated to ucounts. -* Added ucounts for pair uid and user namespace into cred. -* Added the ability to increase ucount by more than 1. - -v1: -* After discussion with Eric W. Biederman, I increased the size of ucounts to - atomic_long_t. -* Added ucount_max to avoid the fork bomb. - --- - -Alexey Gladkov (7): - Increase size of ucounts to atomic_long_t - Add a reference to ucounts for each cred - Reimplement RLIMIT_NPROC on top of ucounts - Reimplement RLIMIT_MSGQUEUE on top of ucounts - Reimplement RLIMIT_SIGPENDING on top of ucounts - Reimplement RLIMIT_MEMLOCK on top of ucounts - kselftests: Add test to check for rlimit changes in different user - namespaces - - fs/exec.c | 6 +- - fs/hugetlbfs/inode.c | 16 +- - fs/io-wq.c | 22 ++- - fs/io-wq.h | 2 +- - fs/io_uring.c | 2 +- - fs/proc/array.c | 2 +- - include/linux/cred.h | 4 + - include/linux/hugetlb.h | 4 +- - include/linux/mm.h | 4 +- - include/linux/sched/user.h | 7 - - include/linux/shmem_fs.h | 2 +- - include/linux/signal_types.h | 4 +- - include/linux/user_namespace.h | 24 ++- - ipc/mqueue.c | 29 ++-- - ipc/shm.c | 30 ++-- - kernel/cred.c | 50 +++++- - kernel/exit.c | 2 +- - kernel/fork.c | 18 +- - kernel/signal.c | 53 +++--- - kernel/sys.c | 14 +- - kernel/ucount.c | 120 +++++++++++-- - kernel/user.c | 3 - - kernel/user_namespace.c | 9 +- - mm/memfd.c | 5 +- - mm/mlock.c | 35 ++-- - mm/mmap.c | 4 +- - mm/shmem.c | 8 +- - tools/testing/selftests/Makefile | 1 + - tools/testing/selftests/rlimits/.gitignore | 2 + - tools/testing/selftests/rlimits/Makefile | 6 + - tools/testing/selftests/rlimits/config | 1 + - .../selftests/rlimits/rlimits-per-userns.c | 161 ++++++++++++++++++ - 32 files changed, 495 insertions(+), 155 deletions(-) - create mode 100644 tools/testing/selftests/rlimits/.gitignore - create mode 100644 tools/testing/selftests/rlimits/Makefile - create mode 100644 tools/testing/selftests/rlimits/config - create mode 100644 tools/testing/selftests/rlimits/rlimits-per-userns.c - --- -2.29.2 diff --git a/a/2.bin b/a/2.bin deleted file mode 100644 index 584640b..0000000 --- a/a/2.bin +++ /dev/null @@ -1,169 +0,0 @@ -Return-Path: <gladkov.alexey@gmail.com> -X-Greylist: from auto-whitelisted by SQLgrey-1.8.0 -Received: from raptor.unsafe.ru (raptor.unsafe.ru [5.9.43.93]) - by smtp3.osuosl.org (Postfix) with ESMTP id 0061B6F491 - for <containers@lists.linux-foundation.org>; Mon, 15 Feb 2021 12:42:43 +0000 (UTC) -Received: from comp-core-i7-2640m-0182e6.redhat.com (ip-94-113-225-162.net.upcbroadband.cz [94.113.225.162]) - (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) - (No client certificate requested) - by raptor.unsafe.ru (Postfix) with ESMTPSA id 255A020460; - Mon, 15 Feb 2021 12:42:23 +0000 (UTC) -From: Alexey Gladkov <gladkov.alexey@gmail.com> -To: LKML <linux-kernel@vger.kernel.org>, - io-uring@vger.kernel.org, - Kernel Hardening <kernel-hardening@lists.openwall.com>, - Linux Containers <containers@lists.linux-foundation.org>, - linux-mm@kvack.org -Cc: Alexey Gladkov <legion@kernel.org>, - Andrew Morton <akpm@linux-foundation.org>, - Christian Brauner <christian.brauner@ubuntu.com>, - "Eric W . Biederman" <ebiederm@xmission.com>, - Jann Horn <jannh@google.com>, - Jens Axboe <axboe@kernel.dk>, - Kees Cook <keescook@chromium.org>, - Linus Torvalds <torvalds@linux-foundation.org>, - Oleg Nesterov <oleg@redhat.com> -Subject: [PATCH v6 0/7] Count rlimits in each user namespace -Date: Mon, 15 Feb 2021 13:41:07 +0100 -Message-Id: <cover.1613392826.git.gladkov.alexey@gmail.com> -X-Mailer: git-send-email 2.29.2 -MIME-Version: 1.0 -Content-Transfer-Encoding: 8bit -X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.6.1 (raptor.unsafe.ru [5.9.43.93]); Mon, 15 Feb 2021 12:42:40 +0000 (UTC) - -Preface -------- -These patches are for binding the rlimit counters to a user in user namespace. -This patch set can be applied on top of: - -git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git v5.11 - -Problem -------- -The RLIMIT_NPROC, RLIMIT_MEMLOCK, RLIMIT_SIGPENDING, RLIMIT_MSGQUEUE rlimits -implementation places the counters in user_struct [1]. These limits are global -between processes and persists for the lifetime of the process, even if -processes are in different user namespaces. - -To illustrate the impact of rlimits, let's say there is a program that does not -fork. Some service-A wants to run this program as user X in multiple containers. -Since the program never fork the service wants to set RLIMIT_NPROC=1. - -service-A - \- program (uid=1000, container1, rlimit_nproc=1) - \- program (uid=1000, container2, rlimit_nproc=1) - -The service-A sets RLIMIT_NPROC=1 and runs the program in container1. When the -service-A tries to run a program with RLIMIT_NPROC=1 in container2 it fails -since user X already has one running process. - -The problem is not that the limit from container1 affects container2. The -problem is that limit is verified against the global counter that reflects -the number of processes in all containers. - -This problem can be worked around by using different users for each container -but in this case we face a different problem of uid mapping when transferring -files from one container to another. - -Eric W. Biederman mentioned this issue [2][3]. - -Introduced changes ------------------- -To address the problem, we bind rlimit counters to user namespace. Each counter -reflects the number of processes in a given uid in a given user namespace. The -result is a tree of rlimit counters with the biggest value at the root (aka -init_user_ns). The limit is considered exceeded if it's exceeded up in the tree. - -[1] https://lore.kernel.org/containers/87imd2incs.fsf@x220.int.ebiederm.org/ -[2] https://lists.linuxfoundation.org/pipermail/containers/2020-August/042096.html -[3] https://lists.linuxfoundation.org/pipermail/containers/2020-October/042524.html - -Changelog ---------- -v6: -* Fixed issues found by lkp-tests project. -* Rebased onto v5.11. - -v5: -* Split the first commit into two commits: change ucounts.count type to atomic_long_t - and add ucounts to cred. These commits were merged by mistake during the rebase. -* The __get_ucounts() renamed to alloc_ucounts(). -* The cred.ucounts update has been moved from commit_creds() as it did not allow - to handle errors. -* Added error handling of set_cred_ucounts(). - -v4: -* Reverted the type change of ucounts.count to refcount_t. -* Fixed typo in the kernel/cred.c - -v3: -* Added get_ucounts() function to increase the reference count. The existing - get_counts() function renamed to __get_ucounts(). -* The type of ucounts.count changed from atomic_t to refcount_t. -* Dropped 'const' from set_cred_ucounts() arguments. -* Fixed a bug with freeing the cred structure after calling cred_alloc_blank(). -* Commit messages have been updated. -* Added selftest. - -v2: -* RLIMIT_MEMLOCK, RLIMIT_SIGPENDING and RLIMIT_MSGQUEUE are migrated to ucounts. -* Added ucounts for pair uid and user namespace into cred. -* Added the ability to increase ucount by more than 1. - -v1: -* After discussion with Eric W. Biederman, I increased the size of ucounts to - atomic_long_t. -* Added ucount_max to avoid the fork bomb. - --- - -Alexey Gladkov (7): - Increase size of ucounts to atomic_long_t - Add a reference to ucounts for each cred - Reimplement RLIMIT_NPROC on top of ucounts - Reimplement RLIMIT_MSGQUEUE on top of ucounts - Reimplement RLIMIT_SIGPENDING on top of ucounts - Reimplement RLIMIT_MEMLOCK on top of ucounts - kselftests: Add test to check for rlimit changes in different user - namespaces - - fs/exec.c | 6 +- - fs/hugetlbfs/inode.c | 16 +- - fs/io-wq.c | 22 ++- - fs/io-wq.h | 2 +- - fs/io_uring.c | 2 +- - fs/proc/array.c | 2 +- - include/linux/cred.h | 4 + - include/linux/hugetlb.h | 4 +- - include/linux/mm.h | 4 +- - include/linux/sched/user.h | 7 - - include/linux/shmem_fs.h | 2 +- - include/linux/signal_types.h | 4 +- - include/linux/user_namespace.h | 24 ++- - ipc/mqueue.c | 29 ++-- - ipc/shm.c | 30 ++-- - kernel/cred.c | 50 +++++- - kernel/exit.c | 2 +- - kernel/fork.c | 18 +- - kernel/signal.c | 53 +++--- - kernel/sys.c | 14 +- - kernel/ucount.c | 120 +++++++++++-- - kernel/user.c | 3 - - kernel/user_namespace.c | 9 +- - mm/memfd.c | 5 +- - mm/mlock.c | 35 ++-- - mm/mmap.c | 4 +- - mm/shmem.c | 8 +- - tools/testing/selftests/Makefile | 1 + - tools/testing/selftests/rlimits/.gitignore | 2 + - tools/testing/selftests/rlimits/Makefile | 6 + - tools/testing/selftests/rlimits/config | 1 + - .../selftests/rlimits/rlimits-per-userns.c | 161 ++++++++++++++++++ - 32 files changed, 495 insertions(+), 155 deletions(-) - create mode 100644 tools/testing/selftests/rlimits/.gitignore - create mode 100644 tools/testing/selftests/rlimits/Makefile - create mode 100644 tools/testing/selftests/rlimits/config - create mode 100644 tools/testing/selftests/rlimits/rlimits-per-userns.c - --- -2.29.2 diff --git a/a/2.hdr b/a/2.hdr deleted file mode 100644 index 4a9e68a..0000000 --- a/a/2.hdr +++ /dev/null @@ -1,4 +0,0 @@ -Content-Type: message/rfc822; x-spam-type=original -Content-Description: original message before SpamAssassin -Content-Disposition: inline -Content-Transfer-Encoding: 8bit diff --git a/a/3.hdr b/a/3.hdr deleted file mode 100644 index 4b86001..0000000 --- a/a/3.hdr +++ /dev/null @@ -1,4 +0,0 @@ -Content-Type: text/plain; charset="us-ascii" -MIME-Version: 1.0 -Content-Transfer-Encoding: 7bit -Content-Disposition: inline diff --git a/a/3.txt b/a/3.txt deleted file mode 100644 index d03e370..0000000 --- a/a/3.txt +++ /dev/null @@ -1,4 +0,0 @@ -_______________________________________________ -Containers mailing list -Containers@lists.linux-foundation.org -https://lists.linuxfoundation.org/mailman/listinfo/containers diff --git a/a/content_digest b/N1/content_digest index c42f712..f435e92 100644 --- a/a/content_digest +++ b/N1/content_digest @@ -6,218 +6,16 @@ Kernel Hardening <kernel-hardening@lists.openwall.com> Linux Containers <containers@lists.linux-foundation.org> " linux-mm@kvack.org\0" - "Cc\0Jens Axboe <axboe@kernel.dk>" - Kees Cook <keescook@chromium.org> + "Cc\0Alexey Gladkov <legion@kernel.org>" + Andrew Morton <akpm@linux-foundation.org> + Christian Brauner <christian.brauner@ubuntu.com> + Eric W . Biederman <ebiederm@xmission.com> Jann Horn <jannh@google.com> + Jens Axboe <axboe@kernel.dk> + Kees Cook <keescook@chromium.org> Linus Torvalds <torvalds@linux-foundation.org> - Oleg Nesterov <oleg@redhat.com> - Eric W . Biederman <ebiederm@xmission.com> - Andrew Morton <akpm@linux-foundation.org> - " Alexey Gladkov <legion@kernel.org>\0" - "\01:1\0" - "b\0" - "Spam detection software, running on the system \"smtp3.osuosl.org\",\n" - "has identified this incoming email as possible spam. The original\n" - "message has been attached to this so you can view it or label\n" - "similar future email. If you have any questions, see\n" - "the administrator of that system for details.\n" - "\n" - "Content preview: Preface ------- These patches are for binding the rlimit counters\n" - " to a user in user namespace. This patch set can be applied on top of: git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git\n" - " v5.11 \n" - "\n" - "Content analysis details: (5.2 points, 5.0 required)\n" - "\n" - " pts rule name description\n" - "---- ---------------------- --------------------------------------------------\n" - " 0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60%\n" - " [score: 0.4674]\n" - " 1.0 FORGED_GMAIL_RCVD 'From' gmail.com does not match 'Received'\n" - " headers\n" - " 0.7 SPF_SOFTFAIL SPF: sender does not match SPF record (softfail)\n" - " 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail\n" - " provider (gladkov.alexey[at]gmail.com)\n" - " 0.0 DKIM_ADSP_CUSTOM_MED No valid author signature, adsp_override is\n" - " CUSTOM_MED\n" - " 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record\n" - " 0.9 NML_ADSP_CUSTOM_MED ADSP custom_med hit, and not from a mailing\n" - " list\n" - " 1.9 SPOOFED_FREEMAIL No description available.\n" - 0.0 SPOOF_GMAIL_MID From Gmail but it doesn't seem to be... - "\01:2\0" - "d\0original message before SpamAssassin\0" - "b\0" - "Return-Path: <gladkov.alexey@gmail.com>\n" - "X-Greylist: from auto-whitelisted by SQLgrey-1.8.0\n" - "Received: from raptor.unsafe.ru (raptor.unsafe.ru [5.9.43.93])\n" - "\tby smtp3.osuosl.org (Postfix) with ESMTP id 0061B6F491\n" - "\tfor <containers@lists.linux-foundation.org>; Mon, 15 Feb 2021 12:42:43 +0000 (UTC)\n" - "Received: from comp-core-i7-2640m-0182e6.redhat.com (ip-94-113-225-162.net.upcbroadband.cz [94.113.225.162])\n" - "\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))\n" - "\t(No client certificate requested)\n" - "\tby raptor.unsafe.ru (Postfix) with ESMTPSA id 255A020460;\n" - "\tMon, 15 Feb 2021 12:42:23 +0000 (UTC)\n" - "From: Alexey Gladkov <gladkov.alexey@gmail.com>\n" - "To: LKML <linux-kernel@vger.kernel.org>,\n" - "\tio-uring@vger.kernel.org,\n" - "\tKernel Hardening <kernel-hardening@lists.openwall.com>,\n" - "\tLinux Containers <containers@lists.linux-foundation.org>,\n" - "\tlinux-mm@kvack.org\n" - "Cc: Alexey Gladkov <legion@kernel.org>,\n" - "\tAndrew Morton <akpm@linux-foundation.org>,\n" - "\tChristian Brauner <christian.brauner@ubuntu.com>,\n" - "\t\"Eric W . Biederman\" <ebiederm@xmission.com>,\n" - "\tJann Horn <jannh@google.com>,\n" - "\tJens Axboe <axboe@kernel.dk>,\n" - "\tKees Cook <keescook@chromium.org>,\n" - "\tLinus Torvalds <torvalds@linux-foundation.org>,\n" - "\tOleg Nesterov <oleg@redhat.com>\n" - "Subject: [PATCH v6 0/7] Count rlimits in each user namespace\n" - "Date: Mon, 15 Feb 2021 13:41:07 +0100\n" - "Message-Id: <cover.1613392826.git.gladkov.alexey@gmail.com>\n" - "X-Mailer: git-send-email 2.29.2\n" - "MIME-Version: 1.0\n" - "Content-Transfer-Encoding: 8bit\n" - "X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.6.1 (raptor.unsafe.ru [5.9.43.93]); Mon, 15 Feb 2021 12:42:40 +0000 (UTC)\n" - "\n" - "Preface\n" - "-------\n" - "These patches are for binding the rlimit counters to a user in user namespace.\n" - "This patch set can be applied on top of:\n" - "\n" - "git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git v5.11\n" - "\n" - "Problem\n" - "-------\n" - "The RLIMIT_NPROC, RLIMIT_MEMLOCK, RLIMIT_SIGPENDING, RLIMIT_MSGQUEUE rlimits\n" - "implementation places the counters in user_struct [1]. These limits are global\n" - "between processes and persists for the lifetime of the process, even if\n" - "processes are in different user namespaces.\n" - "\n" - "To illustrate the impact of rlimits, let's say there is a program that does not\n" - "fork. Some service-A wants to run this program as user X in multiple containers.\n" - "Since the program never fork the service wants to set RLIMIT_NPROC=1.\n" - "\n" - "service-A\n" - " \\- program (uid=1000, container1, rlimit_nproc=1)\n" - " \\- program (uid=1000, container2, rlimit_nproc=1)\n" - "\n" - "The service-A sets RLIMIT_NPROC=1 and runs the program in container1. When the\n" - "service-A tries to run a program with RLIMIT_NPROC=1 in container2 it fails\n" - "since user X already has one running process.\n" - "\n" - "The problem is not that the limit from container1 affects container2. The\n" - "problem is that limit is verified against the global counter that reflects\n" - "the number of processes in all containers.\n" - "\n" - "This problem can be worked around by using different users for each container\n" - "but in this case we face a different problem of uid mapping when transferring\n" - "files from one container to another.\n" - "\n" - "Eric W. Biederman mentioned this issue [2][3].\n" - "\n" - "Introduced changes\n" - "------------------\n" - "To address the problem, we bind rlimit counters to user namespace. Each counter\n" - "reflects the number of processes in a given uid in a given user namespace. The\n" - "result is a tree of rlimit counters with the biggest value at the root (aka\n" - "init_user_ns). The limit is considered exceeded if it's exceeded up in the tree.\n" - "\n" - "[1] https://lore.kernel.org/containers/87imd2incs.fsf@x220.int.ebiederm.org/\n" - "[2] https://lists.linuxfoundation.org/pipermail/containers/2020-August/042096.html\n" - "[3] https://lists.linuxfoundation.org/pipermail/containers/2020-October/042524.html\n" - "\n" - "Changelog\n" - "---------\n" - "v6:\n" - "* Fixed issues found by lkp-tests project.\n" - "* Rebased onto v5.11.\n" - "\n" - "v5:\n" - "* Split the first commit into two commits: change ucounts.count type to atomic_long_t\n" - " and add ucounts to cred. These commits were merged by mistake during the rebase.\n" - "* The __get_ucounts() renamed to alloc_ucounts().\n" - "* The cred.ucounts update has been moved from commit_creds() as it did not allow\n" - " to handle errors.\n" - "* Added error handling of set_cred_ucounts().\n" - "\n" - "v4:\n" - "* Reverted the type change of ucounts.count to refcount_t.\n" - "* Fixed typo in the kernel/cred.c\n" - "\n" - "v3:\n" - "* Added get_ucounts() function to increase the reference count. The existing\n" - " get_counts() function renamed to __get_ucounts().\n" - "* The type of ucounts.count changed from atomic_t to refcount_t.\n" - "* Dropped 'const' from set_cred_ucounts() arguments.\n" - "* Fixed a bug with freeing the cred structure after calling cred_alloc_blank().\n" - "* Commit messages have been updated.\n" - "* Added selftest.\n" - "\n" - "v2:\n" - "* RLIMIT_MEMLOCK, RLIMIT_SIGPENDING and RLIMIT_MSGQUEUE are migrated to ucounts.\n" - "* Added ucounts for pair uid and user namespace into cred.\n" - "* Added the ability to increase ucount by more than 1.\n" - "\n" - "v1:\n" - "* After discussion with Eric W. Biederman, I increased the size of ucounts to\n" - " atomic_long_t.\n" - "* Added ucount_max to avoid the fork bomb.\n" - "\n" - "--\n" - "\n" - "Alexey Gladkov (7):\n" - " Increase size of ucounts to atomic_long_t\n" - " Add a reference to ucounts for each cred\n" - " Reimplement RLIMIT_NPROC on top of ucounts\n" - " Reimplement RLIMIT_MSGQUEUE on top of ucounts\n" - " Reimplement RLIMIT_SIGPENDING on top of ucounts\n" - " Reimplement RLIMIT_MEMLOCK on top of ucounts\n" - " kselftests: Add test to check for rlimit changes in different user\n" - " namespaces\n" - "\n" - " fs/exec.c | 6 +-\n" - " fs/hugetlbfs/inode.c | 16 +-\n" - " fs/io-wq.c | 22 ++-\n" - " fs/io-wq.h | 2 +-\n" - " fs/io_uring.c | 2 +-\n" - " fs/proc/array.c | 2 +-\n" - " include/linux/cred.h | 4 +\n" - " include/linux/hugetlb.h | 4 +-\n" - " include/linux/mm.h | 4 +-\n" - " include/linux/sched/user.h | 7 -\n" - " include/linux/shmem_fs.h | 2 +-\n" - " include/linux/signal_types.h | 4 +-\n" - " include/linux/user_namespace.h | 24 ++-\n" - " ipc/mqueue.c | 29 ++--\n" - " ipc/shm.c | 30 ++--\n" - " kernel/cred.c | 50 +++++-\n" - " kernel/exit.c | 2 +-\n" - " kernel/fork.c | 18 +-\n" - " kernel/signal.c | 53 +++---\n" - " kernel/sys.c | 14 +-\n" - " kernel/ucount.c | 120 +++++++++++--\n" - " kernel/user.c | 3 -\n" - " kernel/user_namespace.c | 9 +-\n" - " mm/memfd.c | 5 +-\n" - " mm/mlock.c | 35 ++--\n" - " mm/mmap.c | 4 +-\n" - " mm/shmem.c | 8 +-\n" - " tools/testing/selftests/Makefile | 1 +\n" - " tools/testing/selftests/rlimits/.gitignore | 2 +\n" - " tools/testing/selftests/rlimits/Makefile | 6 +\n" - " tools/testing/selftests/rlimits/config | 1 +\n" - " .../selftests/rlimits/rlimits-per-userns.c | 161 ++++++++++++++++++\n" - " 32 files changed, 495 insertions(+), 155 deletions(-)\n" - " create mode 100644 tools/testing/selftests/rlimits/.gitignore\n" - " create mode 100644 tools/testing/selftests/rlimits/Makefile\n" - " create mode 100644 tools/testing/selftests/rlimits/config\n" - " create mode 100644 tools/testing/selftests/rlimits/rlimits-per-userns.c\n" - "\n" - "-- \n" - "2.29.2\n" - "\n" - "\02:2.1\0" + " Oleg Nesterov <oleg@redhat.com>\0" + "\00:1\0" "b\0" "Preface\n" "-------\n" @@ -355,11 +153,5 @@ "\n" "-- \n" 2.29.2 - "\01:3\0" - "b\0" - "_______________________________________________\n" - "Containers mailing list\n" - "Containers@lists.linux-foundation.org\n" - https://lists.linuxfoundation.org/mailman/listinfo/containers -081ab5f764a0cd76689d75cb4ea27398d23668a8adc1ec9a95b4cec4c7e99e2c +99ee474eee90d0b5d7845b233de12e06988af7514ca7e93bd6cb3bfd9f57c983
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.