From: ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org (Eric W. Biederman)
To: Kenton Varda <kenton-AuYgBwuPrUQTaNkGU808tA@public.gmane.org>
Cc: gnome-os-list-rDKQcyrBJuzYtjvyW6yDsg@public.gmane.org,
Linux Containers
<containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org>,
"linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org"
<linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
Andy Lutomirski <luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org>,
mclasen-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org,
Linux FS Devel
<linux-fsdevel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>
Subject: Re: [PATCH] devpts: Add ptmx_uid and ptmx_gid options
Date: Thu, 28 May 2015 16:50:37 -0500 [thread overview]
Message-ID: <87oal4e5hu.fsf@x220.int.ebiederm.org> (raw)
In-Reply-To: <CAOP=4wggpXOC4qLWgNAdw7Ws4vtYR=hscNYzDCfby+-VUxhoQg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org> (Kenton Varda's message of "Thu, 28 May 2015 13:17:30 -0700")
Kenton Varda <kenton-AuYgBwuPrUQTaNkGU808tA@public.gmane.org> writes:
> On Thu, May 28, 2015 at 1:06 PM, Alexander Larsson <alexl-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org> wrote:
>> On Thu, 2015-05-28 at 12:14 -0500, Eric W. Biederman wrote:
>>>
>>> > Where does the second namespace enter into this?
>>>
>>> Step a. Create create a user namespace where uid 0 is mapped to your
>>> real uid, and set up your sandbox (aka mount /dev/pts and everything
>>> else).
>>>
>>> Step b. Create a nested user namespace where your uid is identity
>>> mapped and run your desktop application. You can even drop all caps
>>> in
>>> your namespace.
>>
>> Just tried this. Its not the nicest, and it doubles the number of
>> namespaces in action for each sandbox, but it does work.
>
> How much overhead is involved in each user namespace?
sizeof(struct user_namespace).
> Is there any system-wide limit on total namespaces, other than RAM?
There is a system-wide maximum depth, but not count.
> Is there
> (non-negligible) CPU overhead for each syscall seeking permissions in
> the namespace?
ns_capable(ns, X) in some cases can walk up the from a starting user
namespace to the initial user. (The only non-constant operation I am
aware of). However unless the user namespace depth is deep it should
still take a negligible amount of time.
Eric
next prev parent reply other threads:[~2015-05-28 21:50 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-02-21 1:04 [PATCH] devpts: Add ptmx_uid and ptmx_gid options Andy Lutomirski
[not found] ` <b321c0c2729d1c2a72aea319b077dce7afd79698.1424480579.git.luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org>
2015-03-26 19:29 ` Andy Lutomirski
[not found] ` <CALCETrVtGE8LdBCFTe1_cqpLf=SxPNX5iCe5wa-hZ0pe8ps_jA@mail.gmail.com>
[not found] ` <CALCETrVtGE8LdBCFTe1_cqpLf=SxPNX5iCe5wa-hZ0pe8ps_jA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2015-03-27 9:03 ` James Bottomley
[not found] ` <1427447013.2250.9.camel-d9PhHud1JfjCXq6kfMZ53/egYHeGw8Jk@public.gmane.org>
2015-03-31 7:57 ` Alexander Larsson
[not found] ` <1427788642.4411.12.camel@redhat.com>
[not found] ` <1427788642.4411.12.camel-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2015-03-31 13:06 ` Andy Lutomirski
2015-03-31 13:07 ` James Bottomley
[not found] ` <1427807248.2117.117.camel-d9PhHud1JfjCXq6kfMZ53/egYHeGw8Jk@public.gmane.org>
2015-03-31 13:11 ` Alexander Larsson
2015-03-31 13:12 ` Andy Lutomirski
[not found] ` <CALCETrWKA4ZdHfdLuW0_W5xxJOSCJdt_fiRWs6vDk+8ZQ9n9iA@mail.gmail.com>
[not found] ` <CALCETrWKA4ZdHfdLuW0_W5xxJOSCJdt_fiRWs6vDk+8ZQ9n9iA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2015-03-31 13:23 ` James Bottomley
[not found] ` <1427808184.2117.122.camel-d9PhHud1JfjCXq6kfMZ53/egYHeGw8Jk@public.gmane.org>
2015-03-31 13:44 ` Andy Lutomirski
[not found] ` <CALCETrW8v1NFa7fcJbyJKXk9Msudht5BJ7Zy1Rg7ZC_TS-2Y-Q@mail.gmail.com>
[not found] ` <CALCETrW8v1NFa7fcJbyJKXk9Msudht5BJ7Zy1Rg7ZC_TS-2Y-Q-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2015-03-31 13:55 ` James Bottomley
[not found] ` <1427810118.2117.126.camel@HansenPartnership.com>
[not found] ` <1427810118.2117.126.camel-d9PhHud1JfjCXq6kfMZ53/egYHeGw8Jk@public.gmane.org>
2015-03-31 13:59 ` Andy Lutomirski
[not found] ` <CALCETrU1vKf3fXPt8nS-ABDgfp8NxrFjHwTc68rA0rtvg2Lufg@mail.gmail.com>
[not found] ` <CALCETrU1vKf3fXPt8nS-ABDgfp8NxrFjHwTc68rA0rtvg2Lufg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2015-03-31 14:08 ` James Bottomley
[not found] ` <1427810886.2117.129.camel-d9PhHud1JfjCXq6kfMZ53/egYHeGw8Jk@public.gmane.org>
2015-03-31 14:17 ` Alexander Larsson
[not found] ` <1427811444.4411.20.camel@redhat.com>
[not found] ` <1427811444.4411.20.camel-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2015-04-02 10:12 ` James Bottomley
[not found] ` <1427969525.3559.120.camel-d9PhHud1JfjCXq6kfMZ53/egYHeGw8Jk@public.gmane.org>
2015-04-02 14:06 ` Andy Lutomirski
[not found] ` <CALCETrWyUYgHY53O451AdJUs9Mcjsqmr4fUzoNmYsTP1HLq+VA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2015-04-02 14:29 ` Alexander Larsson
[not found] ` <1427984969.13651.11.camel@redhat.com>
[not found] ` <1427984969.13651.11.camel-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2015-04-02 14:33 ` Andy Lutomirski
[not found] ` <CALCETrWYit+WiAM6DFm0enGeJN==uWNC63zXp_zRSsSJg2YGPg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2015-04-02 15:49 ` Serge Hallyn
2015-04-02 18:27 ` Eric W. Biederman
[not found] ` <87zj6qs7v8.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2015-05-27 21:32 ` Andy Lutomirski
[not found] ` <CALCETrVGcCA2SMiDT8JN=AWiSFCXWSaMeKBQmkbKynKfiPJCwA@mail.gmail.com>
[not found] ` <CALCETrVGcCA2SMiDT8JN=AWiSFCXWSaMeKBQmkbKynKfiPJCwA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2015-05-28 16:44 ` Eric W. Biederman
[not found] ` <87oal4odne.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2015-05-28 17:01 ` Alexander Larsson
[not found] ` <1432832511.21304.6.camel@redhat.com>
[not found] ` <1432832511.21304.6.camel-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2015-05-28 17:14 ` Eric W. Biederman
[not found] ` <87mw0omxp0.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2015-05-28 17:35 ` Alexander Larsson
2015-05-28 20:06 ` Alexander Larsson
[not found] ` <1432843577.9873.1.camel@redhat.com>
[not found] ` <1432843577.9873.1.camel-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2015-05-28 20:17 ` Kenton Varda
[not found] ` <CAOP=4wggpXOC4qLWgNAdw7Ws4vtYR=hscNYzDCfby+-VUxhoQg@mail.gmail.com>
[not found] ` <CAOP=4wggpXOC4qLWgNAdw7Ws4vtYR=hscNYzDCfby+-VUxhoQg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2015-05-28 21:50 ` Eric W. Biederman [this message]
2015-05-28 17:30 ` Andy Lutomirski
[not found] ` <CALCETrUueGomqFG0DSpt5Ern-XW6DE+rAEkd=3Y2ekV+gOwLAA@mail.gmail.com>
[not found] ` <CALCETrUueGomqFG0DSpt5Ern-XW6DE+rAEkd=3Y2ekV+gOwLAA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2015-05-28 19:42 ` Eric W. Biederman
[not found] ` <87siagh4kh.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2016-03-08 4:59 ` Andy Lutomirski
[not found] ` <CALCETrXNyyG-LZ8ds5ALbWs_Tfonev4+Ci=XZwWFqsSeszes8g-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-03-08 9:16 ` Alexander Larsson
[not found] ` <1457428591.27353.55.camel@redhat.com>
[not found] ` <1457428591.27353.55.camel-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2016-03-08 18:17 ` Andy Lutomirski
2015-05-18 21:04 ` Alexander Larsson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87oal4e5hu.fsf@x220.int.ebiederm.org \
--to=ebiederm-as9lmozglivwk0htik3j/w@public.gmane.org \
--cc=containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org \
--cc=gnome-os-list-rDKQcyrBJuzYtjvyW6yDsg@public.gmane.org \
--cc=kenton-AuYgBwuPrUQTaNkGU808tA@public.gmane.org \
--cc=linux-fsdevel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org \
--cc=mclasen-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox