From: ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org (Eric W. Biederman)
Subject: Re: [PATCH] devpts: Add ptmx_uid and ptmx_gid options
Date: Thu, 28 May 2015 16:50:37 -0500
Message-ID: <87oal4e5hu.fsf@x220.int.ebiederm.org>
References: <1427788642.4411.12.camel@redhat.com> <1427807248.2117.117.camel@HansenPartnership.com> <1427808184.2117.122.camel@HansenPartnership.com> <1427810118.2117.126.camel@HansenPartnership.com> <1427810886.2117.129.camel@HansenPartnership.com> <1427811444.4411.20.camel@redhat.com> <1427969525.3559.120.camel@HansenPartnership.com> <1427984969.13651.11.camel@redhat.com> <87zj6qs7v8.fsf@x220.int.ebiederm.org> <87oal4odne.fsf@x220.int.ebiederm.org> <1432832511.21304.6.camel@redhat.com> <87mw0omxp0.fsf@x220.int.ebiederm.org> <1432843577.9873.1.camel@redhat.com>
In-Reply-To: (Kenton Varda's message of "Thu, 28 May 2015 13:17:30 -0700")
To: Kenton Varda
Cc: gnome-os-list-rDKQcyrBJuzYtjvyW6yDsg@public.gmane.org, Linux Containers, "linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org", Andy Lutomirski, mclasen-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org, Linux FS Devel
List-Id: containers.vger.kernel.org

Kenton Varda writes:

> On Thu, May 28, 2015 at 1:06 PM, Alexander Larsson wrote:
>> On Thu, 2015-05-28 at 12:14 -0500, Eric W. Biederman wrote:
>>>
>>> > Where does the second namespace enter into this?
>>>
>>> Step a. Create a user namespace where uid 0 is mapped to your
>>> real uid, and set up your sandbox (aka mount /dev/pts and everything
>>> else).
>>>
>>> Step b. Create a nested user namespace where your uid is identity
>>> mapped and run your desktop application. You can even drop all caps
>>> in your namespace.
>>
>> Just tried this. It's not the nicest, and it doubles the number of
>> namespaces in action for each sandbox, but it does work.
>
> How much overhead is involved in each user namespace?

sizeof(struct user_namespace).

> Is there any system-wide limit on total namespaces, other than RAM?

There is a system-wide maximum depth, but not count.

> Is there (non-negligible) CPU overhead for each syscall seeking
> permissions in the namespace?

ns_capable(ns, X) in some cases can walk up from a starting user namespace
to the initial user namespace. (The only non-constant operation I am aware
of.) However, unless the user namespace depth is deep it should still take
a negligible amount of time.

Eric
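The two-step sandbox from the quoted steps a and b, as an added C example that is not part of this thread or of the kernel tree: step a maps uid 0 of a fresh user namespace onto the real uid, step b nests an identity-mapped user namespace and drops every capability. It assumes a Linux host with /proc mounted; the helper names (write_proc, enter_userns, drop_all_caps, two_step_sandbox) are my own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
/* Write one line to a /proc/self map file; returns 0 or -errno. */
static int write_proc(const char *path, const char *line) {
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -errno;
    int err = write(fd, line, strlen(line)) < 0 ? -errno : 0;
    close(fd);
    return err;
}
/* unshare() a user namespace mapping inside ids onto the caller's current ids:
 * (0, 0) is step a, (getuid(), getgid()) is the identity map of step b. */
static int enter_userns(uid_t inside_uid, gid_t inside_gid) {
    char umap[48], gmap[48];   /* "<inside> <outside> 1\n", captured before unshare() */
    snprintf(umap, sizeof umap, "%u %u 1\n", inside_uid, getuid());
    snprintf(gmap, sizeof gmap, "%u %u 1\n", inside_gid, getgid());
    if (unshare(CLONE_NEWUSER) < 0) return -errno;
    /* an unprivileged gid_map write is only allowed once setgroups is denied */
    int r = write_proc("/proc/self/setgroups", "deny");
    if (r == 0) r = write_proc("/proc/self/gid_map", gmap);
    return r == 0 ? write_proc("/proc/self/uid_map", umap) : r;
}
/* Raw capset() with empty sets drops every capability in the current namespace;
 * the layout mirrors linux/capability.h (v3 = 0x20080522, two u32 words). */
static int drop_all_caps(void) {
    struct { unsigned version, pid; } hdr = { 0x20080522u, 0 };
    unsigned data[2][3] = { { 0 } };   /* effective, permitted, inheritable */
    return syscall(SYS_capset, &hdr, data) < 0 ? -errno : 0;
}
/* Runs steps a and b in a forked child so the caller's namespaces stay intact.
 * Returns 0 or -errno; -EPERM is typical when the host forbids unprivileged
 * user namespaces (sysctl or seccomp). */
int two_step_sandbox(void) {
    pid_t pid = fork();
    if (pid < 0) return -errno;
    if (pid == 0) {
        int r = enter_userns(0, 0);                        /* step a: uid 0 == real uid */
        if (r == 0 && getuid() != 0) r = -EIO;             /* map did not take effect */
        /* a real sandbox would mount /dev/pts etc. here, as uid 0 of this namespace */
        if (r == 0) r = enter_userns(getuid(), getgid()); /* step b: identity map */
        if (r == 0) r = drop_all_caps();
        _exit(r == 0 ? 0 : (-r) & 0xff);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -errno;
    return WIFEXITED(status) ? -WEXITSTATUS(status) : -ECHILD;
}
```

On a host that permits unprivileged user namespaces the function returns 0; any other value names the step that refused, which is the first thing to check when a sandbox "works on my machine" but not on a hardened one.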