Re: [RFC PATCH 0/4 v3] Inotify limits per usernamespace

[ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org (Eric W. Biederman)]

Nikolay Borisov <kernel-6AxghH7DbtA@public.gmane.org> writes:

> Hello Eric, 
>
> Another day, another version...
>
> So this is version 3 of the patches initially posted at [1]. 
> Version 2 can be fount at [2]
>
> So I reworked the way the state for namespaces are created and
> the code is indeed a lot cleaner and easier to understand. I've 
> also moved from using uid and instead always work with kuids. 
> Finally I reworked the hashtable to be a global one and indexed by 
> the kuid value. With this I believe I have adressed all your points 
> in your previous review. 
>
> I still haven't tackled the issue with the semantics of the sysctls. 
> But judging from your last reply about being content with just setting
> the limit at the top-level I believe the way to fix this would be 
> make a custom proc handler that writes to the variable in the 
> current userns. Opinions?

So first let me say thank you for this.  It was a very good starting
point for my thinking on other sysctls.

I have been proceeding on another track I will post in just a minute
that addresses some different sysctls.  Those I know how to pick a
reasonable sanity check limit on a per user system wide basis and not a
per user basis so I don't have any per user limits.   Otherwise it is
pretty much the same case as here.

Please take a look at those patches on how to address creating per user
namespace sysctls.

After those patches settle I will be willing to look at these more.

Eric



> [1] http://thread.gmane.org/gmane.linux.kernel/2232000
> [2] https://lists.linuxfoundation.org/pipermail/containers/2016-June/037019.html
>
> Nikolay Borisov (4):
>   hashtable: Add __HASHTABLE_INITIALIZER
>   misc: Rename the HASH_SIZE macro
>   userns/inotify: Initial implementation of inotify per-userns
>   inotify: Convert to using new userns infrastructure
>
>  fs/logfs/dir.c                           |   6 +-
>  fs/notify/inotify/inotify.h              |   2 +
>  fs/notify/inotify/inotify_fsnotify.c     |  14 +++-
>  fs/notify/inotify/inotify_user.c         | 136 +++++++++++++++++++++++++++----
>  include/linux/fsnotify_backend.h         |   4 +-
>  include/linux/hashtable.h                |   3 +
>  include/linux/sched.h                    |   4 -
>  include/linux/user_namespace.h           |  45 ++++++++++
>  kernel/user_namespace.c                  | 106 +++++++++++++++++++++++-
>  net/ipv6/ip6_gre.c                       |   8 +-
>  net/ipv6/ip6_tunnel.c                    |  10 +--
>  net/ipv6/ip6_vti.c                       |  10 +--
>  net/ipv6/sit.c                           |  10 +--
>  security/keys/encrypted-keys/encrypted.c |  32 ++++----
>  14 files changed, 327 insertions(+), 63 deletions(-)