From: ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org (Eric W. Biederman)
Subject: Re: [PATCH 0/2 v2] userns: show current values of user namespace counters
Date: Thu, 06 Oct 2016 14:33:53 -0500
Message-ID: <87wphlclwe.fsf@x220.int.ebiederm.org>
References: <1471291822-539-1-git-send-email-avagin@openvz.org> <20161006175146.GA25935@outlook.office365.com>
In-Reply-To: <20161006175146.GA25935-1ViLX0X+lBJGNQ1M2rI3KwRV3xvJKrda@public.gmane.org> (Andrei Vagin's message of "Thu, 6 Oct 2016 10:51:47 -0700")
To: Andrei Vagin
Cc: Serge Hallyn, containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org, avagin-GEFAQzZX7r8dnm+yROfE0A@public.gmane.org, Kees Cook, linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
List-Id: containers.vger.kernel.org

Andrei Vagin writes:

> Hello Eric,
>
> What do you think about this series? It should be useful to know current
> usage for user counters.

I am in favor of knowing the values.

Unless there is a good reason not to, we should export the values with a
read-only sysctl. I believe that is what other similar limits do.

As for having per-process knowledge, I think that is probably something we
want to solve for these sysctls as well.

I don't think I saw anyone looking at this code from the perspective of
information leaks. I think we need to ask that question, as similar
interfaces have been problematic from an information leak point of view.

In short, I think what you are trying to do here is valuable; I just want to
make certain we have a maintainable pattern when we export these.

Eric

> Thanks,
> Andrei
>
> On Mon, Aug 15, 2016 at 01:10:20PM -0700, Andrei Vagin wrote:
>> Recently Eric added user namespace counters. User namespace counters are
>> a feature that allows limiting the number of various kernel objects a
>> user can create. These limits are set via /proc/sys/user/ sysctls on a
>> per user namespace basis and are applicable to all users in that
>> namespace.
>>
>> User namespace counters are not in the upstream tree yet;
>> you can find them in Eric's tree:
>> https://git.kernel.org/cgit/linux/kernel/git/ebiederm/user-namespace.git/log/?h=for-testing
>>
>> This patch adds /proc//userns_counts files to provide current usage
>> of user namespace counters.
>>
>> > cat /proc/813/userns_counts
>> user_namespaces 101000 1
>> pid_namespaces 101000 1
>> ipc_namespaces 101000 4
>> net_namespaces 101000 2
>> mnt_namespaces 101000 5
>> mnt_namespaces 100000 1
>>
>> The meanings of the columns are as follows, from left to right:
>>
>> Name   Object name
>> UID    User ID
>> Usage  Current usage
>>
>> The full documentation is in the second patch.
>>
>> v2: - describe this file in Documentation/filesystems/proc.txt
>>     - move and rename into /proc//userns_counts
>>
>> Cc: Serge Hallyn
>> Cc: Kees Cook
>> Cc: "Eric W. Biederman"
>> Signed-off-by: Andrei Vagin
>>
>> Andrei Vagin (1):
>>   kernel: show current values of user namespace counters
>>
>> Kirill Kolyshkin (1):
>>   Documentation: describe /proc//userns_counts
>>
>>  Documentation/filesystems/proc.txt |  30 +++++++++++
>>  fs/proc/array.c                    |  55 ++++++++++++++++++++
>>  fs/proc/base.c                     |   1 +
>>  fs/proc/internal.h                 |   1 +
>>  include/linux/user_namespace.h     |   8 +++
>>  kernel/ucount.c                    | 102 +++++++++++++++++++++++++++++++++++++
>>  6 files changed, 197 insertions(+)
>>
>> --
>> 2.5.5
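The cover letter above describes a three-column text format (object name, UID, current usage) and says the corresponding limits live under /proc/sys/user/. The following is an added example, not code from the patch series or the kernel tree: a small userspace checker that parses that format from constructed sample text, groups usage per UID, and reports counters that are at or near their limit. The limit names follow the max_<counter> convention of the /proc/sys/user sysctls (for example max_user_namespaces); the limit values and the sample counts are constructed for the example, and the optional sysctl reader simply skips any name that is not present on the running kernel.

```python
"""Checker for the userns_counts text format described in the cover letter.

Added example; not part of the kernel patch series. Sample input and limit
values are constructed for illustration.
"""
import os
from collections import defaultdict

# Constructed sample in the cover letter's layout: Name UID Usage.
SAMPLE_COUNTS = """\
user_namespaces 101000 1
pid_namespaces 101000 1
ipc_namespaces 101000 4
net_namespaces 101000 2
mnt_namespaces 101000 5
mnt_namespaces 100000 1
"""

# Constructed limits, keyed the way the /proc/sys/user/max_* sysctls are named.
SAMPLE_LIMITS = {
    "max_user_namespaces": 10,
    "max_pid_namespaces": 10,
    "max_ipc_namespaces": 5,
    "max_net_namespaces": 3,
    "max_mnt_namespaces": 5,
}


def parse_userns_counts(text):
    """Parse 'name uid usage' lines into (name, uid, usage) tuples.

    Blank lines are ignored; any other malformed line raises ValueError so a
    monitoring job fails loudly instead of silently under-reporting.
    """
    rows = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 3 columns, got {len(parts)}")
        name, uid, usage = parts
        rows.append((name, int(uid), int(usage)))
    return rows


def usage_by_uid(rows):
    """Group the parsed rows as {uid: {counter_name: usage}}."""
    grouped = defaultdict(dict)
    for name, uid, usage in rows:
        grouped[uid][name] = grouped[uid].get(name, 0) + usage
    return dict(grouped)


def check_against_limits(rows, limits, threshold=0.8):
    """Return (uid, name, usage, limit) for counters at >= threshold of their limit.

    Counters with no known limit, or a non-positive limit, are skipped.
    """
    findings = []
    for name, uid, usage in rows:
        limit = limits.get("max_" + name)
        if limit is None or limit <= 0:
            continue
        if usage / limit >= threshold:
            findings.append((uid, name, usage, limit))
    return findings


def read_limits_from_sysctl(names, base="/proc/sys/user"):
    """Read max_<name> from the sysctl directory for each name that exists.

    Assumes the /proc/sys/user/max_* layout; names absent on this kernel are
    skipped so the function degrades gracefully.
    """
    limits = {}
    for name in names:
        path = os.path.join(base, "max_" + name)
        try:
            with open(path) as f:
                limits["max_" + name] = int(f.read().strip())
        except (OSError, ValueError):
            continue
    return limits


if __name__ == "__main__":
    rows = parse_userns_counts(SAMPLE_COUNTS)
    for uid, counters in sorted(usage_by_uid(rows).items()):
        print(f"uid {uid}: {counters}")
    for uid, name, usage, limit in check_against_limits(rows, SAMPLE_LIMITS):
        print(f"WARNING uid {uid}: {name} at {usage}/{limit}")
```

Running the script against the constructed sample flags ipc_namespaces (4 of 5) and mnt_namespaces (5 of 5) for UID 101000; the second mnt_namespaces line belongs to UID 100000 and is kept separate, which is the reason the parser keys on the UID column rather than on the object name alone.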