From: Lord Glauber Costa of Sealand <glommer-bzQdu9zFT3WakBO8gow8eQ@public.gmane.org>
To: "Eric W. Biederman" <ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
Cc: linux-fsdevel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
Linux Containers
<containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org>,
linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
Subject: Re: [PATCH review 3/6] userns: Recommend use of memory control groups.
Date: Mon, 28 Jan 2013 11:50:00 +0400 [thread overview]
Message-ID: <51062DA8.1060804@parallels.com> (raw)
In-Reply-To: <51062AB5.9060203-bzQdu9zFT3WakBO8gow8eQ@public.gmane.org>
On 01/28/2013 11:37 AM, Lord Glauber Costa of Sealand wrote:
> On 01/26/2013 06:22 AM, Eric W. Biederman wrote:
>>
>> In the help text describing user namespaces recommend use of memory
>> control groups. In many cases memory control groups are the only
>> mechanism there is to limit how much memory a user who can create
>> user namespaces can use.
>>
>> Signed-off-by: "Eric W. Biederman" <ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
>> ---
>> Documentation/namespaces/resource-control.txt | 10 ++++++++++
>> init/Kconfig | 7 +++++++
>> 2 files changed, 17 insertions(+), 0 deletions(-)
>> create mode 100644 Documentation/namespaces/resource-control.txt
>>
>> diff --git a/Documentation/namespaces/resource-control.txt b/Documentation/namespaces/resource-control.txt
>> new file mode 100644
>> index 0000000..3d8178a
>> --- /dev/null
>> +++ b/Documentation/namespaces/resource-control.txt
>> @@ -0,0 +1,10 @@
>> +There are a lot of kinds of objects in the kernel that don't have
>> +individual limits or that have limits that are ineffective when a set
>> +of processes is allowed to switch user ids. With user namespaces
>> +enabled in a kernel for people who don't trust their users or their
>> +users programs to play nice this problems becomes more acute.
>> +
>> +Therefore it is recommended that memory control groups be enabled in
>> +kernels that enable user namespaces, and it is further recommended
>> +that userspace configure memory control groups to limit how much
>> +memory users they don't trust to play nice can use.
>> diff --git a/init/Kconfig b/init/Kconfig
>> index 7d30240..c8c58bd 100644
>> --- a/init/Kconfig
>> +++ b/init/Kconfig
>> @@ -1035,6 +1035,13 @@ config USER_NS
>> help
>> This allows containers, i.e. vservers, to use user namespaces
>> to provide different user info for different servers.
>> +
>> + When user namespaces are enabled in the kernel it is
>> + recommended that the MEMCG and MEMCG_KMEM options also be
>> + enabled and that user-space use the memory control groups to
>> + limit the amount of memory a memory unprivileged users can
>> + use.
>> +
>> If unsure, say N.
>
> Since this becomes an official recommendation that people will likely
> follow, are we really that much concerned about the types of abuses the
> MEMCG_KMEM will prevent? Those are mostly metadata-based abuses users
> could do in their own local disks without mounting anything extra (and
> things that look like that)
>
> Unless there is a specific concern here, shouldn't we say "... that the
> MEMCG (and possibly MEMCG_KMEM) options..." ?
>
>
I just saw in a later patch of yours that your concern here seems not
limited to backed ram by tmpfs, but with things like the internal
structures for userns , to avoid patterns in the form: 'for (;;)
unshare(...)'
Humm, it does seem sensible. The kernel memory controller aims to
prevent exactly things like that. But they all exist already before
userns: there are destructive patterns like that with sockets, dentries,
processes, and pretty much every other resource in the kernel. So
Although the recommendation per-se makes sense, I am wondering if it is
worth it to mention anything in the user_ns config?
next prev parent reply other threads:[~2013-01-28 7:50 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-01-26 2:15 [PATCH review 0/6] miscelaneous user namespace patches Eric W. Biederman
[not found] ` <87ehh8it9s.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2013-01-26 2:19 ` [PATCH review 1/6] userns: Avoid recursion in put_user_ns Eric W. Biederman
2013-01-26 20:58 ` Serge E. Hallyn
[not found] ` <877gn0it3t.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2013-01-28 14:51 ` Vasily Kulikov
2013-01-28 16:34 ` Eric W. Biederman
2013-01-26 2:21 ` [PATCH review 2/6] userns: Allow any uid or gid mappings that don't overlap Eric W. Biederman
[not found] ` <87zjzwhegj.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2013-01-26 21:08 ` Serge E. Hallyn
2013-01-28 14:28 ` Aristeu Rozanski
2013-01-28 14:41 ` Lord Glauber Costa of Sealand
[not found] ` <51068E23.5040000-bzQdu9zFT3WakBO8gow8eQ@public.gmane.org>
2013-01-28 15:12 ` Aristeu Rozanski
2013-01-26 2:22 ` [PATCH review 3/6] userns: Recommend use of memory control groups Eric W. Biederman
[not found] ` <87txq4hedl.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2013-01-26 21:13 ` Serge E. Hallyn
[not found] ` <20130126211312.GD11274-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2013-01-27 6:19 ` Eric W. Biederman
2013-01-28 7:37 ` Lord Glauber Costa of Sealand
[not found] ` <51062AB5.9060203-bzQdu9zFT3WakBO8gow8eQ@public.gmane.org>
2013-01-28 7:50 ` Lord Glauber Costa of Sealand [this message]
2013-01-28 8:14 ` Eric W. Biederman
[not found] ` <87k3qxu3kp.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2013-01-28 8:22 ` Lord Glauber Costa of Sealand
[not found] ` <51063558.1010402-bzQdu9zFT3WakBO8gow8eQ@public.gmane.org>
2013-01-28 16:19 ` Eric W. Biederman
[not found] ` <87k3qxs2ko.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2013-01-28 16:37 ` Lord Glauber Costa of Sealand
2013-01-28 17:18 ` Eric W. Biederman
2013-01-28 8:05 ` Eric W. Biederman
2013-01-26 2:23 ` [PATCH review 4/6] userns: Allow the userns root to mount of devpts Eric W. Biederman
[not found] ` <87obgchecv.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2013-01-26 21:22 ` Serge E. Hallyn
2013-01-26 2:26 ` [PATCH review 5/6] userns: Allow the userns root to mount ramfs Eric W. Biederman
[not found] ` <87ip6khe7w.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2013-01-26 21:29 ` Serge E. Hallyn
[not found] ` <20130126212918.GG11274-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2013-01-27 6:09 ` Eric W. Biederman
[not found] ` <87bocb5f8a.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2013-01-27 18:23 ` Serge E. Hallyn
2013-01-27 18:23 ` Serge E. Hallyn
2013-01-26 2:26 ` [PATCH review 6/6] userns: Allow the userns root to mount tmpfs Eric W. Biederman
[not found] ` <87d2wshe6v.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2013-01-27 18:23 ` Serge E. Hallyn
2013-01-28 1:28 ` Gao feng
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=51062DA8.1060804@parallels.com \
--to=glommer-bzqdu9zft3wakbo8gow8eq@public.gmane.org \
--cc=containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org \
--cc=ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org \
--cc=linux-fsdevel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).