[PATCH 0/10] userns: sysctl limits for namespaces

Kees Cook keescook at chromium.org
Wed Jul 20 04:02:48 UTC 2016 

On Tue, Jul 19, 2016 at 6:13 PM, Eric W. Biederman
<ebiederm at xmission.com> wrote:
>
> This patchset addresses two use cases:
> - Implement a sane upper bound on the number of namespaces.
> - Provide a way for sandboxes to limit the attack surface from
>   namespaces.
>
> The maximum sane case I can imagine is if every process is a fat
> process, so I set the maximum number of namespaces to the maximum
> number of threads.
>
> I make these limits recursive and per user namespace so that a
> usernamespace root can reduce the limits further.  If a user namespace
> root raises the limit the limit in the parent namespace will be honored.
>
> I have cut this implementation to the bare minimum needed to achieve
> these objections.
>
> Assuming nothing problematic shows up in the review I will add these to
> my user namespace tree.

This looks great; thank you! I think the design is effective. One
thought that pops to mind is how does an admin query the current
number of active namespaces of a given type? (It's likely this is
already exposed somewhere and I just don't know where to look...)

-Kees

>
> These patches are also available at:
>     git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace.git for-testing
>
> Eric W. Biederman (10):
>       sysctl: Stop implicitly passing current into sysctl_table_root.lookup
>       userns: Add per user namespace sysctls.
>       userns: Add a limit on the number of user namespaces
>       userns: Generalize the user namespace count into ucount
>       pidns: Add a limit on the number of pid namespaces
>       utsns: Add a limit on the number of uts namespaces
>       ipcns: Add a  limit on the number of ipc namespaces
>       cgroupns: Add a limit on the number of cgroup namespaces
>       netns: Add a limit on the number of net namespaces
>       mntns: Add a limit on the number of mount namespaces.
>
>  fs/namespace.c                 |  19 ++++-
>  fs/proc/proc_sysctl.c          |  14 ++--
>  include/linux/sysctl.h         |   3 +-
>  include/linux/user_namespace.h |  40 +++++++++
>  ipc/namespace.c                |  42 +++++++---
>  kernel/cgroup.c                |  15 ++++
>  kernel/fork.c                  |   5 ++
>  kernel/pid_namespace.c         |  22 ++++-
>  kernel/user_namespace.c        | 184 ++++++++++++++++++++++++++++++++++++++---
>  kernel/utsname.c               |  31 +++++--
>  net/core/net_namespace.c       |  15 ++++
>  net/sysctl_net.c               |   4 +-
>  12 files changed, 351 insertions(+), 43 deletions(-)
>
> Eric



-- 
Kees Cook
Chrome OS & Brillo Security

More information about the Containers mailing list