[PATCH 0/10] userns: sysctl limits for namespaces
Eric W. Biederman
ebiederm at xmission.com
Thu Jul 21 14:49:20 UTC 2016
Kees Cook <keescook at chromium.org> writes:
> On Tue, Jul 19, 2016 at 6:13 PM, Eric W. Biederman
> <ebiederm at xmission.com> wrote:
>>
>> This patchset addresses two use cases:
>> - Implement a sane upper bound on the number of namespaces.
>> - Provide a way for sandboxes to limit the attack surface from
>> namespaces.
>>
>> The maximum sane case I can imagine is if every process is a fat
>> process, so I set the maximum number of namespaces to the maximum
>> number of threads.
>>
>> I make these limits recursive and per user namespace so that a
>> usernamespace root can reduce the limits further. If a user namespace
>> root raises the limit the limit in the parent namespace will be honored.
>>
>> I have cut this implementation to the bare minimum needed to achieve
>> these objections.
>>
>> Assuming nothing problematic shows up in the review I will add these to
>> my user namespace tree.
>
> This looks great; thank you! I think the design is effective. One
> thought that pops to mind is how does an admin query the current
> number of active namespaces of a given type? (It's likely this is
> already exposed somewhere and I just don't know where to look...)
The current way would be to look at /proc/<pid>/ns/... and count
unique inodes that show up. Which isn't very awesome but it is what
exists today.
Eric
More information about the Containers
mailing list