Date: Wed, 18 Apr 2012 03:22:10 +0000
From: "Serge E. Hallyn" <serge@...lyn.com>
To: Doug Ledford <dledford@...hat.com>
Cc: linux-kernel@...r.kernel.org, akpm@...ux-foundation.org, kosaki.motohiro@...il.com, KOSAKI Motohiro <kosaki.motohiro@...fujitsu.com>, Amerigo Wang <amwang@...hat.com>, "Serge E. Hallyn" <serue@...ibm.com>, Jiri Slaby <jslaby@...e.cz>
Subject: Re: [Patch 5/8] mqueue: revert bump up DFLT_*MAX

Quoting Doug Ledford (dledford@...hat.com):
> From: KOSAKI Motohiro <kosaki.motohiro@...fujitsu.com>
>
> Mqueue limitation is slightly naive parameter likes other ipcs
> because unprivileged user can consume kernel memory by using ipcs.
>
> Thus, too aggressive raise bring us security issue. Example,
> current setting allow evil unprivileged user use 256GB (= 256
> * 1024 * 1024*1024) and it's enough large to system will become
> unresponsive. Don't do that.
>
> Instead, every admin should adjust the knobs for their own systems.

Would you be terribly averse to having a higher limit in init_ipc_ns,
and the lower values by default in all child namespaces? Sorry it
sounds from the intro like you've already had quite a bit of discussion
on this...

Of course I realize the values can just be raised by distro boot scripts...

> Signed-off-by: KOSAKI Motohiro <kosaki.motohiro@...fujitsu.com>
> Acked-by: Doug Ledford <dledford@...hat.com>
> Acked-by: Joe Korty <joe.korty@...r.com>
> Cc: Amerigo Wang <amwang@...hat.com>
> Cc: Serge E. Hallyn <serue@...ibm.com>

Acked-by: Serge E. Hallyn <serge.hallyn@...onical.com>

> Cc: Jiri Slaby <jslaby@...e.cz>
> --- > include/linux/ipc_namespace.h | 6 +++--- > 1 files changed, 3 insertions(+), 3 deletions(-) > > diff --git a/include/linux/ipc_namespace.h b/include/linux/ipc_namespace.h > index 6e1dd08..2488535 100644 > --- a/include/linux/ipc_namespace.h > +++ b/include/linux/ipc_namespace.h 
> @@ -118,12 +118,12 @@ extern int mq_init_ns(struct ipc_namespace *ns); > #define DFLT_QUEUESMAX 256 > #define HARD_QUEUESMAX 1024 > #define MIN_MSGMAX 1 > -#define DFLT_MSG 64U > -#define DFLT_MSGMAX 1024 > +#define DFLT_MSG 10U > +#define DFLT_MSGMAX 10 > #define HARD_MSGMAX 65536 > #define MIN_MSGSIZEMAX 128 > #define DFLT_MSGSIZE 8192U > -#define DFLT_MSGSIZEMAX (1024*1024) > +#define DFLT_MSGSIZEMAX 8192 > #define HARD_MSGSIZEMAX (16*1024*1024) > #else > static inline int mq_init_ns(struct ipc_namespace *ns) { return 0; } > -- > 1.7.7.6 > > -- > To unsubscribe from this list: send the line "unsubscribe linux-kernel" in > the body of a message to majordomo@...r.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html > Please read the FAQ at http://www.tux.org/lkml/ -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
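Review bot: the new values for DFLT_MSG, DFLT_MSGMAX and DFLT_MSGSIZEMAX have no comment saying what they bound, so nothing in the header stops a later patch from raising them again. Suggest a short comment above DFLT_MSG recording the worst-case product DFLT_QUEUESMAX * DFLT_MSGMAX * DFLT_MSGSIZEMAX: with the removed lines it is 256 * 1024 * (1024*1024), which is the 256GB the commit message cites, and with the added lines it is 256 * 10 * 8192, roughly 20MB. As a style point, DFLT_MSG 10U and DFLT_MSGSIZE 8192U are unsigned while DFLT_MSGMAX 10 and DFLT_MSGSIZEMAX 8192 are plain int; now that each default equals its max, giving each pair the same type would avoid mixed-sign comparisons where they are used together.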