| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 18 Apr 2012 03:22:10 +0000
From: "Serge E. Hallyn" <serge@...lyn.com>
To: Doug Ledford <dledford@...hat.com>
Cc: linux-kernel@...r.kernel.org, akpm@...ux-foundation.org,
kosaki.motohiro@...il.com,
KOSAKI Motohiro <kosaki.motohiro@...fujitsu.com>,
Amerigo Wang <amwang@...hat.com>,
"Serge E. Hallyn" <serue@...ibm.com>, Jiri Slaby <jslaby@...e.cz>
Subject: Re: [Patch 5/8] mqueue: revert bump up DFLT_*MAX
Quoting Doug Ledford (dledford@...hat.com):
> From: KOSAKI Motohiro <kosaki.motohiro@...fujitsu.com>
>
> Mqueue limitation is slightly naieve parameter likes other ipcs
> because unprivileged user can consume kernel memory by using ipcs.
>
> Thus, too aggressive raise bring us security issue. Example,
> current setting allow evil unprivileged user use 256GB (= 256
> * 1024 * 1024*1024) and it's enough large to system will belome
> unresponsive. Don't do that.
>
> Instead, every admin should adjust the knobs for their own systems.
Would you be terribly averse to having a higher limit in init_ipc_ns,
and the lower values by default in all child namespaces?
Sorry it sounds from the intro like you've already had quite a bit of
discussion on this...
Of course I realize the values can just be raised by distro boot
scripts...
> Signed-off-by: KOSAKI Motohiro <kosaki.motohiro@...fujitsu.com>
> Acked-by: Doug Ledford <dledford@...hat.com>
> Acked-by: Joe Korty <joe.korty@...r.com>
> Cc: Amerigo Wang <amwang@...hat.com>
> Cc: Serge E. Hallyn <serue@...ibm.com>
Acked-by: Serge E. Hallyn <serge.hallyn@...onical.com>
> Cc: Jiri Slaby <jslaby@...e.cz>
> ---
> include/linux/ipc_namespace.h | 6 +++---
> 1 files changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/include/linux/ipc_namespace.h b/include/linux/ipc_namespace.h
> index 6e1dd08..2488535 100644
> --- a/include/linux/ipc_namespace.h
> +++ b/include/linux/ipc_namespace.h
> @@ -118,12 +118,12 @@ extern int mq_init_ns(struct ipc_namespace *ns);
> #define DFLT_QUEUESMAX 256
> #define HARD_QUEUESMAX 1024
> #define MIN_MSGMAX 1
> -#define DFLT_MSG 64U
> -#define DFLT_MSGMAX 1024
> +#define DFLT_MSG 10U
> +#define DFLT_MSGMAX 10
> #define HARD_MSGMAX 65536
> #define MIN_MSGSIZEMAX 128
> #define DFLT_MSGSIZE 8192U
> -#define DFLT_MSGSIZEMAX (1024*1024)
> +#define DFLT_MSGSIZEMAX 8192
> #define HARD_MSGSIZEMAX (16*1024*1024)
> #else
> static inline int mq_init_ns(struct ipc_namespace *ns) { return 0; }
> --
> 1.7.7.6
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@...r.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at http://www.tux.org/lkml/
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists