| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAAAKZwupGmw_+EaApZFAqVcXWBF885Gsjx6tUWUdMuebXrt_Mg@mail.gmail.com> Date: Fri, 12 Aug 2011 14:11:18 -0700 From: Tim Hockin <thockin@...kin.org> To: Andrew Morton <akpm@...ux-foundation.org> Cc: Frederic Weisbecker <fweisbec@...il.com>, LKML <linux-kernel@...r.kernel.org>, Paul Menage <menage@...gle.com>, Li Zefan <lizf@...fujitsu.com>, Johannes Weiner <hannes@...xchg.org>, Aditya Kali <adityakali@...gle.com>, Oleg Nesterov <oleg@...hat.com> Subject: Re: [PATCH 0/8 v3] cgroups: Task counter subsystem (was: New max number of tasks subsystem) On Mon, Aug 1, 2011 at 4:19 PM, Andrew Morton <akpm@...ux-foundation.org> wrote: > On Fri, 29 Jul 2011 18:13:22 +0200 > Frederic Weisbecker <fweisbec@...il.com> wrote: > >> Reminder: >> >> This patchset is aimed at reducing the impact of a forkbomb to a >> cgroup boundaries, thus minimizing the consequences of such an attack >> against the rest of the system. >> >> This can be useful when cgroups are used to stage some processes or run >> untrustees. > > Really? How useful? Why is it useful enough to justify adding code > such as this to the kernel? > > Is forkbomb-prevention the only use? Others have proposed different > ways of preventing forkbombs which were independent of cgroups - is > this way better and if so, why? I certainly want this for exactly the proposed use - putting a bounds on threads/tasks per container. It's rlimits but more useful. IMHO, most every limit that can be set at a system level should be settable at a cgroup level. This is just one more isolation leak. >> block/blk-cgroup.c | 10 ++- >> include/linux/cgroup.h | 15 +++- >> include/linux/cgroup_subsys.h | 8 ++ >> include/linux/res_counter.h | 12 +++ >> init/Kconfig | 7 ++ >> kernel/Makefile | 1 + >> kernel/cgroup.c | 25 ++++-- >> kernel/cgroup_freezer.c | 3 +- >> kernel/cgroup_task_counter.c | 176 +++++++++++++++++++++++++++++++++++++++++ >> kernel/cpuset.c | 6 +- >> kernel/events/core.c | 5 +- >> kernel/fork.c | 4 + >> kernel/res_counter.c | 81 ++++++++++++++++--- >> kernel/sched.c | 6 +- > > The patch forgot to document the feature: how it works, what it's > useful for, what behaviour users can expect to see, when they should > consider using it, what the userspace control interface is and how to > configure it, etc. Documentation/cgroups/ is the place for that. +1 - I am not very familiar with the cgroups code, so I am disinclined to learn it all just to evaluate the functionality and API of this patch. Design doc, please? Tim -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists