| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20130126211312.GD11274@mail.hallyn.com> Date: Sat, 26 Jan 2013 21:13:12 +0000 From: "Serge E. Hallyn" <serge@...lyn.com> To: "Eric W. Biederman" <ebiederm@...ssion.com> Cc: Linux Containers <containers@...ts.linux-foundation.org>, "Serge E. Hallyn" <serge@...lyn.com>, linux-kernel@...r.kernel.org, linux-fsdevel@...r.kernel.org Subject: Re: [PATCH review 3/6] userns: Recommend use of memory control groups. Quoting Eric W. Biederman (ebiederm@...ssion.com): > > In the help text describing user namespaces recommend use of memory > control groups. In many cases memory control groups are the only > mechanism there is to limit how much memory a user who can create > user namespaces can use. > > Signed-off-by: "Eric W. Biederman" <ebiederm@...ssion.com> Acked-by: Serge Hallyn <serge.hallyn@...onical.com> nit: > --- > Documentation/namespaces/resource-control.txt | 10 ++++++++++ > init/Kconfig | 7 +++++++ > 2 files changed, 17 insertions(+), 0 deletions(-) > create mode 100644 Documentation/namespaces/resource-control.txt > > diff --git a/Documentation/namespaces/resource-control.txt b/Documentation/namespaces/resource-control.txt > new file mode 100644 > index 0000000..3d8178a > --- /dev/null > +++ b/Documentation/namespaces/resource-control.txt > @@ -0,0 +1,10 @@ > +There are a lot of kinds of objects in the kernel that don't have > +individual limits or that have limits that are ineffective when a set > +of processes is allowed to switch user ids. With user namespaces > +enabled in a kernel for people who don't trust their users or their > +users programs to play nice this problems becomes more acute. users' programs > + > +Therefore it is recommended that memory control groups be enabled in > +kernels that enable user namespaces, and it is further recommended > +that userspace configure memory control groups to limit how much > +memory users they don't trust to play nice can use. > diff --git a/init/Kconfig b/init/Kconfig > index 7d30240..c8c58bd 100644 > --- a/init/Kconfig > +++ b/init/Kconfig > @@ -1035,6 +1035,13 @@ config USER_NS > help > This allows containers, i.e. vservers, to use user namespaces > to provide different user info for different servers. > + > + When user namespaces are enabled in the kernel it is > + recommended that the MEMCG and MEMCG_KMEM options also be > + enabled and that user-space use the memory control groups to > + limit the amount of memory a memory unprivileged users can > + use. > + > If unsure, say N. > > config PID_NS > -- > 1.7.5.4 -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists