lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20241122-hinten-sesshaft-5951878d9374@brauner>
Date: Fri, 22 Nov 2024 12:31:17 +0100
From: Christian Brauner <brauner@...nel.org>
To: Tycho Andersen <tycho@...ho.pizza>
Cc: Yun Zhou <yun.zhou@...driver.com>, stgraber@...raber.org, 
	cyphar@...har.com, Alexander Mikhalitsyn <aleksandr.mikhalitsyn@...onical.com>, 
	mcgrof@...nel.org, kees@...nel.org, joel.granados@...nel.org, mhiramat@...nel.org, 
	mathieu.desnoyers@...icios.com, linux-kernel@...r.kernel.org, linux-fsdevel@...r.kernel.org, 
	linux-trace-kernel@...r.kernel.org
Subject: Re: [PATCH v2] kernel: add pid_max to pid_namespace

On Thu, Nov 21, 2024 at 07:33:54AM -0700, Tycho Andersen wrote:
> On Wed, Nov 20, 2024 at 10:06:27AM +0100, Christian Brauner wrote:
> > On Tue, Nov 05, 2024 at 11:10:24AM +0800, Yun Zhou wrote:
> > > It is necessary to have a different pid_max in different containers.
> > > For example, multiple containers are running on a host, one of which
> > > is Android, and its 32 bit bionic libc only accepts pid <= 65535. So
> > > it requires the global pid_max <= 65535. This will cause configuration
> > > conflicts with other containers and also limit the maximum number of
> > > tasks for the entire system.
> > > 
> > > Signed-off-by: Yun Zhou <yun.zhou@...driver.com>
> > > ---
> > 
> > Fwiw, I've done a patch like this years ago and then Alex revived it in
> > [1] including selftests! There's downsides to consider:
> > 
> > [1]: https://lore.kernel.org/lkml/20240222160915.315255-1-aleksandr.mikhalitsyn@canonical.com
> 
> Thanks, looks like this patch has the same oddity.
> 
> For me it's enough to just walk up the tree when changing pid_max. It
> seems unlikely that applications will create a sub pidns and then lower
> the max in their own pid_max. Famous last words and all that.

I think we should revive Alex series. Not just because it has selftests
but afaict the implementation is a bit more robust.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ