| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAL1p7m6C9v6z7-e4r+ro7EMvjy2yyOeLKU0UyMcVBHE9Ss1tMg@mail.gmail.com> Date: Sat, 19 Apr 2025 11:00:09 -0400 From: Joel Savitz <jsavitz@...hat.com> To: Randy Dunlap <rdunlap@...radead.org> Cc: linux-kernel@...r.kernel.org, Jonathan Corbet <corbet@....net>, linux-doc@...r.kernel.org Subject: Re: [PATCH] docs: namespace: Tweak and reword resource control doc On Fri, Apr 18, 2025 at 3:38 PM Randy Dunlap <rdunlap@...radead.org> wrote: > > > > On 4/18/25 8:29 AM, Joel Savitz wrote: > > Fix the document title and reword the phrasing to active voice. > > > > Signed-off-by: Joel Savitz <jsavitz@...hat.com> > > --- > > .../namespaces/resource-control.rst | 24 +++++++++---------- > > 1 file changed, 12 insertions(+), 12 deletions(-) > > > > diff --git a/Documentation/admin-guide/namespaces/resource-control.rst b/Documentation/admin-guide/namespaces/resource-control.rst > > index 369556e00f0c..624f4dceea46 100644 > > --- a/Documentation/admin-guide/namespaces/resource-control.rst > > +++ b/Documentation/admin-guide/namespaces/resource-control.rst > > @@ -1,17 +1,17 @@ > > -=========================== > > -Namespaces research control > > -=========================== > > +==================================== > > +User namespaces and resoruce control > > resource Oh, oops! > > > > +==================================== > > > > -There are a lot of kinds of objects in the kernel that don't have > > -individual limits or that have limits that are ineffective when a set > > -of processes is allowed to switch user ids. With user namespaces > > -enabled in a kernel for people who don't trust their users or their > > -users programs to play nice this problems becomes more acute. > > +The kernel contains many kinds of objects that either don't have > > +individual limits or that have limits which are ineffective when > > +a set of processes is allowed to switch their UID. On a system > > +where there admins don't trust their users or their users' programs, > > +user namespaces expose the system to potential misuse of resources. > > > > -Therefore it is recommended that memory control groups be enabled in > > -kernels that enable user namespaces, and it is further recommended > > -that userspace configure memory control groups to limit how much > > -memory user's they don't trust to play nice can use. > > +In order to mitigate this, we recommend that admins enable memory > > +control groups on any system that enables user namespaces. > > +Furthermore, we recommend that admins configure the memory control > > +groups to limit the maximum memory usable by any untrusted user. > > > > Memory control groups can be configured by installing the libcgroup > > package present on most distros editing /etc/cgrules.conf, > > -- > ~Randy >
Powered by blists - more mailing lists