[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <877fc8tosh.fsf@x220.int.ebiederm.org>
Date: Tue, 26 Jul 2016 10:14:06 -0500
From: ebiederm@...ssion.com (Eric W. Biederman)
To: "Michael Kerrisk \(man-pages\)" <mtk.manpages@...il.com>
Cc: Linux Containers <containers@...ts.linux-foundation.org>,
Andy Lutomirski <luto@...capital.net>,
Jann Horn <jann@...jh.net>, Kees Cook <keescook@...omium.org>,
Nikolay Borisov <kernel@...p.com>,
"Serge E. Hallyn" <serge@...lyn.com>,
Seth Forshee <seth.forshee@...onical.com>,
linux-fsdevel@...r.kernel.org, netdev@...r.kernel.org,
linux-kernel@...r.kernel.org, linux-api@...r.kernel.org
Subject: Re: [PATCH v2 00/10] userns: sysctl limits for namespaces
"Michael Kerrisk (man-pages)" <mtk.manpages@...il.com> writes:
> Hello Eric,
>
> On 07/21/2016 06:39 PM, Eric W. Biederman wrote:
>>
>> This patchset addresses two use cases:
>> - Implement a sane upper bound on the number of namespaces.
>> - Provide a way for sandboxes to limit the attack surface from
>> namespaces.
>>
>> The maximum sane case I can imagine is if every process is a fat
>> process, so I set the maximum number of namespaces to the maximum
>> number of threads.
>>
>> I make these limits recursive and per user namespace so that a
>> usernamespace root can reduce the limits further. If a user namespace
>> root raises the limit the limit in the parent namespace will be honored.
>>
>> I have cut this implementation to the bare minimum needed to achieve
>> these objectives.
>>
>> Does anyone know if there is a proper error code to return for resource
>> limit exceeded? I am currently using -EUSERS or -ENFILE but both of
>> those feel a little wrong.
>
> ENFILE certainly seems weird. I suppose my first question is: why two
> different errors?
EUSERS was there in the user namespace case for this condition (well
nesting depth but same principle) so it made sense to start with. But
too many users doesn't really make sense.
ENFILE is actually slightly less insane. It actually is about hitting a
resource limit, and seemed the most generic catchall we had.
> Some alternatives you might want to consider: E2BIG, EOVERFLOW,
> or (maybe) ERANGE.
My problem with those is typically those are about the values in fields,
not about creating too many things. So those really don't feel right.
EACCESS or EPERM might be better but those are very very generic.
I really want ETOOMANY or something like that.
I am actually surprised given how common this pattern is, and the fact that
rlimits have existed forever, that we don't have a resource limit
exceeded error code. I suppose it might be worth looking at Posix to
see if they have any suggestions. Perhaps it may even be time to add an
appropriate error code to the list.
Not the most important thing out of this patch series but something
worth looking at.
Eric
Powered by blists - more mailing lists