lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <94b608ae-1d06-5c41-cbd5-94e663a2163a@gmail.com> Date: Tue, 26 Jul 2016 12:27:59 +0200 From: "Michael Kerrisk (man-pages)" <mtk.manpages@...il.com> To: "Eric W. Biederman" <ebiederm@...ssion.com>, Linux Containers <containers@...ts.linux-foundation.org> Cc: mtk.manpages@...il.com, Andy Lutomirski <luto@...capital.net>, Jann Horn <jann@...jh.net>, Kees Cook <keescook@...omium.org>, Nikolay Borisov <kernel@...p.com>, "Serge E. Hallyn" <serge@...lyn.com>, Seth Forshee <seth.forshee@...onical.com>, linux-fsdevel@...r.kernel.org, netdev@...r.kernel.org, linux-kernel@...r.kernel.org, linux-api@...r.kernel.org Subject: Re: [PATCH v2 00/10] userns: sysctl limits for namespaces Hello Eric, On 07/21/2016 06:39 PM, Eric W. Biederman wrote: > > This patchset addresses two use cases: > - Implement a sane upper bound on the number of namespaces. > - Provide a way for sandboxes to limit the attack surface from > namespaces. > > The maximum sane case I can imagine is if every process is a fat > process, so I set the maximum number of namespaces to the maximum > number of threads. > > I make these limits recursive and per user namespace so that a > usernamespace root can reduce the limits further. If a user namespace > root raises the limit the limit in the parent namespace will be honored. > > I have cut this implementation to the bare minimum needed to achieve > these objectives. > > Does anyone know if there is a proper error code to return for resource > limit exceeded? I am currently using -EUSERS or -ENFILE but both of > those feel a little wrong. ENFILE certainly seems weird. I suppose my first question is: why two different errors? Some alternatives you might want to consider: E2BIG, EOVERFLOW, or (maybe) ERANGE. Cheers, Michael
Powered by blists - more mailing lists