• Linus Torvalds's avatar
    Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace · 14986a34
    Linus Torvalds authored
    Pull namespace updates from Eric Biederman:
     "This set of changes is a number of smaller things that have been
      overlooked in other development cycles focused on more fundamental
      change. The devpts changes are small things that were a distraction
      until we managed to kill off DEVPTS_MULTPLE_INSTANCES. There is an
      trivial regression fix to autofs for the unprivileged mount changes
      that went in last cycle. A pair of ioctls has been added by Andrey
      Vagin making it is possible to discover the relationships between
      namespaces when referring to them through file descriptors.
    
      The big user visible change is starting to add simple resource limits
      to catch programs that misbehave. With namespaces in general and user
      namespaces in particular allowing users to use more kinds of
      resources, it has become important to have something to limit errant
      programs. Because the purpose of these limits is to catch errant
      programs the code needs to be inexpensive to use as it always on, and
      the default limits need to be high enough that well behaved programs
      on well behaved systems don't encounter them.
    
      To this end, after some review I have implemented per user per user
      namespace limits, and use them to limit the number of namespaces. The
      limits being per user mean that one user can not exhause the limits of
      another user. The limits being per user namespace allow contexts where
      the limit is 0 and security conscious folks can remove from their
      threat anlysis the code used to manage namespaces (as they have
      historically done as it root only). At the same time the limits being
      per user namespace allow other parts of the system to use namespaces.
    
      Namespaces are increasingly being used in application sand boxing
      scenarios so an all or nothing disable for the entire system for the
      security conscious folks makes increasing use of these sandboxes
      impossible.
    
      There is also added a limit on the maximum number of mounts present in
      a single mount namespace. It is nontrivial to guess what a reasonable
      system wide limit on the number of mount structure in the kernel would
      be, especially as it various based on how a system is using
      containers. A limit on the number of mounts in a mount namespace
      however is much easier to understand and set. In most cases in
      practice only about 1000 mounts are used. Given that some autofs
      scenarious have the potential to be 30,000 to 50,000 mounts I have set
      the default limit for the number of mounts at 100,000 which is well
      above every known set of users but low enough that the mount hash
      tables don't degrade unreaonsably.
    
      These limits are a start. I expect this estabilishes a pattern that
      other limits for resources that namespaces use will follow. There has
      been interest in making inotify event limits per user per user
      namespace as well as interest expressed in making details about what
      is going on in the kernel more visible"
    
    * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace: (28 commits)
      autofs:  Fix automounts by using current_real_cred()->uid
      mnt: Add a per mount namespace limit on the number of mounts
      netns: move {inc,dec}_net_namespaces into #ifdef
      nsfs: Simplify __ns_get_path
      tools/testing: add a test to check nsfs ioctl-s
      nsfs: add ioctl to get a parent namespace
      nsfs: add ioctl to get an owning user namespace for ns file descriptor
      kernel: add a helper to get an owning user namespace for a namespace
      devpts: Change the owner of /dev/pts/ptmx to the mounter of /dev/pts
      devpts: Remove sync_filesystems
      devpts: Make devpts_kill_sb safe if fsi is NULL
      devpts: Simplify devpts_mount by using mount_nodev
      devpts: Move the creation of /dev/pts/ptmx into fill_super
      devpts: Move parse_mount_options into fill_super
      userns: When the per user per user namespace limit is reached return ENOSPC
      userns; Document per user per user namespace limits.
      mntns: Add a limit on the number of mount namespaces.
      netns: Add a limit on the number of net namespaces
      cgroupns: Add a limit on the number of cgroup namespaces
      ipcns: Add a  limit on the number of ipc namespaces
      ...
    14986a34
sysctl_net.c 3.01 KB