Hello Eric,
What do you think about this series? It should be useful to know current
usage for user counters.
Thanks,
Andrei
On Mon, Aug 15, 2016 at 01:10:20PM -0700, Andrei Vagin wrote:
> Recently Eric added user namespace counters. User namespace counters are
> a feature that allows limiting the number of various kernel objects a
> user can create. These limits are set via /proc/sys/user/ sysctls on a
> per user namespace basis and are applicable to all users in that
> namespace.
>
> User namespace counters are not in the upstream tree yet,
> you can find them in Eric's tree:
> https://git.kernel.org/cgit/linux/kernel/git/ebiederm/user-namespace.git/log/?h=for-testing
>
> This patch adds /proc/<pid>/userns_counts files to provide current usage
> of user namespace counters.
>
> > cat /proc/813/userns_counts
> user_namespaces 101000 1
> pid_namespaces 101000 1
> ipc_namespaces 101000 4
> net_namespaces 101000 2
> mnt_namespaces 101000 5
> mnt_namespaces 100000 1
>
> The meanings of the columns are as follows, from left to right:
>
> Name Object name
> UID User ID
> Usage Current usage
>
> The full documentation is in the second patch.
>
> v2: - describe this file in Documentation/filesystems/proc.txt
> - move and rename into /proc/<pid>/userns_counts
>
> Cc: Serge Hallyn <[email protected]>
> Cc: Kees Cook <[email protected]>
> Cc: "Eric W. Biederman" <[email protected]>
> Signed-off-by: Andrei Vagin <[email protected]>
>
> Andrei Vagin (1):
> kernel: show current values of user namespace counters
>
> Kirill Kolyshkin (1):
> Documentation: describe /proc/<pid>/userns_counts
>
> Documentation/filesystems/proc.txt | 30 +++++++++++
> fs/proc/array.c | 55 ++++++++++++++++++++
> fs/proc/base.c | 1 +
> fs/proc/internal.h | 1 +
> include/linux/user_namespace.h | 8 +++
> kernel/ucount.c | 102 +++++++++++++++++++++++++++++++++++++
> 6 files changed, 197 insertions(+)
>
> --
> 2.5.5
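The cover letter above documents the three-column `Name UID Usage` layout of /proc/<pid>/userns_counts. The following Python is an added example, not code from the patch series or from the kernel: it parses that layout, groups usage per UID, and flags objects close to their limit. The sample text is a constructed copy of the output shown in the cover letter; the limits dictionary is constructed too, standing in for the per-namespace /proc/sys/user/ sysctls (the `max_<object>` file naming is an assumption taken from the later upstream sysctls, not something the cover letter states).

```python
"""Parse and check the /proc/<pid>/userns_counts format (added example)."""
from collections import defaultdict

# Constructed sample: the output shown in the cover letter, one object per line,
# columns are Name (object name), UID (user id), Usage (current count).
SAMPLE_USERNS_COUNTS = """\
user_namespaces 101000 1
pid_namespaces 101000 1
ipc_namespaces 101000 4
net_namespaces 101000 2
mnt_namespaces 101000 5
mnt_namespaces 100000 1
"""

# Constructed limits. Assumption: the per-namespace sysctls live under
# /proc/sys/user/max_<object> (upstream naming); these values are made up.
SAMPLE_LIMITS = {
    "user_namespaces": 10,
    "pid_namespaces": 10,
    "ipc_namespaces": 5,
    "net_namespaces": 2,
    "mnt_namespaces": 6,
}


def parse_userns_counts(text):
    """Return {(name, uid): usage} for each 'Name UID Usage' line.

    Malformed or duplicate lines raise ValueError instead of being silently
    dropped, so a monitoring script notices a format change in the file.
    """
    counts = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {len(fields)}: {line!r}")
        name, uid, usage = fields[0], int(fields[1]), int(fields[2])
        if uid < 0 or usage < 0:
            raise ValueError(f"line {lineno}: negative uid or usage: {line!r}")
        key = (name, uid)
        if key in counts:
            raise ValueError(f"line {lineno}: duplicate entry for {name} uid {uid}")
        counts[key] = usage
    return counts


def usage_by_uid(counts):
    """Regroup parsed counts as {uid: {name: usage}} for per-user reporting."""
    by_uid = defaultdict(dict)
    for (name, uid), usage in counts.items():
        by_uid[uid][name] = usage
    return dict(by_uid)


def near_limit(counts, limits, threshold=0.8):
    """Return [(name, uid, usage, limit)] where usage >= threshold * limit.

    Objects without a known (positive) limit are skipped rather than guessed.
    Results are sorted by (name, uid) so output is stable across runs.
    """
    hits = []
    for (name, uid), usage in sorted(counts.items()):
        limit = limits.get(name)
        if limit is None or limit <= 0:
            continue
        if usage >= limit * threshold:
            hits.append((name, uid, usage, limit))
    return hits


def read_proc_userns_counts(pid):
    """Read the live file for a pid; only exists on a kernel carrying the series."""
    with open(f"/proc/{pid}/userns_counts") as f:
        return parse_userns_counts(f.read())


if __name__ == "__main__":
    counts = parse_userns_counts(SAMPLE_USERNS_COUNTS)
    for uid, objs in sorted(usage_by_uid(counts).items()):
        print(f"uid {uid}: {objs}")
    for name, uid, usage, limit in near_limit(counts, SAMPLE_LIMITS):
        print(f"uid {uid}: {name} at {usage}/{limit}")
```

Run against the sample, `near_limit` reports ipc_namespaces (4 of 5), mnt_namespaces (5 of 6) and net_namespaces (2 of 2) for UID 101000; the second mnt_namespaces line shows that the same object name can appear once per UID, which is why the parser keys on the (name, uid) pair rather than the name alone.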
Andrei Vagin <[email protected]> writes:
> Hello Eric,
>
> What do you think about this series? It should be useful to know current
> usage for user counters.
I am in favor of knowing the values. Unless there is a good reason not
to, we should export the values with a read-only sysctl. I believe that
is what other similar limits do.
As for having per process knowledge I think that is probably something
we want to solve for these sysctls as well.
I don't think I saw anyone looking at this code from the perspective of
information leaks. I think we need to ask that question, as similar
interfaces have been problematic from an information leak point of view.
In short, what you are trying to do here is valuable; I just want
to make certain we have a maintainable pattern when we export these.
Eric
>
> Thanks,
> Andrei
>
> On Mon, Aug 15, 2016 at 01:10:20PM -0700, Andrei Vagin wrote:
>> Recently Eric added user namespace counters. User namespace counters are
>> a feature that allows limiting the number of various kernel objects a
>> user can create. These limits are set via /proc/sys/user/ sysctls on a
>> per user namespace basis and are applicable to all users in that
>> namespace.
>>
>> User namespace counters are not in the upstream tree yet,
>> you can find them in Eric's tree:
>> https://git.kernel.org/cgit/linux/kernel/git/ebiederm/user-namespace.git/log/?h=for-testing
>>
>> This patch adds /proc/<pid>/userns_counts files to provide current usage
>> of user namespace counters.
>>
>> > cat /proc/813/userns_counts
>> user_namespaces 101000 1
>> pid_namespaces 101000 1
>> ipc_namespaces 101000 4
>> net_namespaces 101000 2
>> mnt_namespaces 101000 5
>> mnt_namespaces 100000 1
>>
>> The meanings of the columns are as follows, from left to right:
>>
>> Name Object name
>> UID User ID
>> Usage Current usage
>>
>> The full documentation is in the second patch.
>>
>> v2: - describe this file in Documentation/filesystems/proc.txt
>> - move and rename into /proc/<pid>/userns_counts
>>
>> Cc: Serge Hallyn <[email protected]>
>> Cc: Kees Cook <[email protected]>
>> Cc: "Eric W. Biederman" <[email protected]>
>> Signed-off-by: Andrei Vagin <[email protected]>
>>
>> Andrei Vagin (1):
>> kernel: show current values of user namespace counters
>>
>> Kirill Kolyshkin (1):
>> Documentation: describe /proc/<pid>/userns_counts
>>
>> Documentation/filesystems/proc.txt | 30 +++++++++++
>> fs/proc/array.c | 55 ++++++++++++++++++++
>> fs/proc/base.c | 1 +
>> fs/proc/internal.h | 1 +
>> include/linux/user_namespace.h | 8 +++
>> kernel/ucount.c | 102 +++++++++++++++++++++++++++++++++++++
>> 6 files changed, 197 insertions(+)
>>
>> --
>> 2.5.5
On Thu, Oct 06, 2016 at 02:33:53PM -0500, Eric W. Biederman wrote:
> Andrei Vagin <[email protected]> writes:
>
> > Hello Eric,
> >
> > What do you think about this series? It should be useful to know current
> > usage for user counters.
>
> I am in favor of knowing the values. Unless there is a good reason not
> to, we should export the values with a read-only sysctl. I believe that
> is what other similar limits do.
I want to have a place where I will be able to get limits for all
users. I can't imagine how to do this with a sysctl. It would look like
multiline sysctls, which doesn't look good. I will think about it. If you
have any ideas, let me know. Thanks.
>
> As for having per process knowledge I think that is probably something
> we want to solve for these sysctls as well.
>
> I don't think I saw anyone looking at this code from the perspective of
> information leaks. I think we need to ask that question, as similar
> interfaces have been problematic from an information leak point of view.
It's a good question.
>
> In short, what you are trying to do here is valuable; I just want
> to make certain we have a maintainable pattern when we export these.
>
> Eric
>
> >
> > Thanks,
> > Andrei
> >
> > On Mon, Aug 15, 2016 at 01:10:20PM -0700, Andrei Vagin wrote:
> >> Recently Eric added user namespace counters. User namespace counters are
> >> a feature that allows limiting the number of various kernel objects a
> >> user can create. These limits are set via /proc/sys/user/ sysctls on a
> >> per user namespace basis and are applicable to all users in that
> >> namespace.
> >>
> >> User namespace counters are not in the upstream tree yet,
> >> you can find them in Eric's tree:
> >> https://git.kernel.org/cgit/linux/kernel/git/ebiederm/user-namespace.git/log/?h=for-testing
> >>
> >> This patch adds /proc/<pid>/userns_counts files to provide current usage
> >> of user namespace counters.
> >>
> >> > cat /proc/813/userns_counts
> >> user_namespaces 101000 1
> >> pid_namespaces 101000 1
> >> ipc_namespaces 101000 4
> >> net_namespaces 101000 2
> >> mnt_namespaces 101000 5
> >> mnt_namespaces 100000 1
> >>
> >> The meanings of the columns are as follows, from left to right:
> >>
> >> Name Object name
> >> UID User ID
> >> Usage Current usage
> >>
> >> The full documentation is in the second patch.
> >>
> >> v2: - describe this file in Documentation/filesystems/proc.txt
> >> - move and rename into /proc/<pid>/userns_counts
> >>
> >> Cc: Serge Hallyn <[email protected]>
> >> Cc: Kees Cook <[email protected]>
> >> Cc: "Eric W. Biederman" <[email protected]>
> >> Signed-off-by: Andrei Vagin <[email protected]>
> >>
> >> Andrei Vagin (1):
> >> kernel: show current values of user namespace counters
> >>
> >> Kirill Kolyshkin (1):
> >> Documentation: describe /proc/<pid>/userns_counts
> >>
> >> Documentation/filesystems/proc.txt | 30 +++++++++++
> >> fs/proc/array.c | 55 ++++++++++++++++++++
> >> fs/proc/base.c | 1 +
> >> fs/proc/internal.h | 1 +
> >> include/linux/user_namespace.h | 8 +++
> >> kernel/ucount.c | 102 +++++++++++++++++++++++++++++++++++++
> >> 6 files changed, 197 insertions(+)
> >>
> >> --
> >> 2.5.5
Andrei Vagin <[email protected]> writes:
> On Thu, Oct 06, 2016 at 02:33:53PM -0500, Eric W. Biederman wrote:
>> Andrei Vagin <[email protected]> writes:
>>
>> > Hello Eric,
>> >
>> > What do you think about this series? It should be useful to know current
>> > usage for user counters.
>>
>> I am in favor of knowing the values. Unless there is a good reason not
>> to, we should export the values with a read-only sysctl. I believe that
>> is what other similar limits do.
>
> I want to have a place where I will be able to get limits for all
> users. I can't imagine how to do this with a sysctl. It would look like
> multiline sysctls, which doesn't look good. I will think about it. If you
> have any ideas, let me know. Thanks.
Something that has been on my wish list for a while has been to modify
/proc/sys/... to also show up under /proc/<pid>/sys/... for the
non-global values. Now it might make sense to show these things in an
alternate filesystem.
At the same time I am a little leery of the desire. Changing these
limits and watching them in a per-process / per-user sense is fine.
However, their fundamental purpose is to be set-and-forget limits
that only rarely should anyone need to mess with, which makes the
primary purpose of looking at them debugging and verifying that the
limits are set to reasonable values.
Active management if someone wants to go there is possible but it will
never be the primary purpose of these limits.
>> As for having per process knowledge I think that is probably something
>> we want to solve for these sysctls as well.
>>
>> I don't think I saw anyone looking at this code from the perspective of
>> information leaks. I think we need to ask that question, as similar
>> interfaces have been problematic from an information leak point of view.
>
> It's a good question.
I expect that we don't actually care. The kernel tends to leak a lot of
this kind of information. But I figure we should at least be able to
say we thought about it and we don't care.
Eric