From: David Herrmann
Date: Wed, 2 Nov 2016 15:45:10 +0100
Subject: Re: [RFC v1 00/14] Bus1 Kernel Message Bus
To: "Kirill A. Shutemov"
Cc: Linus Torvalds, Linux Kernel Mailing List, Andy Lutomirski, Jiri Kosina, Greg KH, Hannes Reinecke, Steven Rostedt, Arnd Bergmann, Tom Gundersen, Josh Triplett, Andrew Morton
In-Reply-To: <20161027004524.GA4184@node>
References: <20161026191810.12275-1-dh.herrmann@gmail.com> <20161027004524.GA4184@node>
List-ID: linux-kernel@vger.kernel.org

Hi

On Thu, Oct 27, 2016 at 2:45 AM, Kirill A. Shutemov wrote:
> On Wed, Oct 26, 2016 at 10:34:30PM +0200, David Herrmann wrote:
>> Long story short: We have uid<->uid quotas so far, which prevent DoS
>> attacks, unless you get access to a ridiculous amount of local UIDs.
>> Details on which resources are accounted can be found in the wiki [1].
>
> Does only the root user_ns uid count as separate, or per-ns too?
>
> In the first case we will have virtually unbounded access to UIDs.
>
> The second case can cap the number of user namespaces a user can create while
> using bus1 inside.
>
> Or am I missing something?

We use the exact same mechanism as "struct user_struct" (as defined in
linux/sched.h). One instance corresponds to each kuid_t currently in use.
This is analogous to task, epoll, inotify, fanotify, mqueue, pipes, keys, ...
resource accounting.

Could you elaborate on what problem you see?

Thanks
David
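The exchange above turns on why per-kuid accounting is not defeated by creating user namespaces: a uid inside a child namespace is translated to a kernel-global kuid_t, and the accounting object (struct user_struct in the kernel) is looked up by that kuid, so a namespace that maps its "root" back onto the same kuid charges the same counter. The following toy model, added here as an illustration and not bus1 or kernel code, shows that behaviour. The table, the quota value, the `user_ns` mapping struct and the function names (`alloc_uid`, `make_kuid`, `charge`, `demo`) are constructed for the example and only loosely mirror the kernel's.

```c
/* Toy model of per-kuid resource accounting in the style of the kernel's
 * struct user_struct. Added illustration only: the table, the quota and
 * the namespace mapping below are constructed, not kernel or bus1 code. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

typedef uint32_t kuid_t;            /* kernel-global uid, independent of any user_ns */

#define MAX_USERS 64
#define QUOTA_PER_KUID 3            /* constructed limit, not a real kernel default */

struct user_struct {
    kuid_t uid;
    int in_use;                     /* slot occupied */
    int count;                      /* resources charged to this kuid */
};

static struct user_struct table[MAX_USERS];

/* Find or allocate the accounting object for a kuid (cf. the kernel's uidhash lookup). */
static struct user_struct *alloc_uid(kuid_t uid)
{
    struct user_struct *free_slot = NULL;
    for (int i = 0; i < MAX_USERS; i++) {
        if (table[i].in_use && table[i].uid == uid)
            return &table[i];       /* same kuid -> same counter, whichever ns asked */
        if (!table[i].in_use && !free_slot)
            free_slot = &table[i];
    }
    if (!free_slot)
        return NULL;
    free_slot->in_use = 1;
    free_slot->uid = uid;
    free_slot->count = 0;
    return free_slot;
}

/* A user namespace maps a contiguous range of ns-local uids onto kuids. */
struct user_ns {
    uint32_t ns_first;              /* first uid inside the namespace */
    kuid_t   kuid_first;            /* kuid it maps to */
    uint32_t count;                 /* length of the mapping */
};

/* Translate an ns-local uid to a kuid; -1 if the uid is not mapped. */
static int make_kuid(const struct user_ns *ns, uint32_t nsuid, kuid_t *out)
{
    if (nsuid < ns->ns_first || nsuid - ns->ns_first >= ns->count)
        return -1;
    *out = ns->kuid_first + (nsuid - ns->ns_first);
    return 0;
}

/* Charge one resource to the kuid behind nsuid; 0 on success, -1 if unmapped or over quota. */
static int charge(const struct user_ns *ns, uint32_t nsuid)
{
    kuid_t k;
    if (make_kuid(ns, nsuid, &k))
        return -1;
    struct user_struct *u = alloc_uid(k);
    if (!u || u->count >= QUOTA_PER_KUID)
        return -1;
    u->count++;
    return 0;
}

static void reset_accounting(void) { memset(table, 0, sizeof table); }

/* Returns 1 when a child namespace whose uid 0 maps to kuid 1000 shares
 * kuid 1000's quota, while an unrelated kuid keeps its own counter. */
static int demo(void)
{
    reset_accounting();
    struct user_ns init_ns  = { 0, 0, UINT32_MAX };   /* identity mapping */
    struct user_ns child_ns = { 0, 1000, 1 };         /* uid 0 in child == kuid 1000 */
    int ok = 0, denied = 0;

    for (int i = 0; i < QUOTA_PER_KUID; i++)          /* exhaust kuid 1000's quota */
        if (charge(&init_ns, 1000) == 0) ok++;
    if (charge(&child_ns, 0) != 0) denied++;          /* "root" of child_ns: same kuid, denied */
    if (charge(&init_ns, 1001) == 0) ok++;            /* different kuid: own counter */

    return denied == 1 && ok == QUOTA_PER_KUID + 1;
}

/* Returns 1 when a uid outside the namespace's mapping is rejected. */
static int unmapped_is_rejected(void)
{
    struct user_ns child_ns = { 0, 1000, 1 };
    kuid_t k;
    return make_kuid(&child_ns, 5, &k) == -1;
}

int main(void)
{
    printf("%s\n", demo() && unmapped_is_rejected() ? "shared quota enforced" : "unexpected");
    return 0;
}
```

The point the model makes is the one in the reply: the key of the accounting table is the kuid, not the (namespace, uid) pair, so creating user namespaces does not multiply the budget. Only access to additional kuids, which the admin controls through the namespace's uid map, adds accounting objects.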