Received: by 2002:a05:6a10:9afc:0:0:0:0 with SMTP id t28csp1057018pxm; Wed, 23 Feb 2022 17:02:05 -0800 (PST) X-Google-Smtp-Source: ABdhPJwY/qmGoKA4bfVVeVs5lMFftLHA6ckSL9fwoImDsm5nI//Andux/n0VSUFpXaaOpPv2Byad X-Received: by 2002:a65:5307:0:b0:374:315a:bc32 with SMTP id m7-20020a655307000000b00374315abc32mr355280pgq.342.1645664525741; Wed, 23 Feb 2022 17:02:05 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1645664525; cv=none; d=google.com; s=arc-20160816; b=TFMa5b3cChDK8x+s4RSwELhFeJgiGVMY5FmcmL2KN1it7sLf/4/oX22BU8Z0GTdX90 C6sy7hDtT8+5nqZsYrHPw0C8BiHbMUnAgx0SRhifSk3y5QXVRVPI81D3wVAVYvAIa5B/ hR71LzYXB5B/L32gxkJNYRT9PgUvpZ/Ki0OhLeRaERAeZg32gX74lC8OcanjuggZGs24 nuVAOimwQn50BAGgMXX4prT6FEWXCALeMD5bbIJGzAvFnY6vdll/cM5SkPx7jAfS/j0S AaF/l5qr2yu27w7OFBSwchGj57JZFK4KoaQgVdM5aM7jbYFrmwTv+LwB2dfKUKkYPHmD qCAw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=2iep3pmwYTl7n1r9c1BTnUlQQ4DhNKuWjHXED2JiiHM=; b=wTM50UV7juwqpUMhh1QxHBbd6F5nl1tsJiBRCrgaGJK85eeEKNN2VuhS6WAEhwr7YV ajcOoi5csrdIrM0cGveMdYRVTN0JUCeXqUIFciVSqhVqlakExuDuffxxPhYxtGr3xwv8 3G4nYSzqDSu2AJ02HTfCxbo87/iJLUnNQJcT7Ok0fVDkZ+EDsz27dxioOXVh8RQ55dN7 sZohWbjyfQ8RJZjQzbuhsEECANFfLf1TNyVRzUJwFgXv8a8A4SZ0bwSidWGXY/6mR65U l6s6pfE353LbHpSrWxDA/Fyrke7Vy6oqAyeXX9N7kAayNMdjlH0F67QEMOvuhmTgD5On x/PA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=I61UvHRN; spf=softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [23.128.96.19]) by mx.google.com with ESMTPS id v12-20020a17090a458c00b001b9fbccf90esi3580509pjg.141.2022.02.23.17.02.05 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 23 Feb 2022 17:02:05 -0800 (PST) Received-SPF: softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) client-ip=23.128.96.19; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=I61UvHRN; spf=softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 1C445139CCA; Wed, 23 Feb 2022 16:52:44 -0800 (PST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S244193AbiBWTph (ORCPT + 99 others); Wed, 23 Feb 2022 14:45:37 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43624 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232716AbiBWTpf (ORCPT ); Wed, 23 Feb 2022 14:45:35 -0500 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A04324B1F6 for ; Wed, 23 Feb 2022 11:45:06 -0800 (PST) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 30C466176C for ; Wed, 23 Feb 2022 19:45:06 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 87F36C340F3 for ; Wed, 23 Feb 2022 19:45:05 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1645645505; bh=6v6jF0P7IEYuMS19alLwVHQ6Tz2juOAcucIRyeumVWE=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=I61UvHRN0Vt744x0tqqIlz3WwBBW0aVP3hyJqajnLIxlXbsgS99B39zeqCsO6yow2 +NcTBsGZUnCp2ejji/LV8GKWEHm6giBflQYP/IOYmrBbQm+PWxc1IyyI3G6NEt3gUh G4EsYcFF3w6kW4Mv4EMLOCfnBydFjFFVfBFNhFbxfio9f0W5fKoZNbsCd7xeSeRaaG l2TEZmsNgernS2AQ3s5m/PdAJjR1bctTiEl/bnRb08j6YYXtzwFUgeYM/2GCJjBNF7 APrfMqJljngF5nK6yvXWmikMfw7h0z/fUyQD1CkbHKgKiR/PcIvDKMt8O/7//lQ7E/ 67xGStzgNE0ng== Received: by mail-ej1-f48.google.com with SMTP id p15so54538634ejc.7 for ; Wed, 23 Feb 2022 11:45:05 -0800 (PST) X-Gm-Message-State: AOAM532GD6e/fQsnNZUX9vPMEChj5IfSwO4BCHNAREewm/RUkruoy2yW b8HLfdZIC389Xd7aQC8wPb901znsT6kEZT5tZB1Fag== X-Received: by 2002:a17:906:646:b0:6ce:a6fb:2854 with SMTP id t6-20020a170906064600b006cea6fb2854mr893331ejb.675.1645645503667; Wed, 23 Feb 2022 11:45:03 -0800 (PST) MIME-Version: 1.0 References: <20220207121800.5079-1-mkoutny@suse.com> <20220215101150.GD21589@blackbody.suse.cz> <87zgmi5rhm.fsf@email.froward.int.ebiederm.org> <87fso91n0v.fsf_-_@email.froward.int.ebiederm.org> In-Reply-To: <87fso91n0v.fsf_-_@email.froward.int.ebiederm.org> From: Andy Lutomirski Date: Wed, 23 Feb 2022 11:44:51 -0800 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: How should rlimits, suid exec, and capabilities interact? To: "Eric W. Biederman" Cc: linux-api@vger.kernel.org, Etienne Dechamps , Alexey Gladkov , Kees Cook , Shuah Khan , Christian Brauner , Solar Designer , Ran Xiaokai , linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, Linux Containers , =?UTF-8?Q?Michal_Koutn=C3=BD?= , security@kernel.org, Neil Brown , NeilBrown , "Serge E. Hallyn" , Jann Horn Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-2.3 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,MAILING_LIST_MULTI, RDNS_NONE,SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Feb 23, 2022 at 10:00 AM Eric W. Biederman wrote: > > > [CC'd the security list because I really don't know who the right people > are to drag into this discussion] > > While looking at some issues that have cropped up with making it so > that RLIMIT_NPROC cannot be escaped by creating a user namespace I have > stumbled upon a very old issue of how rlimits and suid exec interact > poorly. Once upon a time, these resource limits were effectively the only way to control memory consumption and consumption of historically limited resources like processes. (The scheduler used to have serious issues with too many processes -- this is not so true any more. And without cgroups, too many processes could use too much CPU collectively.) This all worked pretty poorly. Now we have cgroups, fancy memory accounting, etc. So I'm wondering if NPROC is even useful anymore. I don't have a brilliant idea of how to deprecate it, but I think it wouldn't be entirely nuts to take it much less seriously and maybe even eventually get rid of it. I doubt there is much existing userspace that would break if a previously failing fork() started succeeding. --Andy]