mirror of
https://github.com/torvalds/linux.git
synced 2024-11-27 14:41:39 +00:00
14986a34e1
Pull namespace updates from Eric Biederman: "This set of changes is a number of smaller things that have been overlooked in other development cycles focused on more fundamental change. The devpts changes are small things that were a distraction until we managed to kill off DEVPTS_MULTPLE_INSTANCES. There is an trivial regression fix to autofs for the unprivileged mount changes that went in last cycle. A pair of ioctls has been added by Andrey Vagin making it is possible to discover the relationships between namespaces when referring to them through file descriptors. The big user visible change is starting to add simple resource limits to catch programs that misbehave. With namespaces in general and user namespaces in particular allowing users to use more kinds of resources, it has become important to have something to limit errant programs. Because the purpose of these limits is to catch errant programs the code needs to be inexpensive to use as it always on, and the default limits need to be high enough that well behaved programs on well behaved systems don't encounter them. To this end, after some review I have implemented per user per user namespace limits, and use them to limit the number of namespaces. The limits being per user mean that one user can not exhause the limits of another user. The limits being per user namespace allow contexts where the limit is 0 and security conscious folks can remove from their threat anlysis the code used to manage namespaces (as they have historically done as it root only). At the same time the limits being per user namespace allow other parts of the system to use namespaces. Namespaces are increasingly being used in application sand boxing scenarios so an all or nothing disable for the entire system for the security conscious folks makes increasing use of these sandboxes impossible. There is also added a limit on the maximum number of mounts present in a single mount namespace. It is nontrivial to guess what a reasonable system wide limit on the number of mount structure in the kernel would be, especially as it various based on how a system is using containers. A limit on the number of mounts in a mount namespace however is much easier to understand and set. In most cases in practice only about 1000 mounts are used. Given that some autofs scenarious have the potential to be 30,000 to 50,000 mounts I have set the default limit for the number of mounts at 100,000 which is well above every known set of users but low enough that the mount hash tables don't degrade unreaonsably. These limits are a start. I expect this estabilishes a pattern that other limits for resources that namespaces use will follow. There has been interest in making inotify event limits per user per user namespace as well as interest expressed in making details about what is going on in the kernel more visible" * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace: (28 commits) autofs: Fix automounts by using current_real_cred()->uid mnt: Add a per mount namespace limit on the number of mounts netns: move {inc,dec}_net_namespaces into #ifdef nsfs: Simplify __ns_get_path tools/testing: add a test to check nsfs ioctl-s nsfs: add ioctl to get a parent namespace nsfs: add ioctl to get an owning user namespace for ns file descriptor kernel: add a helper to get an owning user namespace for a namespace devpts: Change the owner of /dev/pts/ptmx to the mounter of /dev/pts devpts: Remove sync_filesystems devpts: Make devpts_kill_sb safe if fsi is NULL devpts: Simplify devpts_mount by using mount_nodev devpts: Move the creation of /dev/pts/ptmx into fill_super devpts: Move parse_mount_options into fill_super userns: When the per user per user namespace limit is reached return ENOSPC userns; Document per user per user namespace limits. mntns: Add a limit on the number of mount namespaces. netns: Add a limit on the number of net namespaces cgroupns: Add a limit on the number of cgroup namespaces ipcns: Add a limit on the number of ipc namespaces ...
130 lines
3.0 KiB
C
130 lines
3.0 KiB
C
/* -*- linux-c -*-
|
|
* sysctl_net.c: sysctl interface to net subsystem.
|
|
*
|
|
* Begun April 1, 1996, Mike Shaver.
|
|
* Added /proc/sys/net directories for each protocol family. [MS]
|
|
*
|
|
* Revision 1.2 1996/05/08 20:24:40 shaver
|
|
* Added bits for NET_BRIDGE and the NET_IPV4_ARP stuff and
|
|
* NET_IPV4_IP_FORWARD.
|
|
*
|
|
*
|
|
*/
|
|
|
|
#include <linux/mm.h>
|
|
#include <linux/export.h>
|
|
#include <linux/sysctl.h>
|
|
#include <linux/nsproxy.h>
|
|
|
|
#include <net/sock.h>
|
|
|
|
#ifdef CONFIG_INET
|
|
#include <net/ip.h>
|
|
#endif
|
|
|
|
#ifdef CONFIG_NET
|
|
#include <linux/if_ether.h>
|
|
#endif
|
|
|
|
static struct ctl_table_set *
|
|
net_ctl_header_lookup(struct ctl_table_root *root)
|
|
{
|
|
return ¤t->nsproxy->net_ns->sysctls;
|
|
}
|
|
|
|
static int is_seen(struct ctl_table_set *set)
|
|
{
|
|
return ¤t->nsproxy->net_ns->sysctls == set;
|
|
}
|
|
|
|
/* Return standard mode bits for table entry. */
|
|
static int net_ctl_permissions(struct ctl_table_header *head,
|
|
struct ctl_table *table)
|
|
{
|
|
struct net *net = container_of(head->set, struct net, sysctls);
|
|
|
|
/* Allow network administrator to have same access as root. */
|
|
if (ns_capable_noaudit(net->user_ns, CAP_NET_ADMIN)) {
|
|
int mode = (table->mode >> 6) & 7;
|
|
return (mode << 6) | (mode << 3) | mode;
|
|
}
|
|
|
|
return table->mode;
|
|
}
|
|
|
|
static void net_ctl_set_ownership(struct ctl_table_header *head,
|
|
struct ctl_table *table,
|
|
kuid_t *uid, kgid_t *gid)
|
|
{
|
|
struct net *net = container_of(head->set, struct net, sysctls);
|
|
kuid_t ns_root_uid;
|
|
kgid_t ns_root_gid;
|
|
|
|
ns_root_uid = make_kuid(net->user_ns, 0);
|
|
if (uid_valid(ns_root_uid))
|
|
*uid = ns_root_uid;
|
|
|
|
ns_root_gid = make_kgid(net->user_ns, 0);
|
|
if (gid_valid(ns_root_gid))
|
|
*gid = ns_root_gid;
|
|
}
|
|
|
|
static struct ctl_table_root net_sysctl_root = {
|
|
.lookup = net_ctl_header_lookup,
|
|
.permissions = net_ctl_permissions,
|
|
.set_ownership = net_ctl_set_ownership,
|
|
};
|
|
|
|
static int __net_init sysctl_net_init(struct net *net)
|
|
{
|
|
setup_sysctl_set(&net->sysctls, &net_sysctl_root, is_seen);
|
|
return 0;
|
|
}
|
|
|
|
static void __net_exit sysctl_net_exit(struct net *net)
|
|
{
|
|
retire_sysctl_set(&net->sysctls);
|
|
}
|
|
|
|
static struct pernet_operations sysctl_pernet_ops = {
|
|
.init = sysctl_net_init,
|
|
.exit = sysctl_net_exit,
|
|
};
|
|
|
|
static struct ctl_table_header *net_header;
|
|
__init int net_sysctl_init(void)
|
|
{
|
|
static struct ctl_table empty[1];
|
|
int ret = -ENOMEM;
|
|
/* Avoid limitations in the sysctl implementation by
|
|
* registering "/proc/sys/net" as an empty directory not in a
|
|
* network namespace.
|
|
*/
|
|
net_header = register_sysctl("net", empty);
|
|
if (!net_header)
|
|
goto out;
|
|
ret = register_pernet_subsys(&sysctl_pernet_ops);
|
|
if (ret)
|
|
goto out1;
|
|
register_sysctl_root(&net_sysctl_root);
|
|
out:
|
|
return ret;
|
|
out1:
|
|
unregister_sysctl_table(net_header);
|
|
net_header = NULL;
|
|
goto out;
|
|
}
|
|
|
|
struct ctl_table_header *register_net_sysctl(struct net *net,
|
|
const char *path, struct ctl_table *table)
|
|
{
|
|
return __register_sysctl_table(&net->sysctls, path, table);
|
|
}
|
|
EXPORT_SYMBOL_GPL(register_net_sysctl);
|
|
|
|
void unregister_net_sysctl_table(struct ctl_table_header *header)
|
|
{
|
|
unregister_sysctl_table(header);
|
|
}
|
|
EXPORT_SYMBOL_GPL(unregister_net_sysctl_table);
|