forked from mirrors/linux
14986a34e1
Pull namespace updates from Eric Biederman:
"This set of changes is a number of smaller things that have been
overlooked in other development cycles focused on more fundamental
change. The devpts changes are small things that were a distraction
until we managed to kill off DEVPTS_MULTPLE_INSTANCES. There is an
trivial regression fix to autofs for the unprivileged mount changes
that went in last cycle. A pair of ioctls has been added by Andrey
Vagin making it is possible to discover the relationships between
namespaces when referring to them through file descriptors.
The big user visible change is starting to add simple resource limits
to catch programs that misbehave. With namespaces in general and user
namespaces in particular allowing users to use more kinds of
resources, it has become important to have something to limit errant
programs. Because the purpose of these limits is to catch errant
programs the code needs to be inexpensive to use as it always on, and
the default limits need to be high enough that well behaved programs
on well behaved systems don't encounter them.
To this end, after some review I have implemented per user per user
namespace limits, and use them to limit the number of namespaces. The
limits being per user mean that one user can not exhause the limits of
another user. The limits being per user namespace allow contexts where
the limit is 0 and security conscious folks can remove from their
threat anlysis the code used to manage namespaces (as they have
historically done as it root only). At the same time the limits being
per user namespace allow other parts of the system to use namespaces.
Namespaces are increasingly being used in application sand boxing
scenarios so an all or nothing disable for the entire system for the
security conscious folks makes increasing use of these sandboxes
impossible.
There is also added a limit on the maximum number of mounts present in
a single mount namespace. It is nontrivial to guess what a reasonable
system wide limit on the number of mount structure in the kernel would
be, especially as it various based on how a system is using
containers. A limit on the number of mounts in a mount namespace
however is much easier to understand and set. In most cases in
practice only about 1000 mounts are used. Given that some autofs
scenarious have the potential to be 30,000 to 50,000 mounts I have set
the default limit for the number of mounts at 100,000 which is well
above every known set of users but low enough that the mount hash
tables don't degrade unreaonsably.
These limits are a start. I expect this estabilishes a pattern that
other limits for resources that namespaces use will follow. There has
been interest in making inotify event limits per user per user
namespace as well as interest expressed in making details about what
is going on in the kernel more visible"
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace: (28 commits)
autofs: Fix automounts by using current_real_cred()->uid
mnt: Add a per mount namespace limit on the number of mounts
netns: move {inc,dec}_net_namespaces into #ifdef
nsfs: Simplify __ns_get_path
tools/testing: add a test to check nsfs ioctl-s
nsfs: add ioctl to get a parent namespace
nsfs: add ioctl to get an owning user namespace for ns file descriptor
kernel: add a helper to get an owning user namespace for a namespace
devpts: Change the owner of /dev/pts/ptmx to the mounter of /dev/pts
devpts: Remove sync_filesystems
devpts: Make devpts_kill_sb safe if fsi is NULL
devpts: Simplify devpts_mount by using mount_nodev
devpts: Move the creation of /dev/pts/ptmx into fill_super
devpts: Move parse_mount_options into fill_super
userns: When the per user per user namespace limit is reached return ENOSPC
userns; Document per user per user namespace limits.
mntns: Add a limit on the number of mount namespaces.
netns: Add a limit on the number of net namespaces
cgroupns: Add a limit on the number of cgroup namespaces
ipcns: Add a limit on the number of ipc namespaces
...
227 lines
6.9 KiB
C
227 lines
6.9 KiB
C
/*
|
|
* sysctl.h: General linux system control interface
|
|
*
|
|
* Begun 24 March 1995, Stephen Tweedie
|
|
*
|
|
****************************************************************
|
|
****************************************************************
|
|
**
|
|
** WARNING:
|
|
** The values in this file are exported to user space via
|
|
** the sysctl() binary interface. Do *NOT* change the
|
|
** numbering of any existing values here, and do not change
|
|
** any numbers within any one set of values. If you have to
|
|
** redefine an existing interface, use a new number for it.
|
|
** The kernel will then return -ENOTDIR to any application using
|
|
** the old binary interface.
|
|
**
|
|
****************************************************************
|
|
****************************************************************
|
|
*/
|
|
#ifndef _LINUX_SYSCTL_H
|
|
#define _LINUX_SYSCTL_H
|
|
|
|
#include <linux/list.h>
|
|
#include <linux/rcupdate.h>
|
|
#include <linux/wait.h>
|
|
#include <linux/rbtree.h>
|
|
#include <linux/uidgid.h>
|
|
#include <uapi/linux/sysctl.h>
|
|
|
|
/* For the /proc/sys support */
|
|
struct completion;
|
|
struct ctl_table;
|
|
struct nsproxy;
|
|
struct ctl_table_root;
|
|
struct ctl_table_header;
|
|
struct ctl_dir;
|
|
|
|
typedef int proc_handler (struct ctl_table *ctl, int write,
|
|
void __user *buffer, size_t *lenp, loff_t *ppos);
|
|
|
|
extern int proc_dostring(struct ctl_table *, int,
|
|
void __user *, size_t *, loff_t *);
|
|
extern int proc_dointvec(struct ctl_table *, int,
|
|
void __user *, size_t *, loff_t *);
|
|
extern int proc_douintvec(struct ctl_table *, int,
|
|
void __user *, size_t *, loff_t *);
|
|
extern int proc_dointvec_minmax(struct ctl_table *, int,
|
|
void __user *, size_t *, loff_t *);
|
|
extern int proc_dointvec_jiffies(struct ctl_table *, int,
|
|
void __user *, size_t *, loff_t *);
|
|
extern int proc_dointvec_userhz_jiffies(struct ctl_table *, int,
|
|
void __user *, size_t *, loff_t *);
|
|
extern int proc_dointvec_ms_jiffies(struct ctl_table *, int,
|
|
void __user *, size_t *, loff_t *);
|
|
extern int proc_doulongvec_minmax(struct ctl_table *, int,
|
|
void __user *, size_t *, loff_t *);
|
|
extern int proc_doulongvec_ms_jiffies_minmax(struct ctl_table *table, int,
|
|
void __user *, size_t *, loff_t *);
|
|
extern int proc_do_large_bitmap(struct ctl_table *, int,
|
|
void __user *, size_t *, loff_t *);
|
|
|
|
/*
|
|
* Register a set of sysctl names by calling register_sysctl_table
|
|
* with an initialised array of struct ctl_table's. An entry with
|
|
* NULL procname terminates the table. table->de will be
|
|
* set up by the registration and need not be initialised in advance.
|
|
*
|
|
* sysctl names can be mirrored automatically under /proc/sys. The
|
|
* procname supplied controls /proc naming.
|
|
*
|
|
* The table's mode will be honoured both for sys_sysctl(2) and
|
|
* proc-fs access.
|
|
*
|
|
* Leaf nodes in the sysctl tree will be represented by a single file
|
|
* under /proc; non-leaf nodes will be represented by directories. A
|
|
* null procname disables /proc mirroring at this node.
|
|
*
|
|
* sysctl(2) can automatically manage read and write requests through
|
|
* the sysctl table. The data and maxlen fields of the ctl_table
|
|
* struct enable minimal validation of the values being written to be
|
|
* performed, and the mode field allows minimal authentication.
|
|
*
|
|
* There must be a proc_handler routine for any terminal nodes
|
|
* mirrored under /proc/sys (non-terminals are handled by a built-in
|
|
* directory handler). Several default handlers are available to
|
|
* cover common cases.
|
|
*/
|
|
|
|
/* Support for userspace poll() to watch for changes */
|
|
struct ctl_table_poll {
|
|
atomic_t event;
|
|
wait_queue_head_t wait;
|
|
};
|
|
|
|
static inline void *proc_sys_poll_event(struct ctl_table_poll *poll)
|
|
{
|
|
return (void *)(unsigned long)atomic_read(&poll->event);
|
|
}
|
|
|
|
#define __CTL_TABLE_POLL_INITIALIZER(name) { \
|
|
.event = ATOMIC_INIT(0), \
|
|
.wait = __WAIT_QUEUE_HEAD_INITIALIZER(name.wait) }
|
|
|
|
#define DEFINE_CTL_TABLE_POLL(name) \
|
|
struct ctl_table_poll name = __CTL_TABLE_POLL_INITIALIZER(name)
|
|
|
|
/* A sysctl table is an array of struct ctl_table: */
|
|
struct ctl_table
|
|
{
|
|
const char *procname; /* Text ID for /proc/sys, or zero */
|
|
void *data;
|
|
int maxlen;
|
|
umode_t mode;
|
|
struct ctl_table *child; /* Deprecated */
|
|
proc_handler *proc_handler; /* Callback for text formatting */
|
|
struct ctl_table_poll *poll;
|
|
void *extra1;
|
|
void *extra2;
|
|
};
|
|
|
|
struct ctl_node {
|
|
struct rb_node node;
|
|
struct ctl_table_header *header;
|
|
};
|
|
|
|
/* struct ctl_table_header is used to maintain dynamic lists of
|
|
struct ctl_table trees. */
|
|
struct ctl_table_header
|
|
{
|
|
union {
|
|
struct {
|
|
struct ctl_table *ctl_table;
|
|
int used;
|
|
int count;
|
|
int nreg;
|
|
};
|
|
struct rcu_head rcu;
|
|
};
|
|
struct completion *unregistering;
|
|
struct ctl_table *ctl_table_arg;
|
|
struct ctl_table_root *root;
|
|
struct ctl_table_set *set;
|
|
struct ctl_dir *parent;
|
|
struct ctl_node *node;
|
|
};
|
|
|
|
struct ctl_dir {
|
|
/* Header must be at the start of ctl_dir */
|
|
struct ctl_table_header header;
|
|
struct rb_root root;
|
|
};
|
|
|
|
struct ctl_table_set {
|
|
int (*is_seen)(struct ctl_table_set *);
|
|
struct ctl_dir dir;
|
|
};
|
|
|
|
struct ctl_table_root {
|
|
struct ctl_table_set default_set;
|
|
struct ctl_table_set *(*lookup)(struct ctl_table_root *root);
|
|
void (*set_ownership)(struct ctl_table_header *head,
|
|
struct ctl_table *table,
|
|
kuid_t *uid, kgid_t *gid);
|
|
int (*permissions)(struct ctl_table_header *head, struct ctl_table *table);
|
|
};
|
|
|
|
/* struct ctl_path describes where in the hierarchy a table is added */
|
|
struct ctl_path {
|
|
const char *procname;
|
|
};
|
|
|
|
#ifdef CONFIG_SYSCTL
|
|
|
|
void proc_sys_poll_notify(struct ctl_table_poll *poll);
|
|
|
|
extern void setup_sysctl_set(struct ctl_table_set *p,
|
|
struct ctl_table_root *root,
|
|
int (*is_seen)(struct ctl_table_set *));
|
|
extern void retire_sysctl_set(struct ctl_table_set *set);
|
|
|
|
void register_sysctl_root(struct ctl_table_root *root);
|
|
struct ctl_table_header *__register_sysctl_table(
|
|
struct ctl_table_set *set,
|
|
const char *path, struct ctl_table *table);
|
|
struct ctl_table_header *__register_sysctl_paths(
|
|
struct ctl_table_set *set,
|
|
const struct ctl_path *path, struct ctl_table *table);
|
|
struct ctl_table_header *register_sysctl(const char *path, struct ctl_table *table);
|
|
struct ctl_table_header *register_sysctl_table(struct ctl_table * table);
|
|
struct ctl_table_header *register_sysctl_paths(const struct ctl_path *path,
|
|
struct ctl_table *table);
|
|
|
|
void unregister_sysctl_table(struct ctl_table_header * table);
|
|
|
|
extern int sysctl_init(void);
|
|
|
|
extern struct ctl_table sysctl_mount_point[];
|
|
|
|
#else /* CONFIG_SYSCTL */
|
|
static inline struct ctl_table_header *register_sysctl_table(struct ctl_table * table)
|
|
{
|
|
return NULL;
|
|
}
|
|
|
|
static inline struct ctl_table_header *register_sysctl_paths(
|
|
const struct ctl_path *path, struct ctl_table *table)
|
|
{
|
|
return NULL;
|
|
}
|
|
|
|
static inline void unregister_sysctl_table(struct ctl_table_header * table)
|
|
{
|
|
}
|
|
|
|
static inline void setup_sysctl_set(struct ctl_table_set *p,
|
|
struct ctl_table_root *root,
|
|
int (*is_seen)(struct ctl_table_set *))
|
|
{
|
|
}
|
|
|
|
#endif /* CONFIG_SYSCTL */
|
|
|
|
int sysctl_max_threads(struct ctl_table *table, int write,
|
|
void __user *buffer, size_t *lenp, loff_t *ppos);
|
|
|
|
#endif /* _LINUX_SYSCTL_H */
|