Re: [PATCH/RFC] user_ns: fix missing limiting of user_ns counts

2012-12-30 Thread Vasily Kulikov
On Fri, Dec 28, 2012 at 20:05 -0800, Eric W. Biederman wrote: > > A related issue which is NOT FIXED HERE is limits for all resources > > available for containerized pseudo roots. E.g. I succeeded creating > > thousands of veth network devices without problems by a non-root user, > > there seems n

Re: [PATCH/RFC] user_ns: fix missing limiting of user_ns counts

2012-12-28 Thread Vasily Kulikov
On Fri, Dec 28, 2012 at 20:05 -0800, Eric W. Biederman wrote: > Vasily Kulikov writes: > > > Currently there is completely no limiting in number of user namespaces > > created by unprivileged users. One can freely create thousands of > > user_ns'es and exhaust kernel memory without even bumping

Re: [PATCH/RFC] user_ns: fix missing limiting of user_ns counts

2012-12-28 Thread Al Viro
On Fri, Dec 28, 2012 at 08:05:32PM -0800, Eric W. Biederman wrote: > Yes. Gcc can't turn a tail call into a jump in even the most basic > cases apparently. What. The. Fuck? You have introduced unlimited recursion on kernel stack. OK, it's unpleasant, but it can happen to anybody. But then y

Re: [PATCH/RFC] user_ns: fix missing limiting of user_ns counts

2012-12-28 Thread Eric W. Biederman
Vasily Kulikov writes: > Currently there is completely no limiting in number of user namespaces > created by unprivileged users. One can freely create thousands of > user_ns'es and exhaust kernel memory without even bumping in > RLIMIT_NPROC or similar. First for a proper sense of scale it will

Re: [PATCH/RFC] user_ns: fix missing limiting of user_ns counts

2012-12-28 Thread Al Viro
On Fri, Dec 28, 2012 at 11:04:35PM +0400, Vasily Kulikov wrote: > > I'm sorry, but this is not a solution. Kernel is not x86-only; there are > > architectures with far bigger minimal stack frame size. E.g. on sparc64 > > every fucking stack frame is at least 176 bytes. So your 100 calls deep >

Re: [PATCH/RFC] user_ns: fix missing limiting of user_ns counts

2012-12-28 Thread Vasily Kulikov
On Fri, Dec 28, 2012 at 18:43 +, Al Viro wrote: > On Fri, Dec 28, 2012 at 09:56:27PM +0400, Vasily Kulikov wrote: > > The included patch is a basic fix for both or them. Both values are > > hardcoded here to 100 max depth and 1000 max in total. I'm not sure how > > better to make them configu

Re: [PATCH/RFC] user_ns: fix missing limiting of user_ns counts

2012-12-28 Thread Al Viro
On Fri, Dec 28, 2012 at 09:56:27PM +0400, Vasily Kulikov wrote: > The included patch is a basic fix for both or them. Both values are > hardcoded here to 100 max depth and 1000 max in total. I'm not sure how > better to make them configurable. Looks like it needs some sysctl value > like kernel.

[PATCH/RFC] user_ns: fix missing limiting of user_ns counts

2012-12-28 Thread Vasily Kulikov
Currently there is completely no limiting in number of user namespaces created by unprivileged users. One can freely create thousands of user_ns'es and exhaust kernel memory without even bumping in RLIMIT_NPROC or similar. Even more -- it allows user to overflow kernel stack theoretically allowin