userns; Document per user per user namespace limits.

Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
author: Eric W. Biederman <ebiederm@xmission.com> 2016-09-22 13:52:03 -0400
committer: Eric W. Biederman <ebiederm@xmission.com> 2016-09-22 13:52:03 -0400
commit: 9c722e406a64db181f6a7b53a19a58fe61501f99 (patch)
tree: b76e85670a7081f720e726a48342ed8f7ed9ebaa
parent: 537f7ccb396804c6d0057b93ba8eb104ba44f851 (diff)
2 files changed, 67 insertions, 0 deletions
diff --git a/Documentation/sysctl/README b/Documentation/sysctl/README
index 8c3306e01d52..91f54ffa0077 100644
--- a/Documentation/sysctl/README
+++ b/Documentation/sysctl/README
@@ -69,6 +69,7 @@ proc/		<empty>
 sunrpc/         SUN Remote Procedure Call (NFS)
 vm/             memory management tuning
                buffer and cache management
+user/           Per user per user namespace limits
 These are the subdirs I have on my system. There might be more
 or other subdirs in another setup. If you see another dir, I'd
diff --git a/Documentation/sysctl/user.txt b/Documentation/sysctl/user.txt
new file mode 100644
index 000000000000..1291c498f78f
--- /dev/null
+++ b/Documentation/sysctl/user.txt
@@ -0,0 +1,66 @@
+Documentation for /proc/sys/user/*      kernel version 4.9.0
+        (c) 2016                Eric Biederman <ebiederm@xmission.com>
+==============================================================
+This file contains the documetation for the sysctl files in
+/proc/sys/user.
+The files in this directory can be used to override the default
+limits on the number of namespaces and other objects that have
+per user per user namespace limits.
+The primary purpose of these limits is to stop programs that
+malfunction and attempt to create a ridiculous number of objects,
+before the malfunction becomes a system wide problem.  It is the
+intention that the defaults of these limits are set high enough that
+no program in normal operation should run into these limits.
+The creation of per user per user namespace objects are charged to
+the user in the user namespace who created the object and
+verified to be below the per user limit in that user namespace.
+The creation of objects is also charged to all of the users
+who created user namespaces the creation of the object happens
+in (user namespaces can be nested) and verified to be below the per user
+limits in the user namespaces of those users.
+This recursive counting of created objects ensures that creating a
+user namespace does not allow a user to escape their current limits.
+Currently, these files are in /proc/sys/user:
+- max_cgroup_namespaces
+  The maximum number of cgroup namespaces that any user in the current
+  user namespace may create.
+- max_ipc_namespaces
+  The maximum number of ipc namespaces that any user in the current
+  user namespace may create.
+- max_mnt_namespaces
+  The maximum number of mount namespaces that any user in the current
+  user namespace may create.
+- max_net_namespaces
+  The maximum number of network namespaces that any user in the
+  current user namespace may create.
+- max_pid_namespaces
+  The maximum number of pid namespaces that any user in the current
+  user namespace may create.
+- max_user_namespaces
+  The maximum number of user namespaces that any user in the current
+  user namespace may create.
+- max_uts_namespaces
+  The maximum number of user namespaces that any user in the current
+  user namespace may create.
author	Eric W. Biederman <ebiederm@xmission.com>	2016-09-22 13:52:03 -0400
committer	Eric W. Biederman <ebiederm@xmission.com>	2016-09-22 13:52:03 -0400
commit	9c722e406a64db181f6a7b53a19a58fe61501f99 (patch)
tree	b76e85670a7081f720e726a48342ed8f7ed9ebaa
parent	537f7ccb396804c6d0057b93ba8eb104ba44f851 (diff)

diff --git a/Documentation/sysctl/README b/Documentation/sysctl/README index 8c3306e01d52..91f54ffa0077 100644 --- a/Documentation/sysctl/README +++ b/Documentation/sysctl/README
@@ -69,6 +69,7 @@ proc/ <empty>
69	sunrpc/ SUN Remote Procedure Call (NFS)	69	sunrpc/ SUN Remote Procedure Call (NFS)
70	vm/ memory management tuning	70	vm/ memory management tuning
71	buffer and cache management	71	buffer and cache management
		72	user/ Per user per user namespace limits
72		73
73	These are the subdirs I have on my system. There might be more	74	These are the subdirs I have on my system. There might be more
74	or other subdirs in another setup. If you see another dir, I'd	75	or other subdirs in another setup. If you see another dir, I'd


diff --git a/Documentation/sysctl/user.txt b/Documentation/sysctl/user.txt new file mode 100644 index 000000000000..1291c498f78f --- /dev/null +++ b/Documentation/sysctl/user.txt
@@ -0,0 +1,66 @@
		1	Documentation for /proc/sys/user/* kernel version 4.9.0
		2	(c) 2016 Eric Biederman <ebiederm@xmission.com>
		3
		4	==============================================================
		5
		6	This file contains the documetation for the sysctl files in
		7	/proc/sys/user.
		8
		9	The files in this directory can be used to override the default
		10	limits on the number of namespaces and other objects that have
		11	per user per user namespace limits.
		12
		13	The primary purpose of these limits is to stop programs that
		14	malfunction and attempt to create a ridiculous number of objects,
		15	before the malfunction becomes a system wide problem. It is the
		16	intention that the defaults of these limits are set high enough that
		17	no program in normal operation should run into these limits.
		18
		19	The creation of per user per user namespace objects are charged to
		20	the user in the user namespace who created the object and
		21	verified to be below the per user limit in that user namespace.
		22
		23	The creation of objects is also charged to all of the users
		24	who created user namespaces the creation of the object happens
		25	in (user namespaces can be nested) and verified to be below the per user
		26	limits in the user namespaces of those users.
		27
		28	This recursive counting of created objects ensures that creating a
		29	user namespace does not allow a user to escape their current limits.
		30
		31	Currently, these files are in /proc/sys/user:
		32
		33	- max_cgroup_namespaces
		34
		35	The maximum number of cgroup namespaces that any user in the current
		36	user namespace may create.
		37
		38	- max_ipc_namespaces
		39
		40	The maximum number of ipc namespaces that any user in the current
		41	user namespace may create.
		42
		43	- max_mnt_namespaces
		44
		45	The maximum number of mount namespaces that any user in the current
		46	user namespace may create.
		47
		48	- max_net_namespaces
		49
		50	The maximum number of network namespaces that any user in the
		51	current user namespace may create.
		52
		53	- max_pid_namespaces
		54
		55	The maximum number of pid namespaces that any user in the current
		56	user namespace may create.
		57
		58	- max_user_namespaces
		59
		60	The maximum number of user namespaces that any user in the current
		61	user namespace may create.
		62
		63	- max_uts_namespaces
		64
		65	The maximum number of user namespaces that any user in the current
		66	user namespace may create.