From e11f0ae388f227d7ad03953e19034dec55286650 Mon Sep 17 00:00:00 2001 From: "Eric W. Biederman" Date: Fri, 25 Jan 2013 16:48:31 -0800 Subject: userns: Recommend use of memory control groups. In the help text describing user namespaces recommend use of memory control groups. In many cases memory control groups are the only mechanism there is to limit how much memory a user who can create user namespaces can use. Acked-by: Serge Hallyn Signed-off-by: Eric W. Biederman --- init/Kconfig | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'init') diff --git a/init/Kconfig b/init/Kconfig index 7d30240e5bfe..c8c58bddfed3 100644 --- a/init/Kconfig +++ b/init/Kconfig @@ -1035,6 +1035,13 @@ config USER_NS help This allows containers, i.e. vservers, to use user namespaces to provide different user info for different servers. + + When user namespaces are enabled in the kernel it is + recommended that the MEMCG and MEMCG_KMEM options also be + enabled and that user-space use the memory control groups to + limit the amount of memory a memory unprivileged users can + use. + If unsure, say N. config PID_NS -- cgit v1.2.3 From d5ea055f1cc0ff6d4170c7f60f3cb5eb09d927bc Mon Sep 17 00:00:00 2001 From: "Eric W. Biederman" Date: Thu, 31 Jan 2013 04:07:20 -0800 Subject: ceph: Enable building when user namespaces are enabled. Now that conversions happen from kuids and kgids when generating ceph messages and conversion happen to kuids and kgids after receiving celph messages, and all intermediate data structures store uids and gids as type kuid_t and kgid_t it is safe to enable ceph with user namespace support enabled. Cc: Sage Weil Signed-off-by: "Eric W. Biederman" --- init/Kconfig | 1 - 1 file changed, 1 deletion(-) (limited to 'init') diff --git a/init/Kconfig b/init/Kconfig index c8c58bddfed3..7170d549159a 100644 --- a/init/Kconfig +++ b/init/Kconfig 
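Review bot: The last added help line, `limit the amount of memory a memory unprivileged users can use`, mixes a singular article with a plural noun and repeats "memory"; I would change it to `limit the amount of memory an unprivileged user can use.` The hunk touches only help text, so the MEMCG/MEMCG_KMEM recommendation is advisory and nothing in this change makes USER_NS select or depend on those options; it may be worth saying so explicitly, e.g. `Note that this is not enforced by the kernel configuration; the limits must be set up by user-space.`, so readers do not assume the kernel applies the limit on its own. The context lines of this hunk are collapsed onto one physical line on this page, so the exact wrapping of the existing help text cannot be recovered from here.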
@@ -1076,7 +1076,6 @@ config UIDGID_CONVERTED
  # Filesystems
  depends on 9P_FS = n
  depends on AFS_FS = n
- depends on CEPH_FS = n
  depends on CIFS = n
  depends on CODA_FS = n
  depends on GFS2_FS = n
-- cgit v1.2.3
From 4fa814be258169caef51e320b8b06cb3b139d4a0 Mon Sep 17 00:00:00 2001
From: "Eric W. Biederman"
Date: Wed, 30 Jan 2013 12:11:45 -0800
Subject: 9p: Allow building 9p with user namespaces enabled.
Now that the uid_t -> kuid_t, gid_t -> kgid_t conversion has been completed in 9p allow 9p to be built when user namespaces are enabled.
Cc: Eric Van Hensbergen
Cc: Ron Minnich
Cc: Latchesar Ionkov
Signed-off-by: "Eric W. Biederman"
---
 init/Kconfig | 4 ----
 1 file changed, 4 deletions(-)
(limited to 'init')
diff --git a/init/Kconfig b/init/Kconfig
index 7170d549159a..394d24f99efe 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -1070,11 +1070,7 @@ config UIDGID_CONVERTED
  bool
  default y
 
- # Networking
- depends on NET_9P = n
-
  # Filesystems
- depends on 9P_FS = n
  depends on AFS_FS = n
  depends on CIFS = n
  depends on CODA_FS = n
-- cgit v1.2.3
From a0a5386ac6400493cc2eb8b58583e56af0708730 Mon Sep 17 00:00:00 2001
From: "Eric W. Biederman"
Date: Tue, 7 Feb 2012 16:20:48 -0800
Subject: afs: Support interacting with multiple user namespaces
Modify struct afs_file_status to store owner as a kuid_t and group as a kgid_t. In xdr_decode_AFSFetchStatus as owner is now a kuid_t and group is now a kgid_t don't use the EXTRACT macro. Instead perform the work of the extract macro explicitly. Read the value with ntohl and convert it to the appropriate type with make_kuid or make_kgid. Test if the value is different from what is stored in status and update changed. Update the value in status. In xdr_encode_AFS_StoreStatus call from_kuid or from_kgid as we are computing the on the wire encoding. Initialize uids with GLOBAL_ROOT_UID instead of 0. Initialize gids with GLOBAL_ROOT_GID instead of 0.
Cc: David Howells
Acked-by: Serge Hallyn
Signed-off-by: Eric W. Biederman
---
 init/Kconfig | 1 -
 1 file changed, 1 deletion(-)
(limited to 'init')
diff --git a/init/Kconfig b/init/Kconfig
index 394d24f99efe..4570b02abcc5 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -1071,7 +1071,6 @@ config UIDGID_CONVERTED
  default y
 
  # Filesystems
- depends on AFS_FS = n
  depends on CIFS = n
  depends on CODA_FS = n
  depends on GFS2_FS = n
-- cgit v1.2.3
From 515ee7bd9758208dea081dbc933400d6be81028a Mon Sep 17 00:00:00 2001
From: "Eric W. Biederman"
Date: Wed, 30 Jan 2013 19:43:05 -0800
Subject: coda: Allow coda to be built when user namespace support is enabled
Now that the coda kernel to userspace has been modified to convert between kuids and kgids and uids and gids, and all internal coda structures have be modified to store uids and gids as kuids and kgids it is safe to allow code to be built with user namespace support enabled.
Cc: Jan Harkes
Signed-off-by: "Eric W. Biederman"
---
 init/Kconfig | 1 -
 1 file changed, 1 deletion(-)
(limited to 'init')
diff --git a/init/Kconfig b/init/Kconfig
index 4570b02abcc5..f516d52f93c8 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -1072,7 +1072,6 @@ config UIDGID_CONVERTED
 
  # Filesystems
  depends on CIFS = n
- depends on CODA_FS = n
  depends on GFS2_FS = n
  depends on NCP_FS = n
  depends on NFSD = n
-- cgit v1.2.3
From ecb528e3ea208750693731538411f86f78a4d965 Mon Sep 17 00:00:00 2001
From: "Eric W. Biederman"
Date: Thu, 31 Jan 2013 17:36:56 -0800
Subject: ocfs2: Enable building with user namespaces enabled
Now that ocfs2 has been converted to store uids and gids in kuid_t and kgid_t and all of the conversions have been added to the appropriate places it is safe to allow building and using ocfs2 with user namespace support enabled.
Cc: Mark Fasheh
Cc: Joel Becker
Signed-off-by: "Eric W. Biederman"
---
 init/Kconfig | 1 -
 1 file changed, 1 deletion(-)
(limited to 'init')
diff --git a/init/Kconfig b/init/Kconfig
index f516d52f93c8..9cb63c94cab8 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -1076,7 +1076,6 @@ config UIDGID_CONVERTED
  depends on NCP_FS = n
  depends on NFSD = n
  depends on NFS_FS = n
- depends on OCFS2_FS = n
  depends on XFS_FS = n
 
 config UIDGID_STRICT_TYPE_CHECKS
-- cgit v1.2.3
From 0f07bd3753e25c80fe24428273c791f350b3a1eb Mon Sep 17 00:00:00 2001
From: "Eric W. Biederman"
Date: Thu, 31 Jan 2013 22:17:00 -0800
Subject: gfs2: Enable building with user namespaces enabled
Now that all of the necessary work has been done to push kuids and kgids throughout gfs2 and to convert between kuids and kgids when reading and writing the on disk structures it is safe to enable gfs2 when multiple user namespaces are enabled.
Cc: Steven Whitehouse
Signed-off-by: "Eric W. Biederman"
---
 init/Kconfig | 1 -
 1 file changed, 1 deletion(-)
(limited to 'init')
diff --git a/init/Kconfig b/init/Kconfig
index 9cb63c94cab8..591fc75710b3 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -1072,7 +1072,6 @@ config UIDGID_CONVERTED
 
  # Filesystems
  depends on CIFS = n
- depends on GFS2_FS = n
  depends on NCP_FS = n
  depends on NFSD = n
  depends on NFS_FS = n
-- cgit v1.2.3
From 1ac7fd8190b79c822631ed537186fb8b2d9e9b74 Mon Sep 17 00:00:00 2001
From: "Eric W. Biederman"
Date: Tue, 7 Feb 2012 16:28:28 -0800
Subject: ncpfs: Support interacting with multiple user namespaces
ncpfs does not natively support uids and gids so this conversion was simply a matter of updating the the type of the mounteduid, the uid and the gid on the superblock. Fixing the ioctls that read them, updating the mount option parser and the mount option printer.
Cc: Petr Vandrovec
Acked-by: Serge Hallyn
Signed-off-by: Eric W. Biederman
---
 init/Kconfig | 1 -
 1 file changed, 1 deletion(-)
(limited to 'init')
diff --git a/init/Kconfig b/init/Kconfig
index 591fc75710b3..b526f4c35b95 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -1072,7 +1072,6 @@ config UIDGID_CONVERTED
 
  # Filesystems
  depends on CIFS = n
- depends on NCP_FS = n
  depends on NFSD = n
  depends on NFS_FS = n
  depends on XFS_FS = n
-- cgit v1.2.3
From 4277bbf750d95a4c86925fa8f8956568b4912d43 Mon Sep 17 00:00:00 2001
From: "Eric W. Biederman"
Date: Sat, 2 Feb 2013 06:59:11 -0800
Subject: nfs: Enable building with user namespaces enabled.
Now that the kuids and kgids conversion have propogated through net/sunrpc/ and the fs/nfs/ it is safe to enable building nfs when user namespaces are enabled.
Cc: "J. Bruce Fields"
Cc: Trond Myklebust
Signed-off-by: "Eric W. Biederman"
---
 init/Kconfig | 1 -
 1 file changed, 1 deletion(-)
(limited to 'init')
diff --git a/init/Kconfig b/init/Kconfig
index b526f4c35b95..d7b926abe91f 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -1073,7 +1073,6 @@ config UIDGID_CONVERTED
  # Filesystems
  depends on CIFS = n
  depends on NFSD = n
- depends on NFS_FS = n
  depends on XFS_FS = n
 
 config UIDGID_STRICT_TYPE_CHECKS
-- cgit v1.2.3
From c9617a44b39d75b2098283d56355d02d4d5bee8b Mon Sep 17 00:00:00 2001
From: "Eric W. Biederman"
Date: Sat, 2 Feb 2013 07:00:40 -0800
Subject: nfsd: Enable building with user namespaces enabled.
Now that the kuids and kgids conversion have propogated through net/sunrpc/ and the fs/nfsd/ it is safe to enable building nfsd when user namespaces are enabled.
Cc: "J. Bruce Fields"
Cc: Trond Myklebust
Signed-off-by: "Eric W. Biederman"
---
 init/Kconfig | 1 -
 1 file changed, 1 deletion(-)
(limited to 'init')
diff --git a/init/Kconfig b/init/Kconfig
index d7b926abe91f..69c5ccce55e7 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -1072,7 +1072,6 @@ config UIDGID_CONVERTED
 
  # Filesystems
  depends on CIFS = n
- depends on NFSD = n
  depends on XFS_FS = n
 
 config UIDGID_STRICT_TYPE_CHECKS
-- cgit v1.2.3
From 139321c65c0584cd65c4c87a5eb3fdb4fdbd0e19 Mon Sep 17 00:00:00 2001
From: "Eric W. Biederman"
Date: Wed, 6 Feb 2013 02:31:39 -0800
Subject: cifs: Enable building with user namespaces enabled.
Cc: Steve French
Signed-off-by: "Eric W. Biederman"
---
 init/Kconfig | 1 -
 1 file changed, 1 deletion(-)
(limited to 'init')
diff --git a/init/Kconfig b/init/Kconfig
index 69c5ccce55e7..b2de5edee0ce 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -1071,7 +1071,6 @@ config UIDGID_CONVERTED
  default y
 
  # Filesystems
- depends on CIFS = n
  depends on XFS_FS = n
 
 config UIDGID_STRICT_TYPE_CHECKS
-- cgit v1.2.3