Mirror of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ https://git.shady.money/linux/atom?h=v4.9 2016-08-31T12:28:35Z 2016-08-31T12:28:35Z Eric W. Biederman ebiederm@xmission.com 2016-08-08T19:37:37Z urn:sha1:537f7ccb396804c6d0057b93ba8eb104ba44f851 v2: Fixed the very obvious lack of setting ucounts on struct mnt_ns reported by Andrei Vagin, and the kbuild test report. Reported-by: Andrei Vagin <avagin@openvz.org> Acked-by: Kees Cook <keescook@chromium.org> Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> 2016-08-08T19:42:04Z Eric W. Biederman ebiederm@xmission.com 2016-08-08T19:33:23Z urn:sha1:703286608a220d53584cca5986aad5305eec75ed Acked-by: Kees Cook <keescook@chromium.org> Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> 2016-08-08T19:42:03Z Eric W. Biederman ebiederm@xmission.com 2016-08-08T19:25:30Z urn:sha1:d08311dd6fd8444e39710dd2fb97562895aed8fa Acked-by: Kees Cook <keescook@chromium.org> Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> 2016-08-08T19:42:03Z Eric W. Biederman ebiederm@xmission.com 2016-08-08T19:20:23Z urn:sha1:aba356616386e6e573a34c6d64ed12443686e5c8 Acked-by: Kees Cook <keescook@chromium.org> Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> 2016-08-08T19:42:02Z Eric W. Biederman ebiederm@xmission.com 2016-08-08T19:11:25Z urn:sha1:f7af3d1c03136275b876f58644599b120cf4ffdd Acked-by: Kees Cook <keescook@chromium.org> Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> 2016-08-08T19:42:01Z Eric W. Biederman ebiederm@xmission.com 2016-08-08T19:08:36Z urn:sha1:f333c700c6100b53050980986be922bb21466e29 Acked-by: Kees Cook <keescook@chromium.org> Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> 2016-08-08T19:41:52Z Eric W. Biederman ebiederm@xmission.com 2016-08-08T19:41:52Z urn:sha1:25f9c0817c535a728c1088542230fa327c577c9e The same kind of recursive sane default limit and policy countrol that has been implemented for the user namespace is desirable for the other namespaces, so generalize the user namespace refernce count into a ucount. Acked-by: Kees Cook <keescook@chromium.org> Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> 2016-08-08T19:40:30Z Eric W. Biederman ebiederm@xmission.com 2016-08-08T18:54:50Z urn:sha1:f6b2db1a3e8d141dd144df58900fb0444d5d7c53 Add a structure that is per user and per user ns and use it to hold the count of user namespaces. This makes prevents one user from creating denying service to another user by creating the maximum number of user namespaces. Rename the sysctl export of the maximum count from /proc/sys/userns/max_user_namespaces to /proc/sys/user/max_user_namespaces to reflect that the count is now per user. Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> 2016-08-08T18:41:24Z Eric W. Biederman ebiederm@xmission.com 2016-08-08T18:41:24Z urn:sha1:b376c3e1b6770ddcb4f0782be16358095fcea0b6 Export the export the maximum number of user namespaces as /proc/sys/userns/max_user_namespaces. Acked-by: Kees Cook <keescook@chromium.org> Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> 2016-08-08T18:18:58Z Eric W. Biederman ebiederm@xmission.com 2016-07-30T18:58:49Z urn:sha1:dbec28460a89aa7c02c3301e9e108d98272549d2 Limit per userns sysctls to only be opened for write by a holder of CAP_SYS_RESOURCE. Add all of the necessary boilerplate for having per user namespace sysctls. Acked-by: Kees Cook <keescook@chromium.org> Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>