Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

userns; Document per user per user namespace limits.

Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>

+67
+1
Documentation/sysctl/README
··· 69 69 sunrpc/ SUN Remote Procedure Call (NFS) 70 70 vm/ memory management tuning 71 71 buffer and cache management 72 + user/ Per user per user namespace limits 72 73 73 74 These are the subdirs I have on my system. There might be more 74 75 or other subdirs in another setup. If you see another dir, I'd
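Review bot: the new "user/ Per user per user namespace limits" entry is appended after "vm/", but the surrounding subdirectory listing in this README is alphabetical ("sunrpc/" precedes "vm/"), so the entry belongs between "sunrpc/" and "vm/"; suggest moving it up one line so the list stays sorted.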
+66
Documentation/sysctl/user.txt
··· 1 + Documentation for /proc/sys/user/* kernel version 4.9.0 2 + (c) 2016 Eric Biederman <ebiederm@xmission.com> 3 + 4 + ============================================================== 5 + 6 + This file contains the documetation for the sysctl files in 7 + /proc/sys/user. 8 + 9 + The files in this directory can be used to override the default 10 + limits on the number of namespaces and other objects that have 11 + per user per user namespace limits. 12 + 13 + The primary purpose of these limits is to stop programs that 14 + malfunction and attempt to create a ridiculous number of objects, 15 + before the malfunction becomes a system wide problem. It is the 16 + intention that the defaults of these limits are set high enough that 17 + no program in normal operation should run into these limits. 18 + 19 + The creation of per user per user namespace objects are charged to 20 + the user in the user namespace who created the object and 21 + verified to be below the per user limit in that user namespace. 22 + 23 + The creation of objects is also charged to all of the users 24 + who created user namespaces the creation of the object happens 25 + in (user namespaces can be nested) and verified to be below the per user 26 + limits in the user namespaces of those users. 27 + 28 + This recursive counting of created objects ensures that creating a 29 + user namespace does not allow a user to escape their current limits. 30 + 31 + Currently, these files are in /proc/sys/user: 32 + 33 + - max_cgroup_namespaces 34 + 35 + The maximum number of cgroup namespaces that any user in the current 36 + user namespace may create. 37 + 38 + - max_ipc_namespaces 39 + 40 + The maximum number of ipc namespaces that any user in the current 41 + user namespace may create. 42 + 43 + - max_mnt_namespaces 44 + 45 + The maximum number of mount namespaces that any user in the current 46 + user namespace may create. 
47 + 48 + - max_net_namespaces 49 + 50 + The maximum number of network namespaces that any user in the 51 + current user namespace may create. 52 + 53 + - max_pid_namespaces 54 + 55 + The maximum number of pid namespaces that any user in the current 56 + user namespace may create. 57 + 58 + - max_user_namespaces 59 + 60 + The maximum number of user namespaces that any user in the current 61 + user namespace may create. 62 + 63 + - max_uts_namespaces 64 + 65 + The maximum number of user namespaces that any user in the current 66 + user namespace may create.
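Review bot: the max_uts_namespaces entry (new lines 63-66) reuses the max_user_namespaces wording and describes "The maximum number of user namespaces that any user in the current user namespace may create"; it should read "The maximum number of uts namespaces ...", otherwise the file documents max_user_namespaces twice and max_uts_namespaces not at all. Two smaller points in the same hunk: "documetation" on new line 6 should be "documentation", and the charging description (new lines 19-29) explains how objects are counted against nested user namespaces but never says what a caller observes when one of these limits is reached; one sentence stating the failure behaviour would make the sysctl usable for the admins the file is written for.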