[PATCH 0/3]Sysctl: clean the code and prepare for secure use in containers

LKML Archive on lore.kernel.org
help / color / mirror / Atom feed

From: Pavel Emelyanov <xemul@openvz.org>
To: Andrew Morton <akpm@linux-foundation.org>
Cc: Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
Subject: [PATCH 0/3]Sysctl: clean the code and prepare for secure use in containers
Date: Wed, 27 Feb 2008 16:47:10 +0300	[thread overview]
Message-ID: <47C569DE.9060208@openvz.org> (raw)

Many (most of) sysctls do not have a per-container sense. E.g. 
kernel.print_fatal_signals, vm.panic_on_oom, net.core.netdev_budget 
and so on and so forth. Besides, tuning then from inside a container
is not even secure. On the other hand, hiding them completely from
the container's tasks sometimes causes user-space to stop working.

When developing net sysctl, the common practice was to duplicate
a table and drop the write bits in table->mode, but this approach
was not very elegant, lead to excessive memory consumption and
was not suitable in general.

Here's the alternative solution. To facilitate the per-container
sysctls ctl_table_root-s were introduced. Each root contains a 
list of ctl_table_header-s that are visible to different namespaces. 
The idea of this set is to add the permissions() callback on the 
ctl_table_root to allow ctl root limit permissions to the same 
ctl_table-s.

The main user of this functionality is the net-namespaces code, 
but later this will (should) be used by more and more namespaces,
containers and control groups.

Actually, this idea's core is in a single hunk in the third patch.
First two patches are cleanups for sysctl code, while the third
one mostly extends the arguments set of some sysctl functions.

Signed-off-by: Pavel Emelyanov <xemul@openvz.org>

next             reply	other threads:[~2008-02-27 13:47 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2008-02-27 13:47 Pavel Emelyanov [this message]
2008-02-27 13:48 ` [PATCH 1/3] Sysctl: merge equal proc_sys_read and proc_sys_write Pavel Emelyanov
2008-02-27 13:51 ` [PATCH 2/3] Sysctl: clean from unneeded extern and forward declarations Pavel Emelyanov
2008-02-27 13:54 ` [PATCH 3/3] Sysctl: add the ->permissions callback on the ctl_table_root Pavel Emelyanov

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=47C569DE.9060208@openvz.org \
    --to=xemul@openvz.org \
    --cc=akpm@linux-foundation.org \
    --cc=linux-kernel@vger.kernel.org \
    --subject='Re: [PATCH 0/3]Sysctl: clean the code and prepare for secure use in containers' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).