diff options
Diffstat (limited to 'Documentation/namespaces')
| -rw-r--r-- | Documentation/namespaces/compatibility-list.txt | 39 | ||||
| -rw-r--r-- | Documentation/namespaces/resource-control.txt | 14 |
2 files changed, 0 insertions, 53 deletions
diff --git a/Documentation/namespaces/compatibility-list.txt b/Documentation/namespaces/compatibility-list.txt deleted file mode 100644 index defc5589bfcd..000000000000 --- a/Documentation/namespaces/compatibility-list.txt +++ /dev/null @@ -1,39 +0,0 @@ - Namespaces compatibility list - -This document contains the information about the problems user -may have when creating tasks living in different namespaces. - -Here's the summary. This matrix shows the known problems, that -occur when tasks share some namespace (the columns) while living -in different other namespaces (the rows): - - UTS IPC VFS PID User Net -UTS X -IPC X 1 -VFS X -PID 1 1 X -User 2 2 X -Net X - -1. Both the IPC and the PID namespaces provide IDs to address - object inside the kernel. E.g. semaphore with IPCID or - process group with pid. - - In both cases, tasks shouldn't try exposing this ID to some - other task living in a different namespace via a shared filesystem - or IPC shmem/message. The fact is that this ID is only valid - within the namespace it was obtained in and may refer to some - other object in another namespace. - -2. Intentionally, two equal user IDs in different user namespaces - should not be equal from the VFS point of view. In other - words, user 10 in one user namespace shouldn't have the same - access permissions to files, belonging to user 10 in another - namespace. - - The same is true for the IPC namespaces being shared - two users - from different user namespaces should not access the same IPC objects - even having equal UIDs. - - But currently this is not so. - diff --git a/Documentation/namespaces/resource-control.txt b/Documentation/namespaces/resource-control.txt deleted file mode 100644 index abc13c394738..000000000000 --- a/Documentation/namespaces/resource-control.txt +++ /dev/null @@ -1,14 +0,0 @@ -There are a lot of kinds of objects in the kernel that don't have -individual limits or that have limits that are ineffective when a set -of processes is allowed to switch user ids. With user namespaces -enabled in a kernel for people who don't trust their users or their -users programs to play nice this problems becomes more acute. - -Therefore it is recommended that memory control groups be enabled in -kernels that enable user namespaces, and it is further recommended -that userspace configure memory control groups to limit how much -memory user's they don't trust to play nice can use. - -Memory control groups can be configured by installing the libcgroup -package present on most distros editing /etc/cgrules.conf, -/etc/cgconfig.conf and setting up libpam-cgroup. |