mirror of
git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
synced 2025-08-05 16:54:27 +00:00

Fix the document title and reword the phrasing to active voice.

Signed-off-by: Joel Savitz <jsavitz@redhat.com>
Message-ID: <20250421161723.1138903-1-jsavitz@redhat.com>
Signed-off-by: Jonathan Corbet <corbet@lwn.net>
18 lines
875 B
ReStructuredText
====================================
User namespaces and resource control
====================================

The kernel contains many kinds of objects that either don't have
individual limits or that have limits which are ineffective when
a set of processes is allowed to switch their UID. On a system
where the admins don't trust their users or their users' programs,
user namespaces expose the system to potential misuse of resources.

In order to mitigate this, we recommend that admins enable memory
control groups on any system that enables user namespaces.
Furthermore, we recommend that admins configure the memory control
groups to limit the maximum memory usable by any untrusted user.

Memory control groups can be configured by installing the libcgroup
package present on most distros, editing /etc/cgrules.conf and
/etc/cgconfig.conf, and setting up libpam-cgroup.
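
One way to audit a host against the recommendation above, as an added example that is not part of the kernel tree. It assumes a cgroup v2 hierarchy mounted at /sys/fs/cgroup, and the default user.slice path is an assumed systemd layout rather than anything this document specifies.

```shell
#!/bin/sh
# Added example: audit a host against the recommendation above.
# Assumes cgroup v2 mounted at /sys/fs/cgroup; every path is a parameter.

# userns_enabled FILE: succeed if users may create user namespaces.
# FILE is normally /proc/sys/user/max_user_namespaces (0 means disabled);
# an unreadable file is treated as disabled.
userns_enabled() {
    [ -r "$1" ] || return 1
    n=$(head -n 1 "$1")
    [ "$n" -gt 0 ] 2>/dev/null
}

# memcg_available FILE: succeed if "memory" is listed in a cgroup v2
# cgroup.controllers file.
memcg_available() {
    [ -r "$1" ] || return 1
    grep -qw memory "$1"
}

# memory_capped FILE: succeed if a cgroup v2 memory.max file holds a byte
# limit instead of the literal "max", which means no limit.
memory_capped() {
    [ -r "$1" ] || return 1
    limit=$(head -n 1 "$1")
    [ -n "$limit" ] && [ "$limit" != "max" ]
}

# audit USERNS_FILE CONTROLLERS_FILE MEMORY_MAX_FILE: print one verdict.
audit() {
    if ! userns_enabled "$1"; then
        echo "ok: user namespaces are disabled"
    elif ! memcg_available "$2"; then
        echo "risk: user namespaces enabled without the memory controller"
    elif ! memory_capped "$3"; then
        echo "risk: no memory limit set in $3"
    else
        echo "ok: memory limit of $(head -n 1 "$3") bytes in $3"
    fi
}

# Defaults describe the running host. The user.slice path is an assumed
# systemd layout; pass the memory.max of the cgroup your untrusted users
# are placed in if it differs.
audit "${1:-/proc/sys/user/max_user_namespaces}" \
      "${2:-/sys/fs/cgroup/cgroup.controllers}" \
      "${3:-/sys/fs/cgroup/user.slice/memory.max}"
```

A "risk" verdict on the second or third check corresponds to the situation the document warns about: user namespaces are available while nothing bounds the memory an untrusted user can consume.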