summaryrefslogtreecommitdiff
path: root/Documentation/admin-guide/namespaces/resource-control.rst
diff options
context:
space:
mode:
Diffstat (limited to 'Documentation/admin-guide/namespaces/resource-control.rst')
-rw-r--r--Documentation/admin-guide/namespaces/resource-control.rst18
1 files changed, 18 insertions, 0 deletions
diff --git a/Documentation/admin-guide/namespaces/resource-control.rst b/Documentation/admin-guide/namespaces/resource-control.rst
new file mode 100644
index 000000000000..553a44803231
--- /dev/null
+++ b/Documentation/admin-guide/namespaces/resource-control.rst
@@ -0,0 +1,18 @@
+====================================
+User namespaces and resource control
+====================================
+
+The kernel contains many kinds of objects that either don't have
+individual limits or that have limits which are ineffective when
+a set of processes is allowed to switch their UID. On a system
+where the admins don't trust their users or their users' programs,
+user namespaces expose the system to potential misuse of resources.
+
+In order to mitigate this, we recommend that admins enable memory
+control groups on any system that enables user namespaces.
+Furthermore, we recommend that admins configure the memory control
+groups to limit the maximum memory usable by any untrusted user.
+
+Memory control groups can be configured by installing the libcgroup
+package present on most distros editing /etc/cgrules.conf,
+/etc/cgconfig.conf and setting up libpam-cgroup.
generated by cgit (git 2.34.1) at 2025-12-26 08:51:51 +0000