Documentation for /proc/sys/user/* kernel version 4.9.0
(c) 2016 Eric Biederman <ebiederm@xmission.com>

==============================================================

This file contains the documentation for the sysctl files in
/proc/sys/user.

The files in this directory can be used to override the default
limits on the number of namespaces and other objects that have
per-user, per-user-namespace limits.
| 12 | |
The primary purpose of these limits is to stop programs that
malfunction and attempt to create a ridiculous number of objects,
before the malfunction becomes a system wide problem. It is the
intention that the defaults of these limits are set high enough that
no program in normal operation should run into these limits.
| 18 | |
The creation of a per-user, per-user-namespace object is charged to
the user in the user namespace who created the object and
verified to be below the per-user limit in that user namespace.

The creation of an object is also charged to each of the users
who created the user namespaces that the object is created
in (user namespaces can be nested) and verified to be below the per-user
limits in the user namespaces of those users.

This recursive counting of created objects ensures that creating a
user namespace does not allow a user to escape their current limits.
| 30 | |
Currently, these files are in /proc/sys/user:

- max_cgroup_namespaces

  The maximum number of cgroup namespaces that any user in the current
  user namespace may create.

- max_ipc_namespaces

  The maximum number of ipc namespaces that any user in the current
  user namespace may create.

- max_mnt_namespaces

  The maximum number of mount namespaces that any user in the current
  user namespace may create.

- max_net_namespaces

  The maximum number of network namespaces that any user in the
  current user namespace may create.

- max_pid_namespaces

  The maximum number of pid namespaces that any user in the current
  user namespace may create.

- max_user_namespaces

  The maximum number of user namespaces that any user in the current
  user namespace may create.
| 62 | |
- max_uts_namespaces

  The maximum number of uts namespaces that any user in the current
  user namespace may create.