This patchset addresses two use cases:
- Implement a sane upper bound on the number of namespaces.
- Provide a way for sandboxes to limit the attack surface from
The maximum sane case I can imagine is if every process is a fat
process, so I set the maximum number of namespaces to the maximum
number of threads.
I make these limits recursive and per user namespace so that a
usernamespace root can reduce the limits further. If a user namespace
root raises the limit the limit in the parent namespace will be honored.
I have cut this implementation to the bare minimum needed to achieve
Does anyone know if there is a proper error code to return for resource
limit exceeded? I am currently using -EUSERS or -ENFILE but both of
those feel a little wrong.