| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 25 Jun 2007 10:11:51 -0500 From: "Serge E. Hallyn" <serue@...ibm.com> To: David Miller <davem@...emloft.net> Cc: ebiederm@...ssion.com, jeff@...zik.org, yoshfuji@...ux-ipv6.org, netdev@...r.kernel.org, hadi@...erus.ca, containers@...ts.osdl.org, greearb@...delatech.com, shemminger@...ux-foundation.org, kaber@...sh.net Subject: Re: [RFD] L2 Network namespace infrastructure Quoting David Miller (davem@...emloft.net): > From: ebiederm@...ssion.com (Eric W. Biederman) > Date: Sat, 23 Jun 2007 11:19:34 -0600 > > > Further and fundamentally all a global achieves is removing the need > > for the noise patches where you pass the pointer into the various > > functions. For long term maintenance it doesn't help anything. > > I don't accept that we have to add another function argument > to a bunch of core routines just to support this crap, > especially since you give no way to turn it off and get > that function argument slot back. > > To be honest I think this form of virtualization is a complete > waste of time, even the openvz approach. > > We're protecting the kernel from itself, and that's an endless > uphill battle that you will never win. Let's do this kind of Hi David, just to be clear this isn't so much about security. Security can be provided using selinux, just as with the userid namespace. But like with the userid namespace, this provides usability for the virtual servers, plus some support for restarting checkpointed applications. That doesn't attempt to justify the extra argument - if you don't like it, you don't like it :) Just wanted to clarify. thanks, -serge > stuff properly with a real minimal hypervisor, hopefully with > appropriate hardware level support and good virtualized device > interfaces, instead of this namespace stuff. > > At least the hypervisor approach you have some chance to fully > harden in some verifyable and truly protected way, with > namespaces it's just a pipe dream and everyone who works on > these namespace approaches knows that very well. > > The only positive thing that came out of this work is the > great auditing that the openvz folks have done and the bugs > they have found, but it basically ends right there. > _______________________________________________ > Containers mailing list > Containers@...ts.linux-foundation.org > https://lists.linux-foundation.org/mailman/listinfo/containers - To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists