| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 28 Jan 2017 09:43:54 -0500
From: Tejun Heo <tj@...nel.org>
To: "Eric W. Biederman" <ebiederm@...ssion.com>
Cc: Andy Lutomirski <luto@...capital.net>,
Alexei Starovoitov <alexei.starovoitov@...il.com>,
David Ahern <dsa@...ulusnetworks.com>,
Andy Lutomirski <luto@...nel.org>,
Network Development <netdev@...r.kernel.org>,
"David S. Miller" <davem@...emloft.net>,
Daniel Borkmann <daniel@...earbox.net>,
Alexei Starovoitov <ast@...nel.org>
Subject: Re: [PATCH v2] bpf: Restrict cgroup bpf hooks to the init netns
Hello, Eric.
On Thu, Jan 26, 2017 at 01:45:07PM +1300, Eric W. Biederman wrote:
> > Eric, does this sound okay to you? You're the authority on exposing
> > things like namespace ids to users.
>
> *Boggle* Things that run across all network namespaces break any kind
> of sense I have about thinking about them.
>
> Running across more than one network namespace by default seems very
> broken to me.
Can you explain why that is? Other namespaces don't behave this way.
For example, a PID namespace doesn't hide the processes at the system
level. It just gives additional nested names to the namespaced
processes and having objects visible at the system level is very
useful for monitoring and management. Are there inherent reasons why
network namespace should be very different from other namespaces in
this regard?
Thanks.
--
tejun
Powered by blists - more mailing lists