Date:   Tue, 30 May 2017 17:41:26 -0600
From:   David Ahern <dsahern@...il.com>
To:     Harald Welte <laforge@...monks.org>, netdev@...r.kernel.org
Subject: Re: loosing netdevices with namespaces and unshare?

On 5/30/17 4:07 PM, Harald Welte wrote:
> In case you're wondering what I'm actually trying to achieve: Find
> an easy way to run a single program in an isolated namespace that only
> has one physical (usb) ethernet device.  I would like to execute that
> program as unprivileged user but still be able to bind to privileged
> ports.  And I want to do this using simple command-line tools without
> all the bloat and overhead of "container" solutions that have 99% of
> features I don't need.  But let that not distract you, I think the
> mysteriously disappearing netdevices are a more general and important
> issue.

An alternative approach is to create a bridge and add the usb ethernet
device to it. As you want to launch a program, create a veth pair. Put
one end into the bridge, and the other end into the new network namespace.

All of this can be scripted quite easily with 'ip' - including
configuring the veth device pushed into the namespace and running the
command. Use unshare for the other namespaces.
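
The bridge plus veth approach above, scripted with iproute2 as an added example; this is not code from the thread or from either poster. Everything named here is an assumption: eth1 for the USB ethernet device, br0 for the bridge, isolated for the namespace, veth0/veth1 for the pair, and an RFC 5737 documentation address for the namespace end. Every ip call needs CAP_NET_ADMIN, so the setup runs as root; DRY_RUN=1 prints the commands instead of executing them, and netns_plan uses that to show the full sequence.

```shell
#!/bin/sh
# Added example, not from the original thread: isolate one physical device
# behind a bridge and hand a veth end to a fresh network namespace.
# Assumed names (override via environment):
#   PHYS  - physical (USB) ethernet device to isolate
#   NS    - network namespace to create
#   BR    - host-side bridge
#   VETH  - host end of the veth pair; VPEER is the end moved into NS
# All 'ip' commands below need CAP_NET_ADMIN. Set DRY_RUN=1 to only print them.
set -eu

PHYS=${PHYS:-eth1}
NS=${NS:-isolated}
BR=${BR:-br0}
VETH=${VETH:-veth0}
VPEER=${VPEER:-veth1}
NS_ADDR=${NS_ADDR:-192.0.2.10/24}   # assumed; RFC 5737 documentation range
NS_GW=${NS_GW:-192.0.2.1}           # assumed gateway reachable via PHYS

# run: execute a command, or print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# netns_setup: create NS, build BR, enslave PHYS, create the veth pair,
# attach one end to BR and move the other end into NS, then configure it
# from inside the namespace (ip -n NS is shorthand for ip netns exec NS ip).
netns_setup() {
    run ip netns add "$NS"
    run ip link add name "$BR" type bridge
    run ip link set dev "$PHYS" master "$BR"
    run ip link set dev "$PHYS" up
    run ip link set dev "$BR" up
    run ip link add name "$VETH" type veth peer name "$VPEER"
    run ip link set dev "$VETH" master "$BR"
    run ip link set dev "$VETH" up
    # After this the peer is no longer visible in the host namespace.
    run ip link set dev "$VPEER" netns "$NS"
    run ip -n "$NS" link set dev lo up
    run ip -n "$NS" link set dev "$VPEER" up
    run ip -n "$NS" addr add "$NS_ADDR" dev "$VPEER"
    run ip -n "$NS" route add default via "$NS_GW"
}

# netns_teardown: deleting VETH removes the whole pair; deleting NS would
# also have removed VPEER. PHYS is returned to the host unattached.
netns_teardown() {
    run ip link del dev "$VETH"
    run ip link set dev "$PHYS" nomaster
    run ip link del dev "$BR"
    run ip netns del "$NS"
}

# netns_run: run a command in NS; unshare supplies the other namespaces
# (mount, pid with a fresh /proc, ipc). Runs as root unless the command
# itself drops privileges.
netns_run() {
    run ip netns exec "$NS" unshare --mount --pid --fork --mount-proc --ipc "$@"
}

# netns_plan: the setup as a list of commands, one per line, without executing.
netns_plan() {
    ( DRY_RUN=1; netns_setup )
}

# netns_plan_count: number of commands netns_plan emits.
netns_plan_count() {
    netns_plan | wc -l | tr -d ' '
}

case "${1:-}" in
    setup)    netns_setup ;;
    teardown) netns_teardown ;;
    run)      shift; netns_run "$@" ;;
    plan)     netns_plan ;;
esac
```

Two points worth checking before running this on a real box: once PHYS is enslaved to BR, any address the host had on PHYS stops working and would have to move to BR, and `ip netns exec` runs the command as root, so binding privileged ports as an unprivileged user inside the namespace still needs a separate step this example does not cover.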
