| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 28 Jan 2019 09:38:16 -0700
From: David Ahern <dsahern@...il.com>
To: Matteo Croce <mcroce@...hat.com>, netdev@...r.kernel.org
Cc: Stephen Hemminger <sthemmin@...rosoft.com>
Subject: Re: [PATCH iproute2-next] netns: add subcommand to attach an existing
network namespace
On 1/24/19 8:50 AM, Matteo Croce wrote:
> ip tracks namespaces with dummy files in /var/run/netns/, but can't see
> namespaces created with other tools.
> Creating the dummy file and bind mounting the correct procfs entry will
> make ip aware of that namespace.
> Add an ip netns subcommand to automate this task.
>
> Signed-off-by: Matteo Croce <mcroce@...hat.com>
> ---
> ip/ipnetns.c | 84 +++++++++++++++++++++++++++++++++++++++++++++
> man/man8/ip-netns.8 | 10 ++++++
> 2 files changed, 94 insertions(+)
>
> diff --git a/ip/ipnetns.c b/ip/ipnetns.c
> index 03879b49..86b1a36b 100644
> --- a/ip/ipnetns.c
> +++ b/ip/ipnetns.c
> @@ -28,6 +28,7 @@ static int usage(void)
> {
> fprintf(stderr, "Usage: ip netns list\n");
> fprintf(stderr, " ip netns add NAME\n");
> + fprintf(stderr, " ip netns attach NAME PID\n");
> fprintf(stderr, " ip netns set NAME NETNSID\n");
> fprintf(stderr, " ip [-all] netns delete [NAME]\n");
> fprintf(stderr, " ip netns identify [PID]\n");
> @@ -811,6 +812,86 @@ static int netns_monitor(int argc, char **argv)
> return 0;
> }
>
> +static int netns_attach(int argc, char **argv)
> +{
> + /* This function bind mounts an existing network namespace to a
> + * well known location in the filesystem based on the name provided.
> + * If everything succeeds, the result is the same as netns_add.
> + *
> + * The mount namespace is created so that any necessary
> + * userspace tweaks like remounting /sys, or bind mounting
> + * a new /etc/resolv.conf can be shared between users.
> + */
> + char netns_path[PATH_MAX], proc_path[PATH_MAX];
> + const char *name;
> + int fd;
> + pid_t pid;
> + int made_netns_run_dir_mount = 0;
> +
> + if (argc < 2) {
> + fprintf(stderr, "No netns name and PID specified\n");
> + return -1;
> + }
> + name = argv[0];
> +
> + if (get_s32(&pid, argv[1], 0) || !pid) {
> + fprintf(stderr, "Invalid PID: %s\n", argv[1]);
> + return -1;
> + }
> +
> + snprintf(netns_path, sizeof(netns_path), "%s/%s", NETNS_RUN_DIR, name);
> +
> + if (create_netns_dir())
> + return -1;
> +
> + /* Make it possible for network namespace mounts to propagate between
> + * mount namespaces. This makes it likely that a unmounting a network
> + * namespace file in one namespace will unmount the network namespace
> + * file in all namespaces allowing the network namespace to be freed
> + * sooner.
> + */
> + while (mount("", NETNS_RUN_DIR, "none", MS_SHARED | MS_REC, NULL)) {
> + /* Fail unless we need to make the mount point */
> + if (errno != EINVAL || made_netns_run_dir_mount) {
> + fprintf(stderr, "mount --make-shared %s failed: %s\n",
> + NETNS_RUN_DIR, strerror(errno));
> + return -1;
> + }
> +
> + /* Upgrade NETNS_RUN_DIR to a mount point */
> + if (mount(NETNS_RUN_DIR, NETNS_RUN_DIR, "none", MS_BIND | MS_REC, NULL)) {
> + fprintf(stderr, "mount --bind %s %s failed: %s\n",
> + NETNS_RUN_DIR, NETNS_RUN_DIR, strerror(errno));
> + return -1;
> + }
> + made_netns_run_dir_mount = 1;
> + }
> +
> + /* Create the filesystem state */
> + fd = open(netns_path, O_RDONLY|O_CREAT|O_EXCL, 0);
> + if (fd < 0) {
> + fprintf(stderr, "Cannot create namespace file \"%s\": %s\n",
> + netns_path, strerror(errno));
> + return -1;
> + }
> + close(fd);
> +
> + snprintf(proc_path, sizeof(proc_path), "/proc/%d/ns/net", pid);
> +
> + /* Bind the netns last so I can watch for it */
> + if (mount(proc_path, netns_path, "none", MS_BIND, NULL) < 0) {
> + fprintf(stderr, "Bind %s -> %s failed: %s\n",
> + proc_path, netns_path, strerror(errno));
> + goto out_delete;
> + }
> + return 0;
> +out_delete:
> + if (unlink(netns_path) < 0)
> + fprintf(stderr, "Cannot remove namespace file \"%s\": %s\n",
> + netns_path, strerror(errno));
> + return -1;
> +}
> +
Rather than duplicate netns_add, refactor it for use by both attach and add.
Powered by blists - more mailing lists