Date:   Sun, 5 Jul 2020 22:31:25 +0000
From:   Matt Bennett <Matt.Bennett@...iedtelesis.co.nz>
To:     "ebiederm@...ssion.com" <ebiederm@...ssion.com>
CC:     "netdev@...r.kernel.org" <netdev@...r.kernel.org>,
        "zbr@...emap.net" <zbr@...emap.net>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        "containers@...ts.linux-foundation.org" 
        <containers@...ts.linux-foundation.org>
Subject: Re: [PATCH 0/5] RFC: connector: Add network namespace awareness

On Thu, 2020-07-02 at 13:59 -0500, Eric W. Biederman wrote:
> Matt Bennett <matt.bennett@...iedtelesis.co.nz> writes:
> 
> > Previously the connector functionality could only be used by processes running in the
> > default network namespace. This meant that any process that uses the connector functionality
> > could not operate correctly when run inside a container. This is a draft patch series that
> > attempts to now allow this functionality outside of the default network namespace.
> > 
> > I see this has been discussed previously [1], but am not sure how my changes relate to all
> > of the topics discussed there and/or if there are any unintended side effects from my draft
> 
> In a quick skim this patchset does not look like it approaches a correct
> conversion to having code that works in multiple namespaces.
> 
> I will take the changes to proc_id_connector for example.
> You report the values in the caller's current namespaces.
> 
> Which means an unprivileged user can create a user namespace and get
> connector to report whichever ids they want to users in another
> namespace.  AKA lie.
> 
> So this appears to make connector completely unreliable.
> 
> Eric
> 

Hi Eric,

Thank you for taking the time to review. I wrote these patches in an attempt to show that I was willing to do the work myself rather than simply
asking for someone else to do it for me. The changes worked for my use cases when I tested them, but I expected that some of the changes would be
incorrect and that I would need some guidance. I can spend some time to really dig in and fully understand the changes I am trying to make (I have
limited kernel development experience) but based on the rest of the discussion threads it seems that there is likely no appetite to ever support
namespaces with the connector.

Best regards,
Matt
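
The id-reporting concern quoted above, modelled in userspace as an added example (not part of either message, the patch series, or the kernel source). It assumes the `uid_map` line format documented in user_namespaces(7) and the default overflow id 65534; `struct userns`, `uid_seen_in` and the three sample namespaces are hypothetical names constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define OVERFLOW_UID 65534u /* default id shown when no mapping exists */

/* One uid_map line: first id inside the namespace, first kernel id, length. */
struct extent { uint32_t inside, outside, count; };

/* Hypothetical model of a user namespace: just its uid map. */
struct userns { const char *name; struct extent map[2]; int n; };

/* Constructed sample namespaces. "child" is the map "0 1000 1" that an
 * unprivileged user with kernel uid 1000 may write for a namespace they
 * create; "peer" is an unrelated container covering kernel ids 200000+. */
static const struct userns init_ns  = { "init",  { {0, 0, 4294967295u} }, 1 };
static const struct userns child_ns = { "child", { {0, 1000, 1} }, 1 };
static const struct userns peer_ns  = { "peer",  { {0, 200000, 65536} }, 1 };

/* Translate a kernel-global uid into the id visible from inside ns. */
static uint32_t uid_seen_in(const struct userns *ns, uint32_t kuid)
{
    for (int i = 0; i < ns->n; i++) {
        const struct extent *e = &ns->map[i];
        if (kuid >= e->outside && kuid - e->outside < e->count)
            return e->inside + (kuid - e->outside);
    }
    return OVERFLOW_UID; /* unmapped: the viewer cannot name this id */
}

int main(void)
{
    const uint32_t kuid = 1000; /* the unprivileged user's real identity */
    const struct userns *views[] = { &child_ns, &init_ns, &peer_ns };

    /* Translating in the sender's namespace (child) hands every listener
     * the value 0; translating per listener gives each one the id that is
     * meaningful in its own namespace, or the overflow id if unmapped. */
    for (int i = 0; i < 3; i++)
        printf("kuid %u seen from %-5s -> %u\n",
               kuid, views[i]->name, uid_seen_in(views[i], kuid));
    return 0;
}
```

A listener that needs trustworthy ids therefore has to receive them translated into its own namespace, which is the property the review says the draft lacks.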
