lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <1222860776.23573.49.camel@iris.sw.ru>
Date:	Wed, 01 Oct 2008 15:32:56 +0400
From:	"Denis V. Lunev" <den@...nvz.org>
To:	Daniel Lezcano <dlezcano@...ibm.com>
Cc:	containers@...ts.linux-foundation.org, xemul@...nvz.org,
	netdev@...r.kernel.org, benjamin.thery@...l.net,
	ebiederm@...ssion.com
Subject: Re: [PATCH net-next] [RFC] netns: enable cross-ve Unix sockets

On Wed, 2008-10-01 at 13:13 +0200, Daniel Lezcano wrote:
> Denis V. Lunev wrote:
> > This patch opens a way to connect via Unix socket from one namespace
> > to another if these sockets are opened via conventional filesystem
> > interface. Such approach allows to share important services between
> > namespaces in efficient way.
> > 
> > This breach is controlled by the means of shared filesystem, i.e. if
> > somebody really wants to isolate containers, he should start from
> > filesystem separation.
> > 
> > Signed-off-by: Denis V. Lunev <den@...nvz.org>
> > ---
> >  net/unix/af_unix.c |    3 ---
> >  1 files changed, 0 insertions(+), 3 deletions(-)
> > 
> > diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
> > index 39d2173..0e1eccd 100644
> > --- a/net/unix/af_unix.c
> > +++ b/net/unix/af_unix.c
> > @@ -297,9 +297,6 @@ static struct sock *unix_find_socket_byinode(struct net *net, struct inode *i)
> >  		    &unix_socket_table[i->i_ino & (UNIX_HASH_SIZE - 1)]) {
> >  		struct dentry *dentry = unix_sk(s)->dentry;
> > 
> > -		if (!net_eq(sock_net(s), net))
> > -			continue;
> > -
> >  		if(dentry && dentry->d_inode == i)
> >  		{
> >  			sock_hold(s);
> 
> Hi Denis,
> 
> Do you have a list of the important services this isolation forbids ? (I 
> suppose there is syslog).

we have asked from our customers for a shared MySQL server

The full story is here :)
http://bugzilla.openvz.org/show_bug.cgi?id=985

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ