lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <48E36ABF.8030908@fr.ibm.com>
Date:	Wed, 01 Oct 2008 14:19:11 +0200
From:	Daniel Lezcano <dlezcano@...ibm.com>
To:	"Denis V. Lunev" <den@...nvz.org>
CC:	netdev@...r.kernel.org, containers@...ts.linux-foundation.org,
	benjamin.thery@...l.net, ebiederm@...ssion.com, xemul@...nvz.org
Subject: Re: [PATCH net-next] [RFC] netns: enable cross-ve Unix sockets

Denis V. Lunev wrote:
> On Wed, 2008-10-01 at 13:55 +0200, Daniel Lezcano wrote:
>> Denis V. Lunev wrote:
>>> On Wed, 2008-10-01 at 13:13 +0200, Daniel Lezcano wrote:
>>>> Denis V. Lunev wrote:
>>>>> This patch opens a way to connect via Unix socket from one namespace
>>>>> to another if these sockets are opened via conventional filesystem
>>>>> interface. Such approach allows to share important services between
>>>>> namespaces in efficient way.
>>>>>
>>>>> This breach is controlled by the means of shared filesystem, i.e. if
>>>>> somebody really wants to isolate containers, he should start from
>>>>> filesystem separation.
>>>>>
>>>>> Signed-off-by: Denis V. Lunev <den@...nvz.org>
>>>>> ---
>>>>>  net/unix/af_unix.c |    3 ---
>>>>>  1 files changed, 0 insertions(+), 3 deletions(-)
>>>>>
>>>>> diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
>>>>> index 39d2173..0e1eccd 100644
>>>>> --- a/net/unix/af_unix.c
>>>>> +++ b/net/unix/af_unix.c
>>>>> @@ -297,9 +297,6 @@ static struct sock *unix_find_socket_byinode(struct net *net, struct inode *i)
>>>>>  		    &unix_socket_table[i->i_ino & (UNIX_HASH_SIZE - 1)]) {
>>>>>  		struct dentry *dentry = unix_sk(s)->dentry;
>>>>>
>>>>> -		if (!net_eq(sock_net(s), net))
>>>>> -			continue;
>>>>> -
>>>>>  		if(dentry && dentry->d_inode == i)
>>>>>  		{
>>>>>  			sock_hold(s);
>>>> Hi Denis,
>>>>
>>>> Do you have a list of the important services this isolation forbids ? (I 
>>>> suppose there is syslog).
>>> we have asked from our customers for a shared MySQL server
>>>
>>> The full story is here :)
>>> http://bugzilla.openvz.org/show_bug.cgi?id=985
>> Ok, thanks.
>>
>> My question remains :)
>>
>> How do you handle migration in this case ?
> 
> There is no problem until you really have listeners from different
> namespaces on both ends. This is checked after the freeze stage and
> migration is forbidden if such a situation is detected.

So there are 2 cases:
  * full isolation : restriction on VPS
  * partial isolation : no restriction but *perhaps* problem when migrating

Looks like we need an option per namespace to reduce the isolation for 
af_unix sockets :)
  - on (default): current behaviour => full isolation
  - off : partial isolation




--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ