| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <48E3800F.1020806@fr.ibm.com> Date: Wed, 01 Oct 2008 15:50:07 +0200 From: Daniel Lezcano <dlezcano@...ibm.com> To: Cedric Le Goater <clg@...ibm.com> CC: Pavel Emelyanov <xemul@...nvz.org>, Denis Lunev <den@...nvz.org>, netdev@...r.kernel.org, containers@...ts.linux-foundation.org, ebiederm@...ssion.com, benjamin.thery@...l.net Subject: Re: [PATCH net-next] [RFC] netns: enable cross-ve Unix sockets Cedric Le Goater wrote: > Pavel Emelyanov wrote: >> Daniel Lezcano wrote: >>> Pavel Emelyanov wrote: >>>>> So there are 2 cases: >>>>> * full isolation : restriction on VPS >>>>> * partial isolation : no restriction but *perhaps* problem when migrating >>>>> >>>>> Looks like we need an option per namespace to reduce the isolation for >>>>> af_unix sockets :) >>>>> - on (default): current behaviour => full isolation >>>>> - off : partial isolation >>>> You mean some sysctl, that enables/disables this check in unix_find_socket_byinode? >>> Yes. >> OK. Den, please, do :) > > hmm, would that allow sibling namespaces to connect to each other ? If so, > I'm not in favor of such a solution. > > I understand the need. we had a similar issue with the command line tool > pgsl. Could we work something out with the capabilities ? or make an > exception if your ->nsproxy->net_ns == init_net ? Why capabilities is better than a simple sysctl ? Making an exception for init_net will break the nested containers no ? -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists