Message-ID: <1384216612.2758.30.camel@dilip-laptop>
Date: Mon, 11 Nov 2013 19:36:52 -0500
From: Dilip Daya <dilip.daya@...com>
To: "Eric W. Biederman" <ebiederm@...ssion.com>
Cc: Chris J Arges <chris.j.arges@...onical.com>,
Brian Haley <brian.haley@...com>, shemminger@...l.org,
"netdev@...r.kernel.org" <netdev@...r.kernel.org>
Subject: Re: iproute2: potential upgrade regression with 58a3e827

Hi Eric,

On Mon, 2013-11-11 at 14:40 -0800, Eric W. Biederman wrote:
> Dilip Daya <dilip.daya@...com> writes:
>
> > Hi Chris,
> >
> > On Mon, 2013-11-11 at 15:26 -0600, Chris J Arges wrote:
> >
> >> Good suggestion,
> >> So I'll use a more simple example now:
> >>
> >> 1)
> >> ip netns add first
> >> ip netns exec first bash
> >>
> >> 2)
> >> ip netns add second
> >> ip netns exec second bash
> >>
> >> 3)
> >> ip netns exec first bash
> >>
> >> If we do not upgrade the package, after we execute (2) we have:
> >> # ls -l /var/run/netns
> >> total 0
> >> -r-------- 1 root root 0 Nov 11 20:38 first
> >> -r-------- 1 root root 0 Nov 11 20:38 second
> >>
> >> If we upgrade after (1), then run (2) we have:
> >> # ls -l /var/run/netns
> >> total 0
> >> ---------- 1 root root 0 Nov 11 20:56 first
> >> -r-------- 1 root root 0 Nov 11 20:57 second
> >>
> >> So looks like netns add is doing something different from 58a3e827 and on.
>
> I will just add that it is worth looking at /proc/mounts as well.
>
> Although I have to admit that the difference in permissions is odd.
=> kernel v3.2.51 with iproute2-ss130903
Terminal #1--Add first netns
# ip netns add first
Terminal #1:
# tree --inodes /var/run/netns ; echo "=====" ; ls -li /var/run/netns ; echo "====="; cat /proc/self/mounts | grep first ; echo "=====" ; cat /proc/self/mountinfo | grep -e first
/var/run/netns
└── [ 5204] first
0 directories, 1 file
=====
total 0
5204 -r-------- 1 root root 0 Nov 11 17:17 first
=====
none /var/run/netns/first proc rw,nosuid,nodev,noexec,relatime 0 0
=====
23 22 0:3 /1935/ns/net /var/run/netns/first rw,nosuid,nodev,noexec,relatime shared:2 - proc none rw
Terminal #1:
# ip netns exec first /bin/bash
Terminal #1:
# tree --inodes /var/run/netns ; echo "=====" ; ls -li /var/run/netns ; echo "====="; cat /proc/self/mounts | grep first ; echo "=====" ; cat /proc/self/mountinfo | grep -e first
/var/run/netns
└── [ 5204] first
0 directories, 1 file
=====
total 0
5204 -r-------- 1 root root 0 Nov 11 17:17 first
=====
none /var/run/netns/first proc rw,nosuid,nodev,noexec,relatime 0 0
first /sys sysfs rw,relatime 0 0
=====
33 32 0:3 /1935/ns/net /var/run/netns/first rw,nosuid,nodev,noexec,relatime master:2 - proc none rw
29 25 0:17 / /sys rw,relatime - sysfs first rw
Terminal #1:
# ip netns add second
Terminal #1:
# tree --inodes /var/run/netns ; echo "=====" ; ls -li /var/run/netns ; echo "====="; cat /proc/self/mounts | grep first ; echo "=====" ; cat /proc/self/mountinfo | grep -e first -e second
/var/run/netns
├── [ 5204] first
└── [ 5236] second
0 directories, 2 files
=====
total 0
5204 -r-------- 1 root root 0 Nov 11 17:17 first
5236 -r-------- 1 root root 0 Nov 11 17:21 second <<< observe this inode # and permissions
=====
none /var/run/netns/first proc rw,nosuid,nodev,noexec,relatime 0 0
first /sys sysfs rw,relatime 0 0
=====
33 32 0:3 /1935/ns/net /var/run/netns/first rw,nosuid,nodev,noexec,relatime shared:4 master:2 - proc none rw
29 25 0:17 / /sys rw,relatime - sysfs first rw
34 32 0:3 /1955/ns/net /var/run/netns/second rw,nosuid,nodev,noexec,relatime shared:5 - proc none rw
Terminal #2--in main (not in netns):
# tree --inodes /var/run/netns ; echo "=====" ; ls -li /var/run/netns ; echo "====="; cat /proc/self/mounts | grep first ; echo "=====" ; cat /proc/self/mountinfo | grep -e first -e second
/var/run/netns
├── [ 5204] first
└── [ 51492] second <<< inode is different
0 directories, 2 files
=====
total 0
5204 -r-------- 1 root root 0 Nov 11 17:17 first
51492 ---------- 1 root root 0 Nov 11 17:21 second << inode different with NULL permissions
=====
none /var/run/netns/first proc rw,nosuid,nodev,noexec,relatime 0 0
=====
23 22 0:3 /1935/ns/net /var/run/netns/first rw,nosuid,nodev,noexec,relatime shared:2 - proc none rw
=> When in main (not in netns) "second" netns is not viewable.
Terminal #2--Enter first:
# ip netns exec first bash
Terminal #2:
# tree --inodes /var/run/netns ; echo "=====" ; ls -li /var/run/netns ; echo "====="; cat /proc/self/mounts | grep first ; echo "=====" ; cat /proc/self/mountinfo | grep -e first -e second
/var/run/netns
├── [ 5204] first
└── [ 51492] second <<< inode different than when created from first in Terminal #1 above
0 directories, 2 files
=====
total 0
5204 -r-------- 1 root root 0 Nov 11 17:17 first
51492 ---------- 1 root root 0 Nov 11 17:21 second <<< inode with NULL permissions
=====
none /var/run/netns/first proc rw,nosuid,nodev,noexec,relatime 0 0
first /sys sysfs rw,relatime 0 0
=====
44 43 0:3 /1935/ns/net /var/run/netns/first rw,nosuid,nodev,noexec,relatime master:2 - proc none rw
40 36 0:17 / /sys rw,relatime - sysfs first rw
=> mounts and mountinfo do not show "second"
Terminal #2:
# ip netns exec second /bin/bash
seting the network namespace "second" failed: Invalid argument
=> "second" netns is now rendered unusable from "first" netns and from main.
Thanks,
-DilipD.
>
> Eric
--
-DilipD.
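
The comparison done by eye in the message above (names listed under /var/run/netns versus entries in /proc/self/mountinfo), written as a script. This is an added example, not part of the original message or of iproute2. The names `netns_mount_state`, `NETNS_DIR`, `sample_inside_first` and `sample_main` are hypothetical, and the sample mountinfo lines are copied from the two terminals in the message.

```shell
#!/bin/sh
# Added example: for each netns name, report whether the current mount
# namespace has a mount on its file, and with which propagation flags.
NETNS_DIR=${NETNS_DIR:-/var/run/netns}   # path as shown in the message

# netns_mount_state MOUNTINFO NAME...
# Prints "<name> mounted <propagation>" or "<name> unmounted -" per name.
netns_mount_state() {
    mountinfo=$1; shift
    for name in "$@"; do
        awk -v mp="$NETNS_DIR/$name" -v name="$name" '
            $5 == mp {                      # field 5 is the mount point
                prop = ""
                # optional fields (shared:N, master:N) run from field 7 to "-"
                for (i = 7; i <= NF && $i != "-"; i++)
                    prop = prop (prop == "" ? "" : ",") $i
                printf "%s mounted %s\n", name, (prop == "" ? "private" : prop)
                found = 1
                exit
            }
            END { if (!found) printf "%s unmounted -\n", name }
        ' "$mountinfo"
    done
}

# Sample input: mountinfo lines copied from the message.
sample_inside_first() {   # Terminal #1, inside "first" after "ip netns add second"
    cat <<'EOF'
33 32 0:3 /1935/ns/net /var/run/netns/first rw,nosuid,nodev,noexec,relatime shared:4 master:2 - proc none rw
29 25 0:17 / /sys rw,relatime - sysfs first rw
34 32 0:3 /1955/ns/net /var/run/netns/second rw,nosuid,nodev,noexec,relatime shared:5 - proc none rw
EOF
}
sample_main() {           # Terminal #2, main namespace
    cat <<'EOF'
23 22 0:3 /1935/ns/net /var/run/netns/first rw,nosuid,nodev,noexec,relatime shared:2 - proc none rw
EOF
}

# Demo on the Terminal #2 sample: "second" has a file but no mount.
tmp=$(mktemp)
sample_main > "$tmp"
netns_mount_state "$tmp" first second
rm -f "$tmp"
```

On a live system, pass `/proc/self/mountinfo` and the names found in the netns directory; a name reported as `unmounted` is in the state the message shows for "second" in Terminal #2.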