lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Wed, 24 Feb 2016 16:05:10 -0600
From:	ebiederm@...ssion.com (Eric W. Biederman)
To:	David Miller <davem@...emloft.net>
Cc:	khlebnikov@...dex-team.ru, netdev@...r.kernel.org,
	containers@...ts.linux-foundation.org, vvs@...tuozzo.com,
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH] ipv4: in new netns initialize sysctls in net.ipv4.conf.* with defaults

David Miller <davem@...emloft.net> writes:

> From: Konstantin Khlebnikov <khlebnikov@...dex-team.ru>
> Date: Sun, 21 Feb 2016 10:11:02 +0300
>
>> Currently initial net.ipv4.conf.all.* and net.ipv4.conf.default.* are
>> copied from init network namespace because static structures are used
>> for init_net. This makes no sense because new netns might be created
>> from any netns. This patch makes private copy also for init netns if
>> network namespaces are enabled. Other sysctls in net.ipv4 and net.ipv6
>> already initialized with default values at namespace creation.
>> 
>> Signed-off-by: Konstantin Khlebnikov <khlebnikov@...dex-team.ru>
>> Fixes: 752d14dc6aa9 ("[IPV4]: Move the devinet pointers on the struct net")
>
> The horse has long left the stable on this.  We cannot change this now
> without breaking things.
>
> Imagine someone who intentionally sets up init_net with a certain set
> of settings and expects them to propagate into every created namespace.
>
> We'll break things for them and given the behavior existed for so long
> what the administrator is doing is very reasonable.
>
> I'm not applying this sorry, we are stuck with the current behavior
> whether we like it or not.

Dave I won't argue that the patch reaches the proper trade-off with
existing software.  Certainly the lack of testing and other exploration
in this regard with the submitted patch is concerning.

In the general case the current behavior is random and not something
applications can count on, and we would do well to fix it so it is less
random.  In particular consider the case of an application in a
non-initial network namespace creating a new network namespace.  It is
not even possible to predict what values they will get for sysctls
today.

>From a backwards compatibility standpoint we are probably better off
with copying from the current network namespace rather than the initial
network namespace.  As that more closely resembles the common case
today.

Having a statement of something that is a problem today with the
existing setup would probably be useful so it is clear this is not a
change for the sake of change.

Eric

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ