Message-ID: <87d1m0p3ui.fsf@x220.int.ebiederm.org>
Date: Tue, 26 Jul 2016 15:00:05 -0500
From: ebiederm@...ssion.com (Eric W. Biederman)
To: Andrei Vagin <avagin@...il.com>
Cc: Linux Containers <containers@...ts.linux-foundation.org>, Kees Cook <keescook@...omium.org>, netdev@...r.kernel.org, LKML <linux-kernel@...r.kernel.org>, Andy Lutomirski <luto@...capital.net>, Seth Forshee <seth.forshee@...onical.com>, Nikolay Borisov <kernel@...p.com>, Linux API <linux-api@...r.kernel.org>, linux-fsdevel <linux-fsdevel@...r.kernel.org>, Jann Horn <jann@...jh.net>
Subject: Re: [PATCH v2 09/10] netns: Add a limit on the number of net namespaces

Andrei Vagin <avagin@...il.com> writes:

> On Thu, Jul 21, 2016 at 9:40 AM, Eric W. Biederman <ebiederm@...ssion.com> wrote:
>> index 2c2eb1b629b1..a489f192d619 100644
>> --- a/net/core/net_namespace.c
>> +++ b/net/core/net_namespace.c
>> @@ -266,6 +266,16 @@ struct net *get_net_ns_by_id(struct net *net, int id)
>>  	return peer;
>>  }
>>
>> +static bool inc_net_namespaces(struct user_namespace *ns)
>> +{
>> +	return inc_ucount(ns, UCOUNT_NET_NAMESPACES);
>> +}
>> +
>> +static void dec_net_namespaces(struct user_namespace *ns)
>> +{
>> +	dec_ucount(ns, UCOUNT_NET_NAMESPACES);
>> +}
>> +
>>  /*
>>   * setup_net runs the initializers for the network namespace object.
>>   */
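Review bot: dec_net_namespaces() is added in this hunk without any caller in view, and the count only stays balanced if it runs exactly once for every successful inc_net_namespaces(): in net_free() for a namespace that was fully set up, and on the error path of whichever function did the increment when a later initializer fails. Please make the matching decrement visible in this patch (or say where it lands), and add a one-line comment on the pair stating that the charge is made against the user namespace the net was created in, so that inc and dec are always called with the same struct user_namespace.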
>> @@ -276,6 +286,9 @@ static __net_init int setup_net(struct net *net, struct user_namespace *user_ns)
>>  	int error = 0;
>>  	LIST_HEAD(net_exit_list);
>>
>> +	if (!inc_net_namespaces(user_ns))
>> +		return -ENFILE;
>
> I think you need to move this check after initializing net->passive.
> When setup_net returns an error, net_drop_ns is called:
>

Good point.  Ouch!

> void net_drop_ns(void *p)
> {
> 	struct net *ns = p;
> 	if (ns && atomic_dec_and_test(&ns->passive))
> 		net_free(ns);
> }
>
> Actually, I think it would be better to make this check before
> net_alloc().

You are probably right.  I seem to be trying to be entirely too clever
putting that in setup_net so I can cover the initial network namespace,
which really does not need to be counted.

As clearly I also goofed up the decrement on error case as well.

Eric
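Review bot: the check at the top of setup_net() is in the wrong place for two reasons visible in this hunk. First, once inc_net_namespaces() has succeeded, any later initializer failure makes setup_net() return an error without calling dec_net_namespaces(), so a failed setup permanently consumes one of the user namespace's slots. Second, the early `return -ENFILE;` runs before net->passive is initialized further down in setup_net(), while the caller reacts to a setup_net() error with net_drop_ns(), whose atomic_dec_and_test(&ns->passive) then operates on a refcount that was never set up. Moving the increment in front of net_alloc() in the caller, paired with a decrement on that caller's error path and in net_free(), fixes both and also keeps the initial network namespace out of the count. It would also help to say in the commit message why -ENFILE was chosen as the errno for a per-user-namespace limit.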
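The ordering the thread converges on (charge the limit before allocating, initialize the passive refcount before anything can fail, and give the slot back on every failure path) is easy to get wrong, so here is a userspace model of it, written as an added example for this page. It is not the patch's or the kernel's code: inc_ucount_model, dec_ucount_model, net_model, copy_net_ns_model, run_scenario and the other identifiers are hypothetical stand-ins named after the kernel functions they imitate, the initializers are reduced to a single "fails / does not fail" flag, and the -ENFILE errno is simply the one the hunk uses.

```c
/* Added example (hypothetical names, not kernel code): userspace model of a
 * per-user-namespace limit with the check placed before the allocation. */
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>

enum ucount_type { UCOUNT_NET_NAMESPACES, UCOUNT_COUNTS };

struct user_ns_model {			/* stand-in for struct user_namespace */
	int count[UCOUNT_COUNTS], max[UCOUNT_COUNTS];
};

/* Stand-in for struct net: remembers which user namespace it was charged to. */
struct net_model { struct user_ns_model *user_ns; int passive; };

/* Charge one object of `type`; refuse, without charging, when at the limit. */
static bool inc_ucount_model(struct user_ns_model *ns, enum ucount_type type)
{
	if (ns->count[type] >= ns->max[type])
		return false;
	ns->count[type]++;
	return true;
}

static void dec_ucount_model(struct user_ns_model *ns, enum ucount_type type)
{
	ns->count[type]--;
}

/* Models setup_net() minus the initializers; the limit check does not live here. */
static int setup_net_model(bool init_fails) { return init_fails ? -ENOMEM : 0; }

/* The decrement sits beside the free, so each charged namespace returns its slot exactly once. */
static void net_free_model(struct net_model *net)
{
	dec_ucount_model(net->user_ns, UCOUNT_NET_NAMESPACES);
	free(net);
}

/* Models net_drop_ns(): only safe once net->passive has been initialised. */
static void net_drop_ns_model(struct net_model *net)
{
	if (net && --net->passive == 0)
		net_free_model(net);
}

/* Models copy_net_ns() with the check in front of the allocation. Returns
 * the namespace or NULL with *err set; -ENFILE is the errno the patch uses. */
static struct net_model *copy_net_ns_model(struct user_ns_model *user_ns,
					   bool init_fails, int *err)
{
	if (!inc_ucount_model(user_ns, UCOUNT_NET_NAMESPACES)) {
		*err = -ENFILE;		/* nothing allocated, nothing to undo */
		return NULL;
	}
	struct net_model *net = calloc(1, sizeof(*net));
	if (!net) {
		dec_ucount_model(user_ns, UCOUNT_NET_NAMESPACES);
		*err = -ENOMEM;
		return NULL;
	}
	net->user_ns = user_ns;
	net->passive = 1;		/* set before setup so the drop is safe */
	*err = setup_net_model(init_fails);
	if (*err) {
		net_drop_ns_model(net);	/* frees and uncharges in one place */
		return NULL;
	}
	return net;
}

struct scenario_result {		/* expected values noted per field */
	int leftover_after_failed_setup;	/* 0: a failed setup leaks no slot */
	int created, err_at_limit;		/* 2 and -ENFILE: third one refused */
	int leftover_after_release;		/* 0: the counter is balanced */
};

/* Drive the model with a limit of 2 and record the counter at each step. */
static struct scenario_result run_scenario(void)
{
	struct user_ns_model uns = { .max = { [UCOUNT_NET_NAMESPACES] = 2 } };
	struct scenario_result r = { 0 };
	struct net_model *nets[2] = { 0 };
	int err = 0;
	(void)copy_net_ns_model(&uns, true, &err);	/* setup fails */
	r.leftover_after_failed_setup = uns.count[UCOUNT_NET_NAMESPACES];
	for (int i = 0; i < 2; i++)
		if ((nets[i] = copy_net_ns_model(&uns, false, &err)))
			r.created++;
	if (copy_net_ns_model(&uns, false, &err))
		r.created++;				/* would exceed the limit */
	r.err_at_limit = err;
	for (int i = 0; i < 2; i++)
		net_drop_ns_model(nets[i]);
	r.leftover_after_release = uns.count[UCOUNT_NET_NAMESPACES];
	return r;
}
```

Build with any C99 compiler (for example `cc -std=c11 -Wall model.c`) and call run_scenario() from a main of your own. The design choice worth copying is that the only decrement on the normal path lives in net_free_model(), so the failure path does not need its own accounting: dropping the passive reference already frees and uncharges. The one place that must decrement explicitly is the allocation failure, because at that point there is no object for net_drop_ns_model() to release.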