lists.openwall.net: Open Source and information security mailing list archives
Message-ID: <CAF2d9jjsRXnuPz3WKSRZK5ctj_c2BMBcWfiWbe4vxesGA8fNgg@mail.gmail.com>
Date:   Wed, 5 Jul 2017 16:01:55 -0700
From:   Mahesh Bandewar (महेश बंडेवार) 
        <maheshb@...gle.com>
To:     "Eric W. Biederman" <ebiederm@...ssion.com>,
        David Miller <davem@...emloft.net>,
        Cong Wang <xiyou.wangcong@...il.com>
Cc:     mahesh@...dewar.net, jmorris@...ei.org, yoshfuji@...ux-ipv6.org,
        kaber@...sh.net, Eric Dumazet <edumazet@...gle.com>,
        linux-netdev <netdev@...r.kernel.org>
Subject: Re: [PATCH 0/2] bring UP loopback device at initialization

> I wonder if it is too late to change this since this behavior is probably
> from the beginning of network namespace. A networkless netns is also
> useful at least for testing purpose, we do use it as a sandbox.
>
Sandbox is my use case too, but I'm worried about all other things that
a process inside that namespace can do (tasks' capability mask) and
want to eliminate the need to have a capability just to bring up the
loopback device (more in the commit message update).


> If you can please include the analysis that describes why no one will
> care. Especially applications such as vsftpd that create network
> namespaces as a way to sandbox themselves and not have a network stack
> available.
>
Well, I wasn't sure, hence I probed with the RFC patch.
I'm not familiar with the vsftpd use case, but I assume it's expecting
a loopback device to be in the DOWN state.

Now that you have made me aware of some use cases that do want the
loopback device to be DOWN, could we use a global sysctl to dictate
the loopback behavior during init? e.g.

net.core.netdev_loopback_state = {0|1}

    where 0: is the current behavior, i.e. DOWN by default.
          1: is the proposed new behavior, i.e. UP by default.

We can keep the default value of this sysctl at '1' so that when a
host boots, the loopback is UP by default.
A running system that prefers the loopback device to come up in the
DOWN state for its namespaces can change the value of this sysctl to
'0', so every namespace creation will come up with loopback in the DOWN
state. Or we could reverse the behavior by changing the default value
of this sysctl (to '0').

Thanks,
--mahesh..
