| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 19 Sep 2017 23:02:14 +0200 From: "Jason A. Donenfeld" <Jason@...c4.com> To: Cong Wang <xiyou.wangcong@...il.com> Cc: Netdev <netdev@...r.kernel.org>, Mathias <mathias@...l-andersen.dk> Subject: Re: cross namespace interface notification for tun devices On Tue, Sep 19, 2017 at 10:40 PM, Cong Wang <xiyou.wangcong@...il.com> wrote: > By "notification" I assume you mean netlink notification. Yes, netlink notification. > The question is why does the process in A still care about > the device sitting in B? > > Also, the process should be able to receive a last notification > on IFF_UP|IFF_RUNNING before device is finally moved to B. > After this point, it should not have any relation to netns A > any more, like the device were completely gone. That's very clearly not the case with a tun device. Tun devices work by letting a userspace process control the inputs (ndo_start_xmit) and outputs (netif_rx) of the actual network device. This controlling userspace process needs to know when its own interface that it controls goes up and down. In the kernel, we can do this by just checking dev->flags&IFF_UP, and receive notifications on ndo_open and ndo_stop. In userspace, the controlling process looses the ability to receive notifications like ndo_open/ndo_stop when the interface is moved to a new namespace. After the interface is moved to a namespace, the process will still control inputs and ouputs (ndo_start_xmit and netif_rx), but it will no longer receive netlink notifications for the equivalent of ndo_open and ndo_stop. This is problematic.
Powered by blists - more mailing lists