lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Tue, 23 Apr 2019 12:18:17 +0800
From:   Hangbin Liu <liuhangbin@...il.com>
To:     Miroslav Lichvar <mlichvar@...hat.com>
Cc:     Richard Cochran <richardcochran@...il.com>,
        Jiri Benc <jbenc@...hat.com>, netdev@...r.kernel.org,
        David Miller <davem@...emloft.net>,
        Patrick McHardy <kaber@...sh.net>,
        stefan.sorensen@...ctralink.com
Subject: Re: [PATCH net-next] macvlan: pass get_ts_info and SIOC[SG]HWTSTAMP
 ioctl to real device

Hi Miroslav,
On Thu, Apr 18, 2019 at 10:05:09AM +0200, Miroslav Lichvar wrote:
> > So I guess the macvlan should reject SIOCSHWTSTAMP but allow
> > SIOCGHWTSTAMP.
> 
> FWIW, my suggestion was to limit what the SIOCSHWTSTAMP ioctl can do
> on the virtual interface. It could only enable HW timestamping or

I think this is not enough as user could enable HWTSTAMP_FILTER_NONE.

> select a more general filter. A container could run a PTP clock if it

Do you have an idea about how to select a general filter? If we have enabled
HWTSTAMP_FILTER_PTP_V2_L4_SYNC on host and a user in container want to enable
HWTSTAMP_FILTER_PTP_V2_L4_DELAY_REQ, then which one is more general?

> had also access to the PHC device, or it could have the NET_ADMIN
> capability for other reasons, but it couldn't disable HW timestamping
> enabled by the host or other container.
> 
> If I understand it correctly, even without this ioctl a container can
> prevent the host or other containers from getting some of the HW
> timestamps by requesting TX timestamps at a high rate. I suspect the

Could traffic sharping/limitation fix it?

> timestamping would need to be restricted to the real interface to
> fully protect it from applications having access to the virtual
> interfaces.

Thanks
Hangbin

Powered by blists - more mailing lists