Date:   Fri, 21 Aug 2020 14:25:20 -0700
From:   Maciej Żenczykowski <maze@...gle.com>
To:     David Miller <davem@...emloft.net>
Cc:     Mahesh Bandewar <maheshb@...gle.com>,
        Linux NetDev <netdev@...r.kernel.org>,
        Jakub Kicinski <kuba@...nel.org>,
        Eric Dumazet <edumazet@...gle.com>, mahesh@...dewar.net,
        jianyang@...gle.com
Subject: Re: [PATCH next] net: add option to not create fall-back tunnels in
 root-ns as well

> > not create fallback tunnels for non-default namespaces") to create
> > fall-back only in root-ns. This patch enhances that behavior to provide
> > an option not to create fallback tunnels in root-ns as well. Since modules
> > that create fallback tunnels could be built-in and setting the sysctl
> > value after booting is pointless, a config option is added which defaults
> > to zero (to preserve backward compatibility) but also takes values "1" and
> > "2" which don't create fallback tunnels in non-root namespaces
> > only and nowhere respectively.
> >
> > Signed-off-by: Mahesh Bandewar <maheshb@...gle.com>
>  ...
> > +config SYSCTL_FB_TUNNEL
>  ...
> > -int sysctl_fb_tunnels_only_for_init_net __read_mostly = 0;
> > +int sysctl_fb_tunnels_only_for_init_net __read_mostly = CONFIG_SYSCTL_FB_TUNNEL;
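Review bot: the initializer `+int sysctl_fb_tunnels_only_for_init_net __read_mostly = CONFIG_SYSCTL_FB_TUNNEL;` takes whatever integer the new `+config SYSCTL_FB_TUNNEL` option holds, so that Kconfig entry (elided above) should carry a `range 0 2` matching the three modes the description defines; without it a stray config value initialises the variable to a mode the runtime code never accepts, and the sysctl's documented values and the build-time default silently disagree.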
>
> I can't allow this.  This requires a kernel rebuild when none is
> really necessary.  You're also forcing distributions to make a choice
> they have no place making at all.
>
> You have two ways to handle this situation already:
>
> 1) Kernel command line
>
> 2) initrd
>
> I'm not allowing a third to be added.  And if I had, then that would set
> a precedent and others will want to do this as well for their
> favorite sysctl that has implications as soon as modules get
> loaded.

I don't think initrd works for things built into the kernel,
since it runs too late - after kernel init is done.
So only the kernel command line method is viable.

If no kernel command line option is specified, should the default
be to maintain compatibility, or do you think it's okay to make
the default be no extra interfaces?  They can AFAICT always be added
manually via 'ip link add' netlink commands.
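An added example (not from the thread or from the kernel tree) that lets an administrator see, from `ip -o link` output, which of the kernel's automatically created fallback tunnel devices exist in the current namespace, and what `fb_tunnels_only_for_init_net` is set to. The device names are the ones the in-kernel ipip, gre, sit, ip6_tunnel, ip6_gre, vti and vti6 modules create on their own; the `ip -o link` sample is constructed, not captured from a host, and the sysctl path is read only if it exists.

```shell
#!/bin/sh
# Added example, not part of the original thread: audit fallback tunnel
# devices in the current network namespace.

# Interface names the in-kernel tunnel modules create automatically
# (ipip, gre, sit, ip6_tunnel, ip6_gre, vti, vti6).
FB_TUNNEL_NAMES="tunl0 gre0 gretap0 erspan0 sit0 ip6tnl0 ip6gre0 ip_vti0 ip6_vti0"

# Print the fallback tunnel names found in `ip -o link` style input on stdin.
# Each input line looks like "3: tunl0@NONE: <NOARP> mtu 1480 ..."; the second
# field is the device name, possibly with "@link" and always with a trailing colon.
fallback_tunnels_in() {
    awk -v names="$FB_TUNNEL_NAMES" '
        BEGIN { n = split(names, want, " "); for (i = 1; i <= n; i++) known[want[i]] = 1 }
        {
            dev = $2
            sub(/:$/, "", dev)   # drop trailing colon
            sub(/@.*/, "", dev)  # drop "@NONE" / "@eth0" link suffix
            if (dev in known) print dev
        }'
}

# Current sysctl mode (0, 1 or 2 as the patch describes), or "unavailable"
# when /proc/sys is not readable, e.g. inside a sandbox.
fb_tunnel_mode() {
    f=/proc/sys/net/core/fb_tunnels_only_for_init_net
    if [ -r "$f" ]; then cat "$f"; else echo unavailable; fi
}

# Constructed sample of `ip -o link` output (not from a real host).
SAMPLE='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff
3: tunl0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN mode DEFAULT group default qlen 1000\    link/ipip 0.0.0.0 brd 0.0.0.0
4: gre0@NONE: <NOARP> mtu 1476 qdisc noop state DOWN mode DEFAULT group default qlen 1000\    link/gre 0.0.0.0 brd 0.0.0.0
5: sit0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN mode DEFAULT group default qlen 1000\    link/sit 0.0.0.0 brd 0.0.0.0
6: ip6tnl0@NONE: <NOARP> mtu 1452 qdisc noop state DOWN mode DEFAULT group default qlen 1000\    link/tunnel6 :: brd ::'

# Usage on a live host: ip -o link | fallback_tunnels_in
echo "fallback tunnel devices present:"
printf '%s\n' "$SAMPLE" | fallback_tunnels_in
echo "fb_tunnels_only_for_init_net=$(fb_tunnel_mode)"
```

On a real host, pipe `ip -o link` into `fallback_tunnels_in` instead of the sample; an empty result in a non-root namespace is what the existing sysctl value 1 produces, and an empty result in the root namespace is what the proposed value 2 would produce.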
