Date: Tue, 10 Oct 2023 21:51:24 +0000
From: David Laight <David.Laight@...LAB.COM>
To: "'Eric W. Biederman'" <ebiederm@...ssion.com>
CC: Toke Høiland-Jørgensen <toke@...hat.com>, "David Ahern" <dsahern@...il.com>, Stephen Hemminger <stephen@...workplumber.org>, "netdev@...r.kernel.org" <netdev@...r.kernel.org>, Nicolas Dichtel <nicolas.dichtel@...nd.com>, Christian Brauner <brauner@...nel.org>
Subject: RE: [RFC PATCH iproute2-next 0/5] Persisting of mount namespaces along with network namespaces

From: Eric W. Biederman
> Sent: 10 October 2023 20:33
> 
> David Laight <David.Laight@...LAB.COM> writes:
> 
> > From: Eric W. Biederman
> >> Sent: 09 October 2023 21:33
> >>
...
> > When I was getting a program to run in multiple network namespaces
> > (has sockets in 2 namespaces) I rather expected that netns(net_ns_fd,0)
> > would 'magically' change /proc/net to refer to the new namespace.
> > I think that could be done in the code that follows the /proc/net
> > mountpoint - IIRC something similar is done for /proc/self.
> 
> /proc/self/net does follow your current network namespace last I looked.
> 
> Of course if you are threaded you may need to look at
> /proc/thread-self/net as your network namespace is per thread.

Yes, I remember that now, and /proc/net is the wrong symlink.


> It is also quite evil.  The problem is that having different entries
> cached under the same name is a major mess.  Ever since I made that
> mistake I have been aiming at designs that don't fight the dcache.
> 
> Even in that case I think I limited it to just an entry where
> ugliness happens.

It is nice from a user point of view...

I'd guess a 'magic symlink' that points off somewhere fixed
would be a little cleaner.

> > However that would need flags to both setns() and 'ip netns exec'
> > since programs will rely on the existing behaviour.
> 
> You might want to look again.

The problem was with /sys/class/net.

I ended up doing:
	ip netns exec fubar program args 3</sys/class/net

So that open("/sys/class/net/xxx") was inside the fubar namespace
and openat(3, "xxx") was in the default namespace.

But I think:
> On "ip netns add NAME"
> - create the network namespace and mount it at /run/netns/NAME
> - mount the appropriate sysfs at /run/netns-mounts/NAME/sys
> - mount the appropriate bpffs at /run/netns-mounts/NAME/sys/fs/bpf

would make it possible for a program to read (eg)
/sys/class/net/interface/speed for interfaces in multiple
network namespaces.

	David

-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)
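The "3</sys/class/net" trick above works because a directory fd inherited from the default namespace keeps pointing at that namespace's sysfs after "ip netns exec" has switched the process to another one, so openat() on fd 3 and open() on "/sys/class/net" reach different interfaces under the same names. The following is an added example (not code from this thread or from iproute2) of a program written to use it; the helper name, the fd-3 convention and the fake sysfs tree used for testing are assumptions.

```c
/* Read per-interface sysfs attributes relative to a directory fd, so the
 * same code serves the namespace the program runs in (open("/sys/class/net"))
 * and the one inherited on fd 3 via "ip netns exec fubar prog 3</sys/class/net".
 * Helper name and fd-3 convention are this example's assumptions. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Read "<dirfd>/<iface>/<attr>" into buf, dropping trailing whitespace.
 * Returns the number of bytes stored, or -1 on error (missing attribute,
 * bad dirfd, oversized name). */
ssize_t netdev_read_attr(int dirfd, const char *iface, const char *attr,
                         char *buf, size_t len)
{
    char rel[256];
    if (len == 0 ||
        snprintf(rel, sizeof rel, "%s/%s", iface, attr) >= (int)sizeof rel)
        return -1;
    int fd = openat(dirfd, rel, O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return -1;
    ssize_t n = read(fd, buf, len - 1);
    close(fd);
    if (n < 0)
        return -1;
    while (n > 0 && (buf[n - 1] == '\n' || buf[n - 1] == ' '))
        n--;
    buf[n] = '\0';
    return n;
}

int main(int argc, char **argv)
{
    const char *iface = argc > 1 ? argv[1] : "lo";
    char val[64];
    /* Check fd 3 before opening anything else: if the caller did not redirect
     * it, the next open() would itself land on fd 3 and be mistaken for it. */
    int have_default = fcntl(3, F_GETFD) >= 0;
    /* The namespace the program runs in, e.g. "fubar" under ip netns exec. */
    int cur = open("/sys/class/net", O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (cur >= 0 && netdev_read_attr(cur, iface, "operstate", val, sizeof val) >= 0)
        printf("current netns: %s operstate=%s\n", iface, val);
    /* fd 3 still refers to the default namespace's sysfs, if it was passed. */
    if (have_default && netdev_read_attr(3, iface, "operstate", val, sizeof val) >= 0)
        printf("default netns (fd 3): %s operstate=%s\n", iface, val);
    return 0;
}
```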
