Message-ID: <k4tqyp7wlnbmcntmvzp7oawacfofnnzdi5cjwlj6djxtlo6xai@44ivtv4kgjz2>
Date: Mon, 27 Oct 2025 14:28:31 +0100
From: Stefano Garzarella <sgarzare@...hat.com>
To: Bobby Eshleman <bobbyeshleman@...il.com>
Cc: Shuah Khan <shuah@...nel.org>, "David S. Miller" <davem@...emloft.net>,
Eric Dumazet <edumazet@...gle.com>, Jakub Kicinski <kuba@...nel.org>,
Paolo Abeni <pabeni@...hat.com>, Simon Horman <horms@...nel.org>,
Stefan Hajnoczi <stefanha@...hat.com>, "Michael S. Tsirkin" <mst@...hat.com>,
Jason Wang <jasowang@...hat.com>, Xuan Zhuo <xuanzhuo@...ux.alibaba.com>,
Eugenio Pérez <eperezma@...hat.com>, "K. Y. Srinivasan" <kys@...rosoft.com>,
Haiyang Zhang <haiyangz@...rosoft.com>, Wei Liu <wei.liu@...nel.org>, Dexuan Cui <decui@...rosoft.com>,
Bryan Tan <bryan-bt.tan@...adcom.com>, Vishnu Dasa <vishnu.dasa@...adcom.com>,
Broadcom internal kernel review list <bcm-kernel-feedback-list@...adcom.com>, virtualization@...ts.linux.dev, netdev@...r.kernel.org,
linux-kselftest@...r.kernel.org, linux-kernel@...r.kernel.org, kvm@...r.kernel.org,
linux-hyperv@...r.kernel.org, berrange@...hat.com, Bobby Eshleman <bobbyeshleman@...a.com>
Subject: Re: [PATCH net-next v8 00/14] vsock: add namespace support to vhost-vsock

Hi Bobby,

On Thu, Oct 23, 2025 at 11:27:39AM -0700, Bobby Eshleman wrote:
>This series adds namespace support to vhost-vsock and loopback. It does
>not add namespaces to any of the other guest transports (virtio-vsock,
>hyperv, or vmci).
>
>The current revision supports two modes: local and global. Local
>mode is complete isolation of namespaces, while global mode is complete
>sharing between namespaces of CIDs (the original behavior).
>
>The mode is set using /proc/sys/net/vsock/ns_mode.
>
>Modes are per-netns and write-once. This allows a system to configure
>namespaces independently (some may share CIDs, others are completely
>isolated). This also supports future possible mixed use cases, where
>there may be namespaces in global mode spinning up VMs while there are
>mixed mode namespaces that provide services to the VMs, but are not
>allowed to allocate from the global CID pool (this mode not implemented
>in this series).
>
>If a socket or VM is created when a namespace is global but the
>namespace changes to local, the socket or VM will continue working
>normally. That is, the socket or VM assumes the mode behavior of the
>namespace at the time the socket/VM was created. The original mode is
>captured in vsock_create() and so occurs at the time of socket(2) and
>accept(2) for sockets and open(2) on /dev/vhost-vsock for VMs. This
>prevents a socket/VM connection from suddenly breaking due to a
>namespace mode change. Any new sockets/VMs created after the mode change
>will adopt the new mode's behavior.
>
>Additionally, added tests for the new namespace features:
>
>tools/testing/selftests/vsock/vmtest.sh
>1..30
>ok 1 vm_server_host_client
>ok 2 vm_client_host_server
>ok 3 vm_loopback
>ok 4 ns_host_vsock_ns_mode_ok
>ok 5 ns_host_vsock_ns_mode_write_once_ok
>ok 6 ns_global_same_cid_fails
>ok 7 ns_local_same_cid_ok
>ok 8 ns_global_local_same_cid_ok
>ok 9 ns_local_global_same_cid_ok
>ok 10 ns_diff_global_host_connect_to_global_vm_ok
>ok 11 ns_diff_global_host_connect_to_local_vm_fails
>ok 12 ns_diff_global_vm_connect_to_global_host_ok
>ok 13 ns_diff_global_vm_connect_to_local_host_fails
>ok 14 ns_diff_local_host_connect_to_local_vm_fails
>ok 15 ns_diff_local_vm_connect_to_local_host_fails
>ok 16 ns_diff_global_to_local_loopback_local_fails
>ok 17 ns_diff_local_to_global_loopback_fails
>ok 18 ns_diff_local_to_local_loopback_fails
>ok 19 ns_diff_global_to_global_loopback_ok
>ok 20 ns_same_local_loopback_ok
>ok 21 ns_same_local_host_connect_to_local_vm_ok
>ok 22 ns_same_local_vm_connect_to_local_host_ok
>ok 23 ns_mode_change_connection_continue_vm_ok
>ok 24 ns_mode_change_connection_continue_host_ok
>ok 25 ns_mode_change_connection_continue_both_ok
>ok 26 ns_delete_vm_ok
>ok 27 ns_delete_host_ok
>ok 28 ns_delete_both_ok
>ok 29 ns_loopback_global_global_late_module_load_ok
>ok 30 ns_loopback_local_local_late_module_load_fails
>SUMMARY: PASS=30 SKIP=0 FAIL=0
>
>Dependent on series:
>https://lore.kernel.org/all/20251022-vsock-selftests-fixes-and-improvements-v1-0-edeb179d6463@meta.com/
>
>Thanks again for everyone's help and reviews!
>
>Signed-off-by: Bobby Eshleman <bobbyeshleman@...il.com>
>To: Stefano Garzarella <sgarzare@...hat.com>
>To: Shuah Khan <shuah@...nel.org>
>To: David S. Miller <davem@...emloft.net>
>To: Eric Dumazet <edumazet@...gle.com>
>To: Jakub Kicinski <kuba@...nel.org>
>To: Paolo Abeni <pabeni@...hat.com>
>To: Simon Horman <horms@...nel.org>
>To: Stefan Hajnoczi <stefanha@...hat.com>
>To: Michael S. Tsirkin <mst@...hat.com>
>To: Jason Wang <jasowang@...hat.com>
>To: Xuan Zhuo <xuanzhuo@...ux.alibaba.com>
>To: Eugenio Pérez <eperezma@...hat.com>
>To: K. Y. Srinivasan <kys@...rosoft.com>
>To: Haiyang Zhang <haiyangz@...rosoft.com>
>To: Wei Liu <wei.liu@...nel.org>
>To: Dexuan Cui <decui@...rosoft.com>
>To: Bryan Tan <bryan-bt.tan@...adcom.com>
>To: Vishnu Dasa <vishnu.dasa@...adcom.com>
>To: Broadcom internal kernel review list <bcm-kernel-feedback-list@...adcom.com>
>Cc: virtualization@...ts.linux.dev
>Cc: netdev@...r.kernel.org
>Cc: linux-kselftest@...r.kernel.org
>Cc: linux-kernel@...r.kernel.org
>Cc: kvm@...r.kernel.org
>Cc: linux-hyperv@...r.kernel.org
>Cc: berrange@...hat.com
>
>Changes in v8:
>- Break generic cleanup/refactoring patches into standalone series,
> remove those from this series
Yep, thanks for splitting the series. I'll review it ASAP since it's a
dependency.

I was at the GSoC mentor summit last week, so I'm a bit busy with the backlog,
but I'll do my best to review both series this week.

Thanks,
Stefano
>- Link to dependency: https://lore.kernel.org/all/20251022-vsock-selftests-fixes-and-improvements-v1-0-edeb179d6463@meta.com/
>- Link to v7: https://lore.kernel.org/r/20251021-vsock-vmtest-v7-0-0661b7b6f081@meta.com
>
>Changes in v7:
>- fix hv_sock build
>- break out vmtest patches into distinct, more well-scoped patches
>- change `orig_net_mode` to `net_mode`
>- many fixes and style changes in per-patch change sets (see individual
> patches for specific changes)
>- optimize `virtio_vsock_skb_cb` layout
>- update commit messages with more useful descriptions
>- vsock_loopback: use orig_net_mode instead of current net mode
>- add tests for edge cases (ns deletion, mode changing, loopback module
> load ordering)
>- Link to v6: https://lore.kernel.org/r/20250916-vsock-vmtest-v6-0-064d2eb0c89d@meta.com
>
>Changes in v6:
>- define behavior when mode changes to local while socket/VM is alive
>- af_vsock: clarify description of CID behavior
>- af_vsock: use stronger language around CID rules (don't use "may")
>- af_vsock: improve naming of buf/buffer
>- af_vsock: improve string length checking on proc writes
>- vsock_loopback: add space in struct to clarify lock protection
>- vsock_loopback: do proper cleanup/unregister on vsock_loopback_exit()
>- vsock_loopback: use virtio_vsock_skb_net() instead of sock_net()
>- vsock_loopback: set loopback to NULL after kfree()
>- vsock_loopback: use pernet_operations and remove callback mechanism
>- vsock_loopback: add macros for "global" and "local"
>- vsock_loopback: fix length checking
>- vmtest.sh: check for namespace support in vmtest.sh
>- Link to v5: https://lore.kernel.org/r/20250827-vsock-vmtest-v5-0-0ba580bede5b@meta.com
>
>Changes in v5:
>- /proc/net/vsock_ns_mode -> /proc/sys/net/vsock/ns_mode
>- vsock_global_net -> vsock_global_dummy_net
>- fix netns lookup in vhost_vsock to respect pid namespaces
>- add callbacks for vsock_loopback to avoid circular dependency
>- vmtest.sh loads vsock_loopback module
>- remove vsock_net_mode_can_set()
>- change vsock_net_write_mode() to return true/false based on success
>- make vsock_net_mode enum instead of u8
>- Link to v4: https://lore.kernel.org/r/20250805-vsock-vmtest-v4-0-059ec51ab111@meta.com
>
>Changes in v4:
>- removed RFC tag
>- implemented loopback support
>- renamed new tests to better reflect behavior
>- completed suite of tests with permutations of ns modes and vsock_test
> as guest/host
>- simplified socat bridging with unix socket instead of tcp + veth
>- only use vsock_test for success case, socat for failure case (context
> in commit message)
>- lots of cleanup
>
>Changes in v3:
>- add notion of "modes"
>- add procfs /proc/net/vsock_ns_mode
>- local and global modes only
>- no /dev/vhost-vsock-netns
>- vmtest.sh already merged, so new patch just adds new tests for NS
>- Link to v2:
> https://lore.kernel.org/kvm/20250312-vsock-netns-v2-0-84bffa1aa97a@gmail.com
>
>Changes in v2:
>- only support vhost-vsock namespaces
>- all g2h namespaces retain old behavior, only common API changes
> impacted by vhost-vsock changes
>- add /dev/vhost-vsock-netns for "opt-in"
>- leave /dev/vhost-vsock to old behavior
>- removed netns module param
>- Link to v1:
> https://lore.kernel.org/r/20200116172428.311437-1-sgarzare@redhat.com
>
>Changes in v1:
>- added 'netns' module param to vsock.ko to enable the
> network namespace support (disabled by default)
>- added 'vsock_net_eq()' to check the "net" assigned to a socket
> only when 'netns' support is enabled
>- Link to RFC: https://patchwork.ozlabs.org/cover/1202235/
>
>---
>Bobby Eshleman (14):
> vsock: a per-net vsock NS mode state
> vsock/virtio: pack struct virtio_vsock_skb_cb
> vsock: add netns to vsock skb cb
> vsock: add netns to vsock core
> vsock/loopback: add netns support
> vsock/virtio: add netns to virtio transport common
> vhost/vsock: add netns support
> selftests/vsock: add namespace helpers to vmtest.sh
> selftests/vsock: prepare vm management helpers for namespaces
> selftests/vsock: add tests for proc sys vsock ns_mode
> selftests/vsock: add namespace tests for CID collisions
> selftests/vsock: add tests for host <-> vm connectivity with namespaces
> selftests/vsock: add tests for namespace deletion and mode changes
> selftests/vsock: add tests for module loading order
>
> MAINTAINERS | 1 +
> drivers/vhost/vsock.c | 48 +-
> include/linux/virtio_vsock.h | 47 +-
> include/net/af_vsock.h | 70 ++-
> include/net/net_namespace.h | 4 +
> include/net/netns/vsock.h | 22 +
> net/vmw_vsock/af_vsock.c | 264 +++++++-
> net/vmw_vsock/virtio_transport.c | 7 +-
> net/vmw_vsock/virtio_transport_common.c | 21 +-
> net/vmw_vsock/vsock_loopback.c | 89 ++-
> tools/testing/selftests/vsock/vmtest.sh | 1044 ++++++++++++++++++++++++++++++-
> 11 files changed, 1532 insertions(+), 85 deletions(-)
>---
>base-commit: 962ac5ca99a5c3e7469215bf47572440402dfd59
>change-id: 20250325-vsock-vmtest-b3a21d2102c2
>prerequisite-message-id: <20251022-vsock-selftests-fixes-and-improvements-v1-0-edeb179d6463@...a.com>
>
>Best regards,
>--
>Bobby Eshleman <bobbyeshleman@...a.com>
>
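
The namespace mode rules described in the quoted cover letter, as an added example that is not part of this thread or of the patch series: a small Python model of per-netns write-once modes, the mode snapshot taken at socket/VM creation, and CID pool scoping. All class and function names are hypothetical; the initial global mode and the same-netns case are assumptions, and the reachability rule is inferred from the selftest names listed above.

```python
# Toy model of the vsock ns_mode rules from the cover letter (not kernel code).
GLOBAL, LOCAL = "global", "local"

class Netns:
    def __init__(self, name):
        self.name = name
        self.mode = GLOBAL        # assumption: starts with the original behaviour
        self._written = False

    def write_ns_mode(self, mode):
        """Stands in for a write to /proc/sys/net/vsock/ns_mode (write-once)."""
        if mode not in (GLOBAL, LOCAL):
            raise ValueError(f"unknown mode {mode!r}")
        if self._written:
            raise PermissionError(f"{self.name}: ns_mode already written")
        self.mode, self._written = mode, True

class Endpoint:
    """A socket or VM; it keeps the mode its netns had when it was created."""
    def __init__(self, net, cid):
        self.net, self.cid = net, cid
        self.net_mode = net.mode  # snapshot, unaffected by later mode writes

class CidPool:
    """Global-mode endpoints share one CID pool; local mode is per netns."""
    def __init__(self):
        self._used = set()

    def create(self, net, cid):
        scope = None if net.mode == GLOBAL else net
        if (scope, cid) in self._used:
            raise FileExistsError(f"CID {cid} already in use")
        self._used.add((scope, cid))
        return Endpoint(net, cid)

def can_reach(a, b):
    """Rule inferred from the selftest names: same netns, or both global."""
    if a.net is b.net:            # assumption: same netns is always reachable
        return True
    return a.net_mode == GLOBAL and b.net_mode == GLOBAL
```
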