lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20251201162524.18c919fd@kernel.org>
Date: Mon, 1 Dec 2025 16:25:24 -0800
From: Jakub Kicinski <kuba@...nel.org>
To: Cong Wang <xiyou.wangcong@...il.com>
Cc: netdev@...r.kernel.org, stephen@...workplumber.org, Cong Wang
 <cwang@...tikernel.io>
Subject: Re: [Patch net v5 4/9] net_sched: Prevent using netem duplication
 in non-initial user namespace

On Wed, 26 Nov 2025 11:52:39 -0800 Cong Wang wrote:
> The netem qdisc has a known security issue with packet duplication
> that makes it unsafe to use in unprivileged contexts. While netem
> typically requires CAP_NET_ADMIN to load, users with "root" privileges
> inside a user namespace also have CAP_NET_ADMIN within that namespace,
> allowing them to potentially exploit this feature.
> 
> To address this, we need to restrict the netem duplication to only the
> initial user namespace.

What gives us the confidence that this won't break existing setups?
Pretty sure we use user ns at Meta, tho not sure if any of our
workloads uses both those and netem dup.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ