Open Source and information security mailing list archives
Message-ID: <aS/Nk8ujLJttzKNo@pop-os.localdomain>
Date: Tue, 2 Dec 2025 21:41:39 -0800
From: Cong Wang <xiyou.wangcong@...il.com>
To: Jakub Kicinski <kuba@...nel.org>
Cc: netdev@...r.kernel.org, stephen@...workplumber.org, Cong Wang <cwang@...tikernel.io>
Subject: Re: [Patch net v5 4/9] net_sched: Prevent using netem duplication in non-initial user namespace

On Mon, Dec 01, 2025 at 04:25:24PM -0800, Jakub Kicinski wrote:
> On Wed, 26 Nov 2025 11:52:39 -0800 Cong Wang wrote:
> > The netem qdisc has a known security issue with packet duplication
> > that makes it unsafe to use in unprivileged contexts. While netem
> > typically requires CAP_NET_ADMIN to load, users with "root" privileges
> > inside a user namespace also have CAP_NET_ADMIN within that namespace,
> > allowing them to potentially exploit this feature.
> >
> > To address this, we need to restrict the netem duplication to only the
> > initial user namespace.
>
> What gives us the confidence that this won't break existing setups?
> Pretty sure we use user ns at Meta, tho not sure if any of our
> workloads uses both those and netem dup.

All the reports (https://bugzilla.kernel.org/show_bug.cgi?id=220774) we had
so far didn't mention user namespace. This is the only data point I have.

I can drop this patch, but I am not sure if patch 3/9 is sufficient to
convince Will on user namespace security.

Regards,
Cong
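Editor's added example (not code from this thread or from the netem patch series): the premise under discussion is that "root" inside an unprivileged user namespace holds CAP_NET_ADMIN over its own netns and can therefore attach netem with packet duplication. The probe below reproduces exactly that path on a host so you can see whether the kernel you run still allows it. It assumes util-linux unshare and iproute2 (ip, tc) are installed; the return codes and the describe_probe_result verdict strings are this example's own convention, not anything from the kernel or the patch.

```shell
#!/bin/sh
# Added probe (not code from the thread or the netem patch series): can an
# unprivileged user on this host, as "root" inside a fresh user+net namespace,
# attach netem with packet duplication? Assumes util-linux unshare and iproute2.

# Return codes of netem_dup_probe (this example's convention):
#   0  netem duplicate was configured inside an unprivileged user namespace
#   1  the kernel refused it (restricted netem, sch_netem not loaded, or policy)
#   2  probe could not run here (tools missing, user namespaces disabled)
netem_dup_probe() {
    for tool in unshare ip tc; do
        command -v "$tool" >/dev/null 2>&1 || return 2
    done
    # Unprivileged user namespaces are often disabled (sysctl or container policy).
    unshare -Urn true >/dev/null 2>&1 || return 2
    # Inside the new namespaces the caller holds CAP_NET_ADMIN over that netns
    # only, which is the situation the patch discusses. sch_netem cannot be
    # autoloaded from a non-initial user namespace, so a 1 may simply mean the
    # module is not loaded on the host.
    if unshare -Urn sh -c '
            ip link set lo up &&
            tc qdisc add dev lo root netem duplicate 50% &&
            tc qdisc show dev lo | grep -q "duplicate"' >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# Map a probe result to a one-line verdict for a report.
describe_probe_result() {
    case "$1" in
        0) echo "REACHABLE: netem duplication attachable from an unprivileged user namespace" ;;
        1) echo "REFUSED: kernel did not allow netem duplication in a user namespace" ;;
        2) echo "SKIPPED: cannot create unprivileged user+net namespaces on this host" ;;
        *) echo "UNKNOWN result code: $1" ;;
    esac
}

# Usage: run as an unprivileged user on the host you want to assess.
rc=0
netem_dup_probe || rc=$?
describe_probe_result "$rc"
```

Run it as a normal user, not as root, or the user namespace will be created by a caller that already holds CAP_NET_ADMIN in the initial namespace and the result proves nothing. Load sch_netem on the host first (modprobe sch_netem, as root) before treating a REFUSED verdict as evidence that duplication is restricted, since the module cannot be autoloaded from inside the namespace.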