Matt Bennett <matt.bennett@xxxxxxxxxxxxxxxxxxx> writes:

> Previously the connector functionality could only be used by processes running in the
> default network namespace. This meant that any process that uses the connector functionality
> could not operate correctly when run inside a container. This is a draft patch series that
> attempts to now allow this functionality outside of the default network namespace.
>
> I see this has been discussed previously [1], but am not sure how my changes relate to all
> of the topics discussed there and/or if there are any unintended side
> effects from my draft

In a quick skim this patchset does not look like it approaches a correct
conversion to having code that works in multiple namespaces.

I will take the changes to proc_id_connector for example. You report the
values in the caller's current namespaces. Which means an unprivileged user
can create a user namespace and get connector to report whichever ids they
want to users in another namespace. AKA lie.

So this appears to make connector completely unreliable.

Eric

> changes.
>
> Thanks.
>
> [1] https://marc.info/?l=linux-kernel&m=150806196728365&w=2
>
> Matt Bennett (5):
>   connector: Use task pid helpers
>   connector: Use 'current_user_ns' function
>   connector: Ensure callback entry is released
>   connector: Prepare for supporting multiple namespaces
>   connector: Create connector per namespace
>
>  Documentation/driver-api/connector.rst |   6 +-
>  drivers/connector/cn_proc.c            | 110 +++++++-------
>  drivers/connector/cn_queue.c           |   9 +-
>  drivers/connector/connector.c          | 192 ++++++++++++++++++++-----
>  drivers/hv/hv_fcopy.c                  |   1 +
>  drivers/hv/hv_utils_transport.c        |   6 +-
>  drivers/md/dm-log-userspace-transfer.c |   6 +-
>  drivers/video/fbdev/uvesafb.c          |   8 +-
>  drivers/w1/w1_netlink.c                |  19 +--
>  include/linux/connector.h              |  38 +++--
>  include/net/net_namespace.h            |   4 +
>  kernel/exit.c                          |   2 +-
>  samples/connector/cn_test.c            |   6 +-
>  13 files changed, 286 insertions(+), 121 deletions(-)

_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linuxfoundation.org/mailman/listinfo/containers
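The objection Eric raises (reporting ids translated into the sender's current user namespace lets an unprivileged namespace choose what a receiver elsewhere sees) can be shown with a small userspace model of kuid translation. This is an added example, not code from the thread or from the connector patch series: the types and function names (ns_t, from_kuid_model, make_kuid_model, report_uid_in_sender_ns, report_uid_in_receiver_ns) and the uid_map contents are this example's own assumptions, modelled on the kernel's kuid_t/uid_map scheme rather than calling kernel API.

```c
/* Added example, not code from the e-mail thread or the connector patches.
 * A userspace model of kernel uid translation (a global kuid plus a
 * per-namespace uid_map), used to show why reporting ids in the sender's
 * current user namespace lets an unprivileged namespace lie to a receiver
 * in another namespace. Every name here (ns_t, from_kuid_model, ...) is
 * this example's own, not kernel API; all numbers are constructed. */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

#define OVERFLOW_UID 65534u    /* what the kernel shows for an unmapped id */
#define MAX_EXTENTS 4

/* One extent of a uid_map. As in the kernel's internal form, first_outside
 * is in global kuid numbering (the initial namespace's ids), so a single
 * lookup is enough even for nested namespaces. */
struct extent { uint32_t first_inside, first_outside, count; };

typedef struct {
    const char *name;
    int is_init;               /* initial namespace: identity mapping */
    struct extent map[MAX_EXTENTS];
    int nextents;
} ns_t;

typedef struct { uint32_t val; } kuid_t;   /* global identity of a user */

/* from_kuid: the number a process in `ns` sees for global user `k`. */
uint32_t from_kuid_model(const ns_t *ns, kuid_t k)
{
    if (ns->is_init) return k.val;
    for (int i = 0; i < ns->nextents; i++) {
        const struct extent *e = &ns->map[i];
        if (k.val >= e->first_outside && k.val - e->first_outside < e->count)
            return e->first_inside + (k.val - e->first_outside);
    }
    return OVERFLOW_UID;
}

/* make_kuid: the global user a process in `ns` means by local uid `uid`;
 * val == UINT32_MAX stands in for INVALID_UID when nothing maps. */
kuid_t make_kuid_model(const ns_t *ns, uint32_t uid)
{
    kuid_t k = { UINT32_MAX };
    if (ns->is_init) { k.val = uid; return k; }
    for (int i = 0; i < ns->nextents; i++) {
        const struct extent *e = &ns->map[i];
        if (uid >= e->first_inside && uid - e->first_inside < e->count) {
            k.val = e->first_outside + (uid - e->first_inside);
            return k;
        }
    }
    return k;
}

/* The pattern the review objects to: translate into the sender's own ns,
 * so the sender's uid_map decides the number everyone else reads. */
uint32_t report_uid_in_sender_ns(const ns_t *sender, kuid_t k)
{
    return from_kuid_model(sender, k);
}

/* The reliable pattern: translate into the receiver's ns, so the number
 * the receiver reads is what its own uid_map says about that global user. */
uint32_t report_uid_in_receiver_ns(const ns_t *receiver, kuid_t k)
{
    return from_kuid_model(receiver, k);
}

/* Constructed scenario: uid 1000 creates a user namespace and writes
 * "0 1000 1" to its uid_map, making itself "root" inside that namespace.
 * A second, unrelated namespace maps its root to kuid 2000. */
static const ns_t init_ns      = { "init",      1, {{0, 0, 0}},    0 };
static const ns_t container_ns = { "container", 0, {{0, 1000, 1}}, 1 };
static const ns_t other_ns     = { "other",     0, {{0, 2000, 1}}, 1 };

int main(void)
{
    kuid_t actor = make_kuid_model(&container_ns, 0);   /* "root" inside == kuid 1000 */
    printf("translated in sender ns  : uid %" PRIu32 " (a receiver in the init ns would read root)\n",
           report_uid_in_sender_ns(&container_ns, actor));
    printf("translated in init ns    : uid %" PRIu32 "\n",
           report_uid_in_receiver_ns(&init_ns, actor));
    printf("translated in unrelated ns: uid %" PRIu32 " (unmapped, overflow id)\n",
           report_uid_in_receiver_ns(&other_ns, actor));
    return 0;
}
```

The first line of output is the lie: the event carries uid 0 even though the global user is 1000. Translating with the receiver's namespace instead gives 1000 to a listener in the initial namespace and the overflow id to a listener whose uid_map does not cover that user, which is the behaviour a process already gets from stat() or /proc for the same user.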