On Tue, Jul 9, 2019 at 4:38 PM Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx> wrote:
> On Tue, Jul 09, 2019 at 01:11:24PM +0200, Ondrej Mosnacek wrote:
> > Currently, NETLINK_CRYPTO works only in the init network namespace. It
> > doesn't make much sense to cut it out of the other network namespaces,
> > so do the minor plumbing work necessary to make it work in any network
> > namespace. Code inspired by net/core/sock_diag.c.
> >
> > Tested using kcapi-dgst from libkcapi [1]:
> > Before:
> > # unshare -n kcapi-dgst -c sha256 </dev/null | wc -c
> > libkcapi - Error: Netlink error: sendmsg failed
> > libkcapi - Error: Netlink error: sendmsg failed
> > libkcapi - Error: NETLINK_CRYPTO: cannot obtain cipher information for hmac(sha512) (is required crypto_user.c patch missing? see documentation)
> > 0
> >
> > After:
> > # unshare -n kcapi-dgst -c sha256 </dev/null | wc -c
> > 32
> >
> > [1] https://github.com/smuellerDD/libkcapi
> >
> > Signed-off-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx>
>
> Should we really let root inside a namespace manipulate crypto
> algorithms which are global?

I admit I'm not an expert on Linux namespaces, but aren't you confusing
network and user namespaces? Unless I'm mistaken, these changes only
affect _network_ namespaces (which only isolate the network stuff itself)
and the semantics of the netlink_capable(skb, CAP_NET_ADMIN) calls remain
unchanged - they check if the opener of the socket has the CAP_NET_ADMIN
capability within the global _user_ namespace.

> I think we should only allow the query operations without deeper
> surgery.
>
> Cheers,
> --
> Email: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
> Home Page: http://gondor.apana.org.au/~herbert/
> PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

--
Ondrej Mosnacek <omosnace at redhat dot com>
Software Engineer, Security Technologies
Red Hat, Inc.