On Tue, Mar 02, 2021 at 09:47:10AM +0000, Lorenz Bauer wrote: > On Mon, 1 Mar 2021 at 10:04, Christian Brauner > <christian.brauner@xxxxxxxxxx> wrote: > > > > Hey Lorenz, > > > > Just to make sure: is it intentional that any user can retrieve the > > cookie associated with any network namespace, i.e. you don't require any > > form of permission checking in the owning user namespace of the network > > namespace? > > > > Christian > > Hi Christian, > > I've decided to drop the patch set for now, but that was my intention, yes. Is > there a downside I'm not aware of? It depends on whether this cookie is in any way security or at least information sensitive. For example, would leaking it between unprivileged containers with different user+network namespace pairs allow one container to gain access to information about the other container that it shouldn't. Christian
