> From: linux-rdma-owner@xxxxxxxxxxxxxxx [mailto:linux-rdma-owner@xxxxxxxxxxxxxxx] On Behalf Of Jason Gunthorpe
> Sent: Tuesday, August 11, 2015 1:38 AM
> To: Weiny, Ira
> Cc: Haggai Eran; dledford@xxxxxxxxxx; linux-rdma@xxxxxxxxxxxxxxx
> Subject: Re: [PATCH] IB/sa: Restrict SA Netlink to admin users
>
> On Mon, Aug 10, 2015 at 05:58:30PM -0400, ira.weiny wrote:
>
> > Furthermore, the check in netlink_bind also uses the socket namespace
> > to restrict the use of multicast. This plus my checks should allow an
> > admin to place the SA proxy (ibacm in our test cases) in an alternate
> > network namespace if they so desire. But this is independent of the
> > namespace which may be used for data applications.
>
> I think Haggai is on to something, there is certainly a problem here: that
> netlink_bind will let a namespace subscribe is certainly a problem for what
> Haggai is working on.
>
> For now, I think, only root (or CAP_ whatever) in the init namespace should
> have access to this feature. Not sure how to check that.

netlink_capable(skb, CAP_NET_ADMIN) will do the trick.
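An added, operator-side companion to the check proposed in this thread (example code, not part of the linux-rdma discussion or of the kernel patch): netlink_capable(skb, CAP_NET_ADMIN) is satisfied only when the sender holds CAP_NET_ADMIN as evaluated in the initial user namespace, so a process that is "root" inside a child user namespace is rejected even though its own CapEff shows the bit set. The program below estimates whether the calling process (an SA proxy such as ibacm, say) would pass, by parsing CapEff from /proc/self/status and comparing its user namespace with that of PID 1. The sample status texts are constructed for the test; the helper names are this example's own. It approximates the kernel's decision from the current process's state, whereas the kernel evaluates the netlink socket's credentials, so a daemon that drops capabilities after opening its socket, or receives a socket from elsewhere, may be judged differently by the kernel.

```c
/* Added example: would this process pass netlink_capable(skb, CAP_NET_ADMIN)?
 * Two conditions are approximated: CAP_NET_ADMIN in the effective set, and
 * membership in the initial user namespace (the namespace netlink_capable
 * checks against). Not kernel code; helper names are this example's own. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <sys/stat.h>

#define CAP_NET_ADMIN 12          /* value from linux/capability.h */

/* Constructed /proc/<pid>/status excerpts used for the self-test. */
const char *SAMPLE_FULL_ROOT  = "Name:\tibacm\nCapEff:\t0000003fffffffff\nCapBnd:\t0000003fffffffff\n";
const char *SAMPLE_NET_ADMIN  = "Name:\tibacm\nCapEff:\t0000000000001000\n";
const char *SAMPLE_UNPRIV     = "Name:\tibacm\nCapEff:\t0000000000000000\n";
const char *SAMPLE_NO_CAPLINE = "Name:\tibacm\nState:\tS (sleeping)\n";

/* Extract the hex CapEff bitmask from status text. 0 on success, -1 if absent. */
int parse_cap_eff(const char *status_text, uint64_t *caps_out)
{
    const char *p = status_text;
    while (p && *p) {
        if (strncmp(p, "CapEff:", 7) == 0) {
            char *end;
            unsigned long long v = strtoull(p + 7, &end, 16); /* skips the tab */
            if (end == p + 7)
                return -1;
            *caps_out = (uint64_t)v;
            return 0;
        }
        p = strchr(p, '\n');
        if (p)
            p++;
    }
    return -1;
}

/* 1 if capability bit `cap` is set in `caps`, else 0. */
int cap_in_set(uint64_t caps, int cap)
{
    return cap >= 0 && cap < 64 && ((caps >> cap) & 1ULL) ? 1 : 0;
}

/* 1 / 0 for present / absent in the given status text, -1 if unparseable. */
int status_has_cap(const char *status_text, int cap)
{
    uint64_t caps;
    if (parse_cap_eff(status_text, &caps) != 0)
        return -1;
    return cap_in_set(caps, cap);
}

/* 1 if /proc/self/ns/user is the same namespace as PID 1's, 0 if not, -1 on error. */
int in_init_user_ns(void)
{
    struct stat self_st, init_st;
    if (stat("/proc/self/ns/user", &self_st) != 0 || stat("/proc/1/ns/user", &init_st) != 0)
        return -1;
    return (self_st.st_ino == init_st.st_ino && self_st.st_dev == init_st.st_dev) ? 1 : 0;
}

/* 1 = would pass, 0 = would be rejected with -EPERM, -1 = could not determine. */
int would_pass_netlink_capable(void)
{
    char status[8192];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return -1;
    size_t n = fread(status, 1, sizeof status - 1, f);
    fclose(f);
    status[n] = '\0';

    int has_cap = status_has_cap(status, CAP_NET_ADMIN);
    int init_ns = in_init_user_ns();
    if (has_cap < 0 || init_ns < 0)
        return -1;
    return (has_cap && init_ns) ? 1 : 0;
}

int main(void)
{
    int r = would_pass_netlink_capable();
    if (r < 0)
        puts("could not determine (no /proc?)");
    else
        printf("netlink_capable(skb, CAP_NET_ADMIN) would %s for this process\n",
               r ? "succeed" : "fail");
    return 0;
}
```

Run it once as a normal user, once as root, and once as root inside `unshare -Ur`: only the second case reports success, which is the property the thread is after (the SA netlink interface stays closed to a "root" that exists only in a child user namespace).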