On Tue, Aug 11, 2015 at 05:27:17AM -0600, Wan, Kaike wrote: > > From: linux-rdma-owner@xxxxxxxxxxxxxxx [mailto:linux-rdma- > > owner@xxxxxxxxxxxxxxx] On Behalf Of Jason Gunthorpe > > Sent: Tuesday, August 11, 2015 1:38 AM > > To: Weiny, Ira > > Cc: Haggai Eran; dledford@xxxxxxxxxx; linux-rdma@xxxxxxxxxxxxxxx > > Subject: Re: [PATCH] IB/sa: Restrict SA Netlink to admin users > > > > On Mon, Aug 10, 2015 at 05:58:30PM -0400, ira.weiny wrote: > > > > > Furthermore, the check in netlink_bind also uses the socket namespace > > > to restrict the use of multicast. This plus my checks should allow an > > > admin to place the SA proxy (ibacm in our test cases) in an alternate > > > network namespace if they so desire. But this is independent to the > > > namespace which may be used for data applications. > > > > I think Haggai is on to something, there is certainly a problem here, that > > netlink_bind will let a namespace subscribe is a certainly a problem for what > > Haggai is working on. > > > > For now, I think, only root (or CAP_ whatever) in the init namespace should > > have access to this feature. Not sure how to check that. > > netlink_capable(skb, CAP_NET_ADMIN) will do the trick. For these calls yes. For the bind call I think we need to investigate more. Ira -- To unsubscribe from this list: send the line "unsubscribe linux-rdma" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html