From: Miroslav Lichvar <mlichvar@redhat.com>
To: Richard Cochran <richardcochran@gmail.com>
Cc: Jiri Benc <jbenc@redhat.com>, Hangbin Liu <liuhangbin@gmail.com>,
netdev@vger.kernel.org, David Miller <davem@davemloft.net>,
Patrick McHardy <kaber@trash.net>,
stefan.sorensen@spectralink.com
Subject: Re: [PATCH net-next] macvlan: pass get_ts_info and SIOC[SG]HWTSTAMP ioctl to real device
Date: Thu, 18 Apr 2019 10:05:09 +0200
Message-ID: <20190418080509.GD5984@localhost>
In-Reply-To: <20190418033157.irs25halxnemh65y@localhost>
On Wed, Apr 17, 2019 at 08:31:57PM -0700, Richard Cochran wrote:
> On Wed, Apr 17, 2019 at 08:59:58PM +0200, Jiri Benc wrote:
> > The problem here is this patch gives access to physical interface
> > settings through a virtual interface layered on top of it. Whenever
> > such thing is done, the virtual interface needs to provide a suitable
> > way of moderating access to the shared resources, so the individual
> > virtual interfaces do not affect each other. That's not what's being
> > done here.
>
> So I guess the macvlan should reject SIOCSHWTSTAMP but allow
> SIOCGHWTSTAMP.
FWIW, my suggestion was to limit what the SIOCSHWTSTAMP ioctl can do
on the virtual interface. It could only enable HW timestamping or
select a more general filter. A container could run a PTP clock if it
had also access to the PHC device, or it could have the NET_ADMIN
capability for other reasons, but it couldn't disable HW timestamping
enabled by the host or other container.
If I understand it correctly, even without this ioctl a container can
prevent the host or other containers from getting some of the HW
timestamps by requesting TX timestamps at a high rate. I suspect the
timestamping would need to be restricted to the real interface to
fully protect it from applications having access to the virtual
interfaces.
--
Miroslav Lichvar
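The restriction Miroslav proposes above, modelled as an added user-space example (not code from the patch, the thread or the kernel): a virtual interface's SIOCSHWTSTAMP request is accepted only if it keeps TX timestamping on and asks for an RX filter at least as general as the one already in force. The enum values and the `filter_covers` ordering are a constructed, simplified subset of the hwtstamp UAPI, and `vif_request_allowed` is a hypothetical name.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed subset of the hwtstamp_config fields; not the kernel's enums. */
enum tx_type { TX_OFF = 0, TX_ON = 1 };
enum rx_filter {
    FILTER_NONE = 0,          /* no RX timestamps at all */
    FILTER_PTP_V2_SYNC,       /* only PTPv2 Sync messages */
    FILTER_PTP_V2_DELAY_REQ,  /* only PTPv2 Delay_Req messages */
    FILTER_PTP_V2_EVENT,      /* every PTPv2 event message (covers the two above) */
    FILTER_ALL                /* every received packet (covers everything) */
};

struct ts_config { enum tx_type tx; enum rx_filter rx; };

/* True when filter `a` timestamps at least every packet that `b` does. */
bool filter_covers(enum rx_filter a, enum rx_filter b)
{
    if (a == b || a == FILTER_ALL || b == FILTER_NONE)
        return true;
    if (a == FILTER_PTP_V2_EVENT)
        return b == FILTER_PTP_V2_SYNC || b == FILTER_PTP_V2_DELAY_REQ;
    return false;
}

/* Policy for a request arriving through the virtual interface:
 * it may enable TX timestamping or widen the RX filter, but it may never
 * remove timestamps the host or another container already relies on. */
bool vif_request_allowed(const struct ts_config *cur, const struct ts_config *req)
{
    if (cur->tx == TX_ON && req->tx == TX_OFF)
        return false;                       /* would switch off TX stamps */
    return filter_covers(req->rx, cur->rx); /* only a more general filter */
}

int main(void)
{
    /* Constructed state: the host already runs PTP on the real device. */
    struct ts_config host = { TX_ON, FILTER_PTP_V2_EVENT };
    struct ts_config disable = { TX_OFF, FILTER_NONE };   /* must be refused */
    struct ts_config widen = { TX_ON, FILTER_ALL };       /* may be accepted */

    printf("disable allowed: %d\n", vif_request_allowed(&host, &disable));
    printf("widen allowed:   %d\n", vif_request_allowed(&host, &widen));
    return 0;
}
```

Note that, as the second paragraph of the mail points out, this check only bounds what a container can *configure*; it does nothing about a container consuming the device's TX timestamp capacity by requesting timestamps at a high rate.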