From: Michael J Coss <michael.coss@alcatel-lucent.com>
To: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: gregkh@linuxfoundation.org, davem@davemloft.net,
linux-kernel@vger.kernel.org,
containers@lists.linuxcontainers.org, serge.hallyn@ubuntu.com,
stgraber@ubuntu.com
Subject: Re: [PATCH 1/3] lib/kobject_uevent.c: disable broadcast of uevents to other namespaces
Date: Fri, 11 Sep 2015 14:21:13 -0400
Message-ID: <55F31B99.2020907@alcatel-lucent.com>
In-Reply-To: <87zj0tyeq3.fsf@x220.int.ebiederm.org>
On 9/10/2015 8:36 PM, Eric W. Biederman wrote:
> "Michael J. Coss" <michael.coss@alcatel-lucent.com> writes:
>
>> Restrict sending uevents to only those listeners operating in the same
>> network namespace as the system init process. This is the first step
>> toward allowing policy control of the forwarding of events to other
>> namespaces in userspace.
> This limitation would be better if we only skipped network namespaces
> where you are sending spoofed uevents.
>
> As it sits this has the possibility to break userspace.
>
> Eric
>
While I don't necessarily see how this could cause an issue with
userspace, I agree that it could be made to work that way and accomplish
the same goal and be even more transparent. I would think that it would
require some state in the network namespace that would be settable to
say enable/disable host uevent broadcasts across this particular netlink
socket.
---Michael J Coss