From: Evgeniy Polyakov <zbr@ioremap.net>
To: "ebiederm@xmission.com" <ebiederm@xmission.com>,
	Matt Bennett <matt.bennett@alliedtelesis.co.nz>
Cc: "netdev@vger.kernel.org" <netdev@vger.kernel.org>,
	"containers@lists.linux-foundation.org"
	<containers@lists.linux-foundation.org>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH 0/5] RFC: connector: Add network namespace awareness
Date: Thu, 10 Sep 2020 18:04:56 +0300
Message-ID: <74141599750086@mail.yandex.ru>
In-Reply-To: <87lfjn9s3v.fsf@x220.int.ebiederm.org>

   Hi everyone

   13.07.2020, 21:42, "Eric W. Biederman" <ebiederm@xmission.com>:

     Which means an unprivileged user can create a user namespace and get
     connector to report whichever ids they want to users in another
     namespace. AKA lie.

     So this appears to make connector completely unreliable.

     My sense is that there are few enough uses of connector that if you
     don't mind changing your code so that it works in a container (and the
     pidfd support appears to already provide what you need) that is
     probably the path of least resistance.

     I don't think maintaining connector support would be much more work
     than it is now, if someone went through and did the work to carefully
     convert the code. So if someone really wants to use connector we can
     namespace the code.

     Otherwise it probably makes sense to let the few users gradually stop
     using connector so the code can eventually be removed.

   Such a nice bright future for connector you depict here, disregarding
   others' work and this contribution, Eric :)

   If we can overcome the issue shown above with invalid ids, connector
   can still get a few more years to live, don't you want to give it a
   chance?

     Please check out the pidfd support and tell us how it meets your
     needs. If there is something that connector really does better it
     would be good to know.