From: ebiederm@xmission.com (Eric W. Biederman)
To: David Miller <davem@davemloft.net>
Cc: Serge Hallyn <serue@us.ibm.com>,
Linux Containers <containers@lists.osdl.org>,
Daniel Lezcano <daniel.lezcano@free.fr>,
netdev@vger.kernel.org, Pavel Emelyanov <xemul@parallels.com>
Subject: [PATCH 8/8] af_unix: Allow connecting to sockets in other network namespaces.
Date: Sun, 13 Jun 2010 06:35:48 -0700 [thread overview]
Message-ID: <m11vcbgimj.fsf@fess.ebiederm.org> (raw)
In-Reply-To: <m1hbl7hxo3.fsf@fess.ebiederm.org> (Eric W. Biederman's message of "Sun\, 13 Jun 2010 06\:25\:32 -0700")
Remove the restriction that only allows connecting to a unix domain
socket identified by unix path that is in the same network namespace.
Crossing network namespaces is always tricky and we did not support
this at first, because of a strict policy of don't mix the namespaces.
Later after Pavel proposed this we did not support this because no one
had performed the audit to make certain using unix domain sockets
across namespaces is safe.
What fundamentally makes connecting to af_unix sockets in other
namespaces is safe is that you have to have the proper permissions on
the unix domain socket inode that lives in the filesystem. If you
want strict isolation you just don't create inodes where unfriendlys
can get at them, or with permissions that allow unfriendlys to open
them. All nicely handled for us by the mount namespace and other
standard file system facilities.
I looked through unix domain sockets and they are a very controlled
environment so none of the work that goes on in dev_forward_skb to
make crossing namespaces safe appears needed, we are not loosing
controll of the skb and so do not need to set up the skb to look like
it is comming in fresh from the outside world. Further the fields in
struct unix_skb_parms should not have any problems crossing network
namespaces.
Now that we handle SCM_CREDENTIALS in a way that gives useable values
across namespaces. There does not appear to be any operational
problems with encouraging the use of unix domain sockets across
containers either.
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
---
net/unix/af_unix.c | 7 ++-----
1 files changed, 2 insertions(+), 5 deletions(-)
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index 78d412a..4aaff40 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -282,7 +282,7 @@ static inline struct sock *unix_find_socket_byname(struct net *net,
return s;
}
-static struct sock *unix_find_socket_byinode(struct net *net, struct inode *i)
+static struct sock *unix_find_socket_byinode(struct inode *i)
{
struct sock *s;
struct hlist_node *node;
@@ -292,9 +292,6 @@ static struct sock *unix_find_socket_byinode(struct net *net, struct inode *i)
&unix_socket_table[i->i_ino & (UNIX_HASH_SIZE - 1)]) {
struct dentry *dentry = unix_sk(s)->dentry;
- if (!net_eq(sock_net(s), net))
- continue;
-
if (dentry && dentry->d_inode == i) {
sock_hold(s);
goto found;
@@ -757,7 +754,7 @@ static struct sock *unix_find_other(struct net *net,
err = -ECONNREFUSED;
if (!S_ISSOCK(inode->i_mode))
goto put_fail;
- u = unix_find_socket_byinode(net, inode);
+ u = unix_find_socket_byinode(inode);
if (!u)
goto put_fail;
--
1.6.5.2.143.g8cc62
WARNING: multiple messages have this Message-ID (diff)
From: ebiederm@xmission.com (Eric W. Biederman)
To: David Miller <davem@davemloft.net>
Cc: Serge Hallyn <serue@us.ibm.com>,
Linux Containers <containers@lists.osdl.org>,
Daniel Lezcano <daniel.lezcano@free.fr>, <netdev@vger.kernel.org>,
Pavel Emelyanov <xemul@parallels.com>
Subject: [PATCH 8/8] af_unix: Allow connecting to sockets in other network namespaces.
Date: Sun, 13 Jun 2010 06:35:48 -0700 [thread overview]
Message-ID: <m11vcbgimj.fsf@fess.ebiederm.org> (raw)
In-Reply-To: <m1hbl7hxo3.fsf@fess.ebiederm.org> (Eric W. Biederman's message of "Sun\, 13 Jun 2010 06\:25\:32 -0700")
Remove the restriction that only allows connecting to a unix domain
socket identified by unix path that is in the same network namespace.
Crossing network namespaces is always tricky and we did not support
this at first, because of a strict policy of don't mix the namespaces.
Later after Pavel proposed this we did not support this because no one
had performed the audit to make certain using unix domain sockets
across namespaces is safe.
What fundamentally makes connecting to af_unix sockets in other
namespaces is safe is that you have to have the proper permissions on
the unix domain socket inode that lives in the filesystem. If you
want strict isolation you just don't create inodes where unfriendlys
can get at them, or with permissions that allow unfriendlys to open
them. All nicely handled for us by the mount namespace and other
standard file system facilities.
I looked through unix domain sockets and they are a very controlled
environment so none of the work that goes on in dev_forward_skb to
make crossing namespaces safe appears needed, we are not loosing
controll of the skb and so do not need to set up the skb to look like
it is comming in fresh from the outside world. Further the fields in
struct unix_skb_parms should not have any problems crossing network
namespaces.
Now that we handle SCM_CREDENTIALS in a way that gives useable values
across namespaces. There does not appear to be any operational
problems with encouraging the use of unix domain sockets across
containers either.
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
---
net/unix/af_unix.c | 7 ++-----
1 files changed, 2 insertions(+), 5 deletions(-)
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index 78d412a..4aaff40 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -282,7 +282,7 @@ static inline struct sock *unix_find_socket_byname(struct net *net,
return s;
}
-static struct sock *unix_find_socket_byinode(struct net *net, struct inode *i)
+static struct sock *unix_find_socket_byinode(struct inode *i)
{
struct sock *s;
struct hlist_node *node;
@@ -292,9 +292,6 @@ static struct sock *unix_find_socket_byinode(struct net *net, struct inode *i)
&unix_socket_table[i->i_ino & (UNIX_HASH_SIZE - 1)]) {
struct dentry *dentry = unix_sk(s)->dentry;
- if (!net_eq(sock_net(s), net))
- continue;
-
if (dentry && dentry->d_inode == i) {
sock_hold(s);
goto found;
@@ -757,7 +754,7 @@ static struct sock *unix_find_other(struct net *net,
err = -ECONNREFUSED;
if (!S_ISSOCK(inode->i_mode))
goto put_fail;
- u = unix_find_socket_byinode(net, inode);
+ u = unix_find_socket_byinode(inode);
if (!u)
goto put_fail;
--
1.6.5.2.143.g8cc62
next prev parent reply other threads:[~2010-06-13 13:35 UTC|newest]
Thread overview: 38+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-06-13 13:25 [PATCH 0/8] Support unix domain sockets across namespaces Eric W. Biederman
2010-06-13 13:25 ` Eric W. Biederman
2010-06-13 13:27 ` [PATCH 1/8] scm: Reorder scm_cookie Eric W. Biederman
2010-06-13 13:27 ` Eric W. Biederman
2010-06-13 13:28 ` [PATCH 2/8] user_ns: Introduce user_nsmap_uid and user_ns_map_gid Eric W. Biederman
2010-06-13 13:28 ` Eric W. Biederman
[not found] ` <m17hm3hxjw.fsf_-_-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
2010-06-15 8:02 ` Pavel Emelyanov
2010-06-15 22:37 ` Eric W. Biederman
2010-06-15 20:58 ` Serge E. Hallyn
2010-06-15 8:00 ` [PATCH 1/8] scm: Reorder scm_cookie Pavel Emelyanov
2010-06-13 13:28 ` [PATCH 3/8] sock: Introduce cred_to_ucred Eric W. Biederman
2010-06-13 13:28 ` Eric W. Biederman
2010-06-15 8:03 ` Pavel Emelyanov
2010-06-13 13:30 ` [PATCH 4/8] af_unix: Allow SO_PEERCRED to work across namespaces Eric W. Biederman
2010-06-13 13:30 ` Eric W. Biederman
2010-06-14 13:37 ` Daniel Lezcano
2010-06-15 8:04 ` Pavel Emelyanov
2010-06-13 13:31 ` [PATCH 5/8] af_netlink: Add needed scm_destroy after scm_send Eric W. Biederman
2010-06-13 13:31 ` Eric W. Biederman
2010-06-14 13:37 ` Daniel Lezcano
2010-06-15 8:06 ` Pavel Emelyanov
2010-06-13 13:32 ` [PATCH 6/8] scm: Capture the full credentials of the scm sender Eric W. Biederman
2010-06-13 13:32 ` Eric W. Biederman
2010-06-15 8:08 ` Pavel Emelyanov
2010-06-15 9:53 ` Eric W. Biederman
2010-06-15 21:45 ` Serge E. Hallyn
2010-06-15 22:08 ` Eric W. Biederman
2010-06-16 4:47 ` Serge E. Hallyn
2010-06-13 13:34 ` [PATCH 7/8] af_unix: Allow credentials to work across user and pid namespaces Eric W. Biederman
2010-06-13 13:34 ` Eric W. Biederman
[not found] ` <m17hm3giom.fsf-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
2010-06-15 8:11 ` Pavel Emelyanov
2010-06-13 13:35 ` Eric W. Biederman [this message]
2010-06-13 13:35 ` [PATCH 8/8] af_unix: Allow connecting to sockets in other network namespaces Eric W. Biederman
2010-06-14 13:37 ` Daniel Lezcano
[not found] ` <m11vcbgimj.fsf-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
2010-06-15 8:12 ` Pavel Emelyanov
2010-06-16 22:15 ` [PATCH 0/8] Support unix domain sockets across namespaces David Miller
2010-06-16 23:17 ` David Miller
2010-06-16 23:32 ` Eric W. Biederman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=m11vcbgimj.fsf@fess.ebiederm.org \
--to=ebiederm@xmission.com \
--cc=containers@lists.osdl.org \
--cc=daniel.lezcano@free.fr \
--cc=davem@davemloft.net \
--cc=netdev@vger.kernel.org \
--cc=serue@us.ibm.com \
--cc=xemul@parallels.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.