From: ebiederm@xmission.com (Eric W. Biederman)
To: David Lamparter <equinox@diac24.net>
Cc: Alexey Dobriyan <adobriyan@gmail.com>,
davem@davemloft.net, netdev@vger.kernel.org,
Linux Containers <containers@lists.osdl.org>
Subject: Re: [PATCH] netns: add /proc/*/net/id symlink
Date: Sun, 22 May 2011 19:02:43 -0700
Message-ID: <m1y61yb2d8.fsf@fess.ebiederm.org>
In-Reply-To: <20110523014303.GA2351982@jupiter.n2.diac24.net> (David Lamparter's message of "Mon, 23 May 2011 03:43:03 +0200")
David Lamparter <equinox@diac24.net> writes:
>> ... Eric W. Biederman wrote:
>> Now it probably needs to be better documented that /proc/*/net/*
>> have the same inode number if the network namespace is the
>> same, as everyone including myself overlooked this very handy
>> existing property.
>
> Eh, so did I. But, yes, very nice.
>
> On Sat, May 21, 2011 at 05:15:38PM -0700, Eric W. Biederman wrote:
>> Additionally that solution will work for comparing network namespaces
>> that don't happen to have any processes in them at the moment. Because
>> fstat works on file descriptors.
>
> Hm. I have a peeve here. Assume I am a... rogue admin, whatever. I have
> root on a router. I create a new network namespace, put a macvlan of
> eth0 in it and a macvlan of eth1. I enable ip_forward.
>
> Then I make a mount namespace, bind-mount the net namespace, bind mount
> the mount namespace and terminate all processes that reference it (yes
> this does work, I just checked [!]).
You must be using an older version of my patchset than what I have
queued for Linus. Bind mounting the mount namespace and creating
reference counting loops is a weird and ugly case. So for the moment I
am not supporting the mount namespace, until I can think through
the consequences.
> Now I can use it to bypass all firewall rules, IDS, whatever.
>
> How is any normal admin, monitoring script or whatever else able to
> detect this?
Which is why I proceed slowly and cautiously with adding new kernel
interfaces. It is hard to think of everything until you can actually
put it into use, and play with it.
Other than not allowing bind mounting the mount namespace I don't
have any all encompassing really good answers at the moment.
I do have a few small answers. For network namespaces you can look in
/proc/slabinfo and see how many you have, unless slub is lying to you.
On the switch your server is connected to you can look at the mac table
and see which mac addresses are currently in use, and notice if there
are unaccounted for mac addresses.
Eric
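The two checks Eric sketches above (same inode under /proc/*/net/* means the same network namespace, and the net_namespace object count in /proc/slabinfo as a census that does not depend on a process being alive) combined into a small auditing helper. This is an added example, not code from the thread or from the kernel tree. It assumes a Linux /proc layout where every /proc/<pid>/net/* entry of one namespace shares an inode, that /proc/slabinfo lists a cache named net_namespace (SLUB may merge it into a same-sized generic cache, the "slub is lying to you" case, which the parser reports as None), and that the initial network namespace is a static kernel object rather than a slab allocation; the function names, the injectable `inode_of` parameter and the sample slabinfo text are all constructed for the example.

```python
"""Group processes by network namespace and cross-check against slabinfo.

Added example (not from the thread or the kernel tree). Assumes:
  - /proc/<pid>/net/* of one netns share a single inode (discussed above);
  - /proc/slabinfo carries a "net_namespace" cache unless SLUB merged it;
  - the initial namespace is static, so it is not a net_namespace object.
"""
import os
from collections import defaultdict


def netns_inode(pid, proc_root="/proc"):
    """Inode of /proc/<pid>/net/dev; equal inodes mean the same netns."""
    return os.stat(f"{proc_root}/{pid}/net/dev").st_ino


def same_netns(fd_a, fd_b):
    """Compare two open handles under /proc/*/net with fstat.

    Works for a namespace with no processes left, as long as something
    still holds a descriptor to it (the point Eric makes above)."""
    st_a, st_b = os.fstat(fd_a), os.fstat(fd_b)
    return (st_a.st_dev, st_a.st_ino) == (st_b.st_dev, st_b.st_ino)


def group_by_netns(pids, inode_of=netns_inode):
    """Map netns inode -> list of pids.  `inode_of` is injectable (an
    assumption of this example) so the grouping can run on constructed data."""
    groups = defaultdict(list)
    for pid in pids:
        try:
            groups[inode_of(pid)].append(pid)
        except (FileNotFoundError, PermissionError, ProcessLookupError):
            continue  # process exited, or not readable by the caller
    return dict(groups)


def slab_active_objs(slabinfo_text, cache_name="net_namespace"):
    """Active object count of one kmem cache from /proc/slabinfo text.

    Returns None when the cache is not listed at all, which is what you see
    when SLUB has merged it into a generic cache of the same object size."""
    for line in slabinfo_text.splitlines():
        if line.startswith(("slabinfo", "#")) or not line.strip():
            continue
        fields = line.split()
        if fields[0] == cache_name:
            return int(fields[1])  # <active_objs> column
    return None


def unaccounted_netns(groups, slab_active):
    """Namespaces the slab cache holds beyond those reachable via a process.

    Assumption: the initial namespace is a static kernel object, so one
    visible namespace is subtracted before comparing with the slab count.
    A positive result means namespaces exist that no process will show you."""
    if slab_active is None:
        return None
    non_init_visible = max(len(groups) - 1, 0)
    return max(slab_active - non_init_visible, 0)


# Constructed sample resembling /proc/slabinfo, so the helpers run offline.
SAMPLE_SLABINFO = """\
slabinfo - version: 2.1
# name            <active_objs> <num_objs> <objsize> <objperslab> <pagesperslab> : tunables <limit> <batchcount> <sharedfactor> : slabdata <active_slabs> <num_slabs> <sharedavail>
net_namespace          3      3   4096    1    1 : tunables    0    0    0 : slabdata      3      3      0
kmalloc-4k           120    128   4096    8    8 : tunables    0    0    0 : slabdata     16     16      0
"""


def live_pids(proc_root="/proc"):
    """All numeric entries of /proc, i.e. the processes visible to us."""
    return [int(name) for name in os.listdir(proc_root) if name.isdigit()]


if __name__ == "__main__":
    groups = group_by_netns(live_pids())
    try:
        with open("/proc/slabinfo") as f:  # readable by root only
            active = slab_active_objs(f.read())
    except PermissionError:
        active = None
    print(f"{len(groups)} network namespace(s) reachable through processes")
    print("net_namespace slab objects:", active,
          "unaccounted:", unaccounted_netns(groups, active))
```

Run as root the script prints how many namespaces the process table reveals and how many the slab knows about; a gap is a prompt to look further (the switch MAC table Eric mentions being the other place), not a proof of anything, since a namespace held open only by a file descriptor or a bind mount is a legitimate state too.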