From: Jakub Kicinski <kuba@kernel.org>
To: Cong Wang <xiyou.wangcong@gmail.com>
Cc: netdev@vger.kernel.org, stephen@networkplumber.org,
Cong Wang <cwang@multikernel.io>
Subject: Re: [Patch net v5 4/9] net_sched: Prevent using netem duplication in non-initial user namespace
Date: Mon, 1 Dec 2025 16:25:24 -0800 [thread overview]
Message-ID: <20251201162524.18c919fd@kernel.org> (raw)
In-Reply-To: <20251126195244.88124-5-xiyou.wangcong@gmail.com>
On Wed, 26 Nov 2025 11:52:39 -0800 Cong Wang wrote:
> The netem qdisc has a known security issue with packet duplication
> that makes it unsafe to use in unprivileged contexts. While netem
> typically requires CAP_NET_ADMIN to load, users with "root" privileges
> inside a user namespace also have CAP_NET_ADMIN within that namespace,
> allowing them to potentially exploit this feature.
>
> To address this, we need to restrict the netem duplication to only the
> initial user namespace.
What gives us the confidence that this won't break existing setups?
Pretty sure we use user ns at Meta, tho not sure if any of our
workloads uses both those and netem dup.
next prev parent reply other threads:[~2025-12-02 0:25 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-11-26 19:52 [Patch net v5 0/9] netem: Fix skb duplication logic and prevent infinite loops Cong Wang
2025-11-26 19:52 ` [Patch net v5 1/9] Revert "net/sched: Restrict conditions for adding duplicating netems to qdisc tree" Cong Wang
2025-11-26 19:52 ` [Patch net v5 2/9] Revert "selftests/tc-testing: Add tests for restrictions on netem duplication" Cong Wang
2025-11-26 19:52 ` [Patch net v5 3/9] net_sched: Implement the right netem duplication behavior Cong Wang
2025-11-26 20:30 ` William Liu
2025-11-26 22:08 ` Cong Wang
2025-11-26 22:43 ` William Liu
2025-11-26 23:13 ` Cong Wang
2025-11-27 2:09 ` William Liu
2025-11-27 3:01 ` Cong Wang
2025-12-03 15:05 ` Stephen Hemminger
2025-11-26 19:52 ` [Patch net v5 4/9] net_sched: Prevent using netem duplication in non-initial user namespace Cong Wang
2025-12-02 0:25 ` Jakub Kicinski [this message]
2025-12-03 5:41 ` Cong Wang
2025-12-02 0:40 ` Stephen Hemminger
2025-12-02 9:16 ` Paolo Abeni
2025-11-26 19:52 ` [Patch net v5 5/9] net_sched: Check the return value of qfq_choose_next_agg() Cong Wang
2025-12-02 9:20 ` Paolo Abeni
2025-12-03 5:42 ` Cong Wang
2025-12-02 21:18 ` Xiang Mei
2025-11-26 19:52 ` [Patch net v5 6/9] selftests/tc-testing: Add a nested netem duplicate test Cong Wang
2025-11-26 19:52 ` [Patch net v5 7/9] selftests/tc-testing: Add a test case for piro with netem duplicate Cong Wang
2025-11-26 19:52 ` [Patch net v5 8/9] selftests/tc-testing: Add a test case for mq " Cong Wang
2025-11-26 19:52 ` [Patch net v5 9/9] selftests/tc-testing: Update test cases " Cong Wang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20251201162524.18c919fd@kernel.org \
--to=kuba@kernel.org \
--cc=cwang@multikernel.io \
--cc=netdev@vger.kernel.org \
--cc=stephen@networkplumber.org \
--cc=xiyou.wangcong@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).