From: Bobby Eshleman <bobbyeshleman@gmail.com>
To: stable@vger.kernel.org
Cc: gregkh@linuxfoundation.org, sgarzare@redhat.com,
netdev@vger.kernel.org, mkutsevol@meta.com, thevlad@meta.com,
christinewang@meta.com
Subject: Stable backport request: vsock namespace support for 6.18.y
Date: Wed, 4 Mar 2026 17:02:48 -0800
Message-ID: <aajWMBoSgXafmw8b@devvm11784.nha0.facebook.com>
Hey all,

Would the stable maintainers possibly consider backporting the following
commits to 6.18.y? They add network namespace support to AF_VSOCK, which
addresses a security concern from our users in production.

eafb64f40ca49c79f0769aab25d0fae5c9d3becb vsock: add netns to vsock core
a6ae12a599e0f16bc01a38bcfe8d0278a26b5ee0 virtio: set skb owner of virtio_transport_reset_no_sock() reply
a69686327e42912e87d1f4be23f54ce1eae4dbd2 vsock: add netns support to virtio transports
9dd391493a727464e9a03cfff9356c8e10b8da0b vsock: fix child netns mode initialization
6a997f38bdf822d4c5cc10b445ff1cb26872580a vsock: prevent child netns mode switch from local to global
a07c33c6f2fc693bf9c67514fcc15d9d417f390d vsock: document namespace mode sysctls

All commits are in v7.0-rc1 via net-next.

The intention of vsock is to be used more-or-less as a VM-to-host serial
with free port-based multiplexing. It may be used very early in system
startup, so it is often used as the communication medium between VM
agents and host controllers. The security concern is that any workload
on the host can bind to a vsock port and intercept connections intended
for a different VM's controller / control plane. For sensitive VMs, this
presents a risk. The above patch series mitigates that risk by teaching
VSOCK to respect namespaces, thereby allowing the system to restrict
the applications that may access a VM's vsock (by use of namespace
isolation).

The feature is opt-in via a per-netns sysctl (vsock.child_ns_mode),
defaulting to "global", which preserves existing behavior exactly.

I realize this may be a long shot / big ask, as these patches definitely
fall outside of the 100-line diff limit and it is a very new security
feature for vsock.

Thanks,
Bobby