public inbox for stable@vger.kernel.org
* Stable backport request: vsock namespace support for 6.18.y
@ 2026-03-05  1:02 Bobby Eshleman
  2026-03-05  7:15 ` Greg KH
  0 siblings, 1 reply; 3+ messages in thread
From: Bobby Eshleman @ 2026-03-05  1:02 UTC (permalink / raw)
  To: stable; +Cc: gregkh, sgarzare, netdev, mkutsevol, thevlad, christinewang

Hey all,

Would the stable maintainers possibly consider backporting the following
commits to 6.18.y? They add network namespace support to AF_VSOCK, which
addresses a security concern from our users in production.

eafb64f40ca49c79f0769aab25d0fae5c9d3becb vsock: add netns to vsock core
a6ae12a599e0f16bc01a38bcfe8d0278a26b5ee0 virtio: set skb owner of virtio_transport_reset_no_sock() reply
a69686327e42912e87d1f4be23f54ce1eae4dbd2 vsock: add netns support to virtio transports
9dd391493a727464e9a03cfff9356c8e10b8da0b vsock: fix child netns mode initialization
6a997f38bdf822d4c5cc10b445ff1cb26872580a vsock: prevent child netns mode switch from local to global
a07c33c6f2fc693bf9c67514fcc15d9d417f390d vsock: document namespace mode sysctls

All commits are in v7.0-rc1 via net-next.

The intention of vsock is to be used more-or-less as a VM-to-host serial
with free port-based multiplexing. It may be used very early in system
startup, so it is often used as the communication medium between VM
agents and host controllers. The security concern is that any workload
on the host can bind to a vsock port and intercept connections intended
for a different VM's controller / control plane. For sensitive VMs, this
presents a risk. The above patch series mitigates that risk by teaching
VSOCK to respect namespaces, and so allowing the system to restrict
applications that may access the VM's vsock (by use of namespace
isolation).

The feature is opt-in via a per-netns sysctl (vsock.child_ns_mode),
defaulting to "global" which preserves existing behavior exactly.

I realize this may be a long-shot/big ask, as these patches definitely
fall outside of the 100-line diff limit and it is a very new security
feature for vsock.

Thanks,
Bobby

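As an added example that is not part of the thread or of the vsock patch series: a small POSIX shell audit helper for checking, from the defender's side, whether a given network namespace keeps its vsock port space private. The thread names the sysctl only as `vsock.child_ns_mode` with a default of "global" and a "local" mode; the `/proc/sys/net/vsock/child_ns_mode` path used here is an assumption, not confirmed by the thread, and can be overridden through `VSOCK_NS_MODE_PATH`. On a kernel without the series (such as a stock 6.18.y) the file is absent and the helper reports `unsupported`, which is exactly the state the request was about.

```shell
#!/bin/sh
# Added example (not from the thread): report the vsock child-netns mode
# of a network namespace and classify whether it isolates vsock ports.
#
# ASSUMPTION: the per-netns sysctl is exposed under
# /proc/sys/net/vsock/child_ns_mode. The thread only names it
# "vsock.child_ns_mode"; the exact proc path is not stated there.
VSOCK_NS_MODE_PATH="${VSOCK_NS_MODE_PATH:-/proc/sys/net/vsock/child_ns_mode}"

# vsock_ns_mode [path]
# Prints one of: unsupported, global, local, unknown:<raw value>
#   unsupported  - sysctl missing: kernel predates the series (e.g. 6.18.y)
#   global       - upstream default, historical host-wide vsock port space
#   local        - ports are private to this namespace
vsock_ns_mode() {
    path="${1:-$VSOCK_NS_MODE_PATH}"
    if [ ! -r "$path" ]; then
        echo unsupported
        return 0
    fi
    mode=$(tr -d '[:space:]' < "$path")
    case "$mode" in
        global|local) echo "$mode" ;;
        *)            echo "unknown:$mode" ;;
    esac
}

# vsock_ns_isolated [path]
# Exit status 0 only when the namespace is in "local" mode, i.e. a workload
# placed in it cannot bind the host-wide vsock ports the thread worries about.
vsock_ns_isolated() {
    [ "$(vsock_ns_mode "$1")" = local ]
}

# audit_named_netns
# Walk every namespace known to `ip netns` (iproute2) and print its mode.
# Needs root to enter the namespaces; does nothing when iproute2 is absent.
audit_named_netns() {
    command -v ip >/dev/null 2>&1 || { echo "iproute2 not available"; return 0; }
    ip netns list 2>/dev/null | awk '{print $1}' | while read -r ns; do
        mode=$(ip netns exec "$ns" sh -c \
            "tr -d '[:space:]' < '$VSOCK_NS_MODE_PATH' 2>/dev/null || echo unsupported")
        printf '%s: %s\n' "$ns" "$mode"
    done
}
```

Run `vsock_ns_mode` in the init namespace to see the default, or `audit_named_netns` as root to list every named namespace; anything other than `local` means that namespace still shares the host's vsock port space.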

* Re: Stable backport request: vsock namespace support for 6.18.y
  2026-03-05  1:02 Stable backport request: vsock namespace support for 6.18.y Bobby Eshleman
@ 2026-03-05  7:15 ` Greg KH
  2026-03-05 13:32   ` Bobby Eshleman
  0 siblings, 1 reply; 3+ messages in thread
From: Greg KH @ 2026-03-05  7:15 UTC (permalink / raw)
  To: Bobby Eshleman
  Cc: stable, sgarzare, netdev, mkutsevol, thevlad, christinewang

On Wed, Mar 04, 2026 at 05:02:48PM -0800, Bobby Eshleman wrote:
> I realize this may be a long-shot/big ask, as these patches definitely
> fall outside of the 100-line diff limit and it is a very new security
> feature for vsock.

It's a new security feature, if you wish to have that, please just use a
newer kernel release.

sorry,

greg k-h


* Re: Stable backport request: vsock namespace support for 6.18.y
  2026-03-05  7:15 ` Greg KH
@ 2026-03-05 13:32   ` Bobby Eshleman
  0 siblings, 0 replies; 3+ messages in thread
From: Bobby Eshleman @ 2026-03-05 13:32 UTC (permalink / raw)
  To: Greg KH; +Cc: stable, sgarzare, netdev, mkutsevol, thevlad, christinewang

On Thu, Mar 05, 2026 at 08:15:12AM +0100, Greg KH wrote:
> On Wed, Mar 04, 2026 at 05:02:48PM -0800, Bobby Eshleman wrote:
> > I realize this may be a long-shot/big ask, as these patches definitely
> > fall outside of the 100-line diff limit and it is a very new security
> > feature for vsock.
> 
> It's a new security feature, if you wish to have that, please just use a
> newer kernel release.
> 
> sorry,
> 
> greg k-h

I understand. Thank you for the consideration.

Best,
Bobby

