Thread: 9 messages, 3 authors, 2021-03-02

Re: [PATCH bpf 2/4] nsfs: add an ioctl to discover the network namespace cookie

From: Christian Brauner <hidden>
Date: 2021-03-02 12:06:27
Also in: linux-api, linux-fsdevel, lkml, netdev

On Tue, Mar 02, 2021 at 09:47:10AM +0000, Lorenz Bauer wrote:
> On Mon, 1 Mar 2021 at 10:04, Christian Brauner
> [off-list ref] wrote:
> > Hey Lorenz,
> >
> > Just to make sure: is it intentional that any user can retrieve the
> > cookie associated with any network namespace, i.e. you don't require any
> > form of permission checking in the owning user namespace of the network
> > namespace?
> >
> > Christian
>
> Hi Christian,
>
> I've decided to drop the patch set for now, but that was my intention, yes. Is
> there a downside I'm not aware of?

It depends on whether this cookie is in any way security or at least
information sensitive. For example, would leaking it between
unprivileged containers with different user+network namespace pairs
allow one container to gain access to information about the other
container that it shouldn't?

Christian