Re: [PATCH bpf 2/4] nsfs: add an ioctl to discover the network namespace cookie
From: Christian Brauner <hidden>
Date: 2021-03-02 12:06:27
Also in:
linux-api, linux-fsdevel, lkml, netdev
On Tue, Mar 02, 2021 at 09:47:10AM +0000, Lorenz Bauer wrote:
> On Mon, 1 Mar 2021 at 10:04, Christian Brauner [off-list ref] wrote:
> > Hey Lorenz,
> >
> > Just to make sure: is it intentional that any user can retrieve the
> > cookie associated with any network namespace, i.e. you don't require
> > any form of permission checking in the owning user namespace of the
> > network namespace?
> >
> > Christian
>
> Hi Christian,
>
> I've decided to drop the patch set for now, but that was my intention,
> yes. Is there a downside I'm not aware of?

It depends on whether this cookie is in any way security or at least
information sensitive. For example, would leaking it between unprivileged
containers with different user+network namespace pairs allow one container
to gain access to information about the other container that it shouldn't.

Christian