Re: [PATCH 0/5] RFC: connector: Add network namespace awareness

From: Matt Bennett
Date: Sun Jul 05 2020 - 18:31:38 EST


On Thu, 2020-07-02 at 13:59 -0500, Eric W. Biederman wrote:
> Matt Bennett <matt.bennett@xxxxxxxxxxxxxxxxxxx> writes:
>
> > Previously the connector functionality could only be used by processes running in the
> > default network namespace. This meant that any process that uses the connector functionality
> > could not operate correctly when run inside a container. This is a draft patch series that
> > attempts to now allow this functionality outside of the default network namespace.
> >
> > I see this has been discussed previously [1], but am not sure how my changes relate to all
> > of the topics discussed there and/or if there are any unintended side
> > effects from my draft
>
> In a quick skim this patchset does not look like it approaches a correct
> conversion to having code that works in multiple namespaces.
>
> I will take the changes to proc_id_connector for example.
> You report the values in the callers current namespaces.
>
> Which means an unprivileged user can create a user namespace and get
> connector to report whichever ids they want to users in another
> namespace. AKA lie.
>
> So this appears to make connector completely unreliable.
>
> Eric
>

Hi Eric,

Thank you for taking the time to review. I wrote these patches in an attempt to show that I was willing to do the work myself rather than simply
asking for someone else to do it for me. The changes worked for my use cases when I tested them, but I expected that some of the changes would be
incorrect and that I would need some guidance. I can spend some time to really dig in and fully understand the changes I am trying to make (I have
limited kernel development experience) but based on the rest of the discussion threads it seems that there is likely no appetite to ever support
namespaces with the connector.

Best regards,
Matt
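To make Eric's objection concrete for readers less familiar with user namespaces: a uid the kernel stores internally (a kuid) has a different visible value in each user namespace, as determined by that namespace's /proc/<pid>/uid_map. If proc_id_connector reports ids translated through the sending task's namespace, a task whose kuid is 1000 inside a namespace mapped "0 1000 1" is reported as uid 0 to a listener in the initial namespace; translating through the receiving socket's namespace instead yields 1000, and an unmapped id degrades to the overflow uid 65534. The following C program is an added illustration, not part of the patch series or the kernel. It mirrors the semantics of from_kuid()/from_kuid_munged() with a simplified extent table (the names from_kuid_sim, uid_as_seen_by and the constructed uid_map strings are this example's own; it assumes the namespaces are direct children of init_user_ns, so the "outside" column equals the kuid):

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_EXTENTS 4
#define INVALID_ID ((uint32_t)-1)   /* kernel's INVALID_UID / "unmapped" */
#define OVERFLOW_UID 65534u          /* default /proc/sys/kernel/overflowuid */

/* One line of /proc/<pid>/uid_map: "<first inside> <first outside> <count>". */
struct id_extent {
    uint32_t first;        /* first id as seen inside the namespace */
    uint32_t lower_first;  /* matching id outside (assumed here to be the kuid) */
    uint32_t count;
};

struct user_ns {
    struct id_extent map[MAX_EXTENTS];
    int nr_extents;
};

/* Parse uid_map text (one extent per line) into ns; returns count or -1 on error. */
int parse_uid_map(const char *text, struct user_ns *ns) {
    const char *p = text;
    ns->nr_extents = 0;
    while (*p && ns->nr_extents < MAX_EXTENTS) {
        struct id_extent *e = &ns->map[ns->nr_extents];
        if (sscanf(p, "%u %u %u", &e->first, &e->lower_first, &e->count) != 3)
            return -1;
        ns->nr_extents++;
        const char *nl = strchr(p, '\n');
        if (!nl)
            break;
        p = nl + 1;
    }
    return ns->nr_extents;
}

/* Simplified from_kuid(): kuid -> id visible in ns, INVALID_ID if unmapped. */
uint32_t from_kuid_sim(const struct user_ns *ns, uint32_t kuid) {
    for (int i = 0; i < ns->nr_extents; i++) {
        const struct id_extent *e = &ns->map[i];
        if (kuid >= e->lower_first && kuid - e->lower_first < e->count)
            return e->first + (kuid - e->lower_first);
    }
    return INVALID_ID;
}

/* Simplified from_kuid_munged(): unmapped ids collapse to the overflow uid. */
uint32_t from_kuid_munged_sim(const struct user_ns *ns, uint32_t kuid) {
    uint32_t uid = from_kuid_sim(ns, kuid);
    return uid == INVALID_ID ? OVERFLOW_UID : uid;
}

/* What a listener whose socket lives in the namespace described by
 * uid_map_text would see for a task with the given kuid. */
uint32_t uid_as_seen_by(const char *uid_map_text, uint32_t kuid) {
    struct user_ns ns;
    if (parse_uid_map(uid_map_text, &ns) < 0)
        return INVALID_ID;
    return from_kuid_munged_sim(&ns, kuid);
}

int main(void) {
    /* Constructed maps: the initial namespace is the identity mapping; the
     * child was created by an unprivileged uid-1000 user mapping itself to 0. */
    const char *init_map = "0 0 4294967295\n";
    const char *child_map = "0 1000 1\n";
    uint32_t kuid = 1000;  /* the task generating the proc event */

    printf("kuid %u reported via sender's (child) ns:   uid %u\n",
           kuid, uid_as_seen_by(child_map, kuid));   /* 0, looks like root */
    printf("kuid %u reported via receiver's (init) ns: uid %u\n",
           kuid, uid_as_seen_by(init_map, kuid));    /* 1000, the truth */
    printf("kuid 0 (real root) seen from the child ns: uid %u\n",
           uid_as_seen_by(child_map, 0));            /* 65534, unmapped */
    return 0;
}
```

The point the example makes is the one Eric raises: the translation must be done against the user namespace of the socket that receives the event, never against the namespace of the task that generated it, otherwise the reported id is only meaningful to the sender and can be chosen freely by whoever set up that namespace.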