From: Evgeniy Polyakov <zbr@ioremap.net>
To: "ebiederm@xmission.com" <ebiederm@xmission.com>,
Matt Bennett <matt.bennett@alliedtelesis.co.nz>
Cc: "netdev@vger.kernel.org" <netdev@vger.kernel.org>,
"containers@lists.linux-foundation.org"
<containers@lists.linux-foundation.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH 0/5] RFC: connector: Add network namespace awareness
Date: Thu, 10 Sep 2020 18:04:56 +0300
Message-ID: <74141599750086@mail.yandex.ru>
In-Reply-To: <87lfjn9s3v.fsf@x220.int.ebiederm.org>
Hi everyone

13.07.2020, 21:42, "Eric W. Biederman" <ebiederm@xmission.com>:

> Which means an unprivileged user can create a user namespace and get
> connector to report whichever ids they want to users in another
> namespace. AKA lie.
>
> So this appears to make connector completely unreliable.

> My sense is that there are few enough uses of connector that if you don't
> mind changing your code so that it works in a container (and the pidfd
> support appears to already provide what you need) that is probably the
> path of least resistance.
>
> I don't think maintaining connector support would be much more work
> than it is now, if someone went through and did the work to carefully
> convert the code. So if someone really wants to use connector we can
> namespace the code.
>
> Otherwise it probably makes sense to let the few users gradually stop
> using connector so the code can eventually be removed.

Such a nice bright future for connector you depict here, disregarding
others' work and this contribution, Eric :)

If we can overcome the issue shown above with invalid ids, connector can
still get a few more years to live; don't you want to give it a chance?

> Please check out the pidfd support and tell us how it meets your
> needs. If there is something that connector really does better it would
> be good to know.