> -----Original Message-----
> From: linux-rdma-ow...@vger.kernel.org [mailto:linux-rdma-
> ow...@vger.kernel.org] On Behalf Of Jason Gunthorpe
> Sent: Friday, August 21, 2015 7:08 PM
> To: Wan, Kaike; Haggai Eran
> Cc: linux-rdma@vger.kernel.org
> Subject: Re: [PATCH v9 0/4] Sending kernel pathrecord query to user cache
> server
> 
> On Fri, Aug 14, 2015 at 08:52:05AM -0400, kaike....@intel.com wrote:
> 
> > Some tests with namespace have been performed:
> > 1. An unprivileged user cannot bind to the RDMA_NL_GROUP_LS multicast
> >    group;
> > 2. An unprivileged user cannot create a new network namespace. However,
> >    it can create a new user namespace together with a new network
> >    namespace by using clone() with CLONE_NEWUSER | CLONE_NEWNET flags;
> > 3. In the user and network namespaces created by an unprivileged user,
> >    the user can be mapped into root and thus be able to bind to the
> >    RDMA_NL_GROUP_LS multicast group. However, it can neither send
> >    requests to the kernel RDMA netlink code nor receive requests from
> >    it. This is because kernel RDMA netlink code associates itself with
> >    the init_net network namespace, which in turn associates itself with
> >    init_user_ns namespace.
> 
> Haggie, how does this coverage match your expectations with your
> namespace series?
> 
> Kaike, how does #3 work? 

I created a test app that used clone() with CLONE_NEWUSER | CLONE_NEWNET to
create a child process (modeled after the user_namespace man page example:
http://man7.org/linux/man-pages/man7/user_namespaces.7.html). Once the child
process was mapped to root (uid 0), it created the netlink socket and bound
to the RDMA_NL_GROUP_LS and waited to receive requests from the kernel.

> If I create a user namespace and try to bind it
> succeeds to userspace but ibnl_chk_listeners still returns false in the 
> kernel?

ibnl_chk_listeners() actually returned 0 (success), indicating that there were
listeners. However, ibnl_multicast() failed. From the code of
netlink_has_listeners(), it is apparent that the check has nothing to do with
namespace (that's why it succeeded).
> 
> Jason
> --
> To unsubscribe from this list: send the line "unsubscribe linux-rdma" in the
> body of a message to majord...@vger.kernel.org More majordomo info at
> http://vger.kernel.org/majordomo-info.html
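
A minimal probe for the namespace test described in this thread, as an added example that is not the test app from the message or code from the patch series. It assumes fork() plus unshare() in place of clone(), and a locally defined PROBE_GROUP_LS (value 3, taken as the position of RDMA_NL_GROUP_LS in the rdma_netlink.h enum); all function names are hypothetical.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/netlink.h>

/* Assumption: numeric value of RDMA_NL_GROUP_LS, defined locally so the
 * probe builds on systems whose headers predate the LS group. */
#define PROBE_GROUP_LS 3
enum probe_result { BIND_OK, NO_NAMESPACE, NO_SOCKET, BIND_DENIED, PROBE_ERROR };

/* Netlink groups are numbered from 1; sockaddr_nl.nl_groups is a bitmask. */
unsigned int group_mask(unsigned int group) { return group ? 1u << (group - 1) : 0; }

/* Map the caller's outer uid to root (uid 0) inside the new user namespace. */
static void map_self_to_root(uid_t outer) {
    char line[32];
    int len = snprintf(line, sizeof(line), "0 %u 1\n", (unsigned)outer);
    int fd = open("/proc/self/uid_map", O_WRONLY);
    if (fd >= 0) { if (write(fd, line, len) < 0) perror("uid_map"); close(fd); }
}

/* Child: enter new user + network namespaces, then try the multicast bind. */
static int child_probe(uid_t outer) {
    if (unshare(CLONE_NEWUSER | CLONE_NEWNET) != 0) return NO_NAMESPACE;
    map_self_to_root(outer);
    int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_RDMA);
    if (fd < 0) return NO_SOCKET;
    struct sockaddr_nl addr = { .nl_family = AF_NETLINK, .nl_groups = group_mask(PROBE_GROUP_LS) };
    int rc = bind(fd, (struct sockaddr *)&addr, sizeof(addr));
    close(fd);
    return rc == 0 ? BIND_OK : BIND_DENIED;
}

/* Run the probe in a forked child so the caller's namespaces stay untouched. */
int probe_ls_bind(void) {
    uid_t outer = geteuid();   /* read before unshare(): unmapped afterwards */
    pid_t pid = fork();
    if (pid < 0) return PROBE_ERROR;
    if (pid == 0) _exit(child_probe(outer));
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return PROBE_ERROR;
    return WEXITSTATUS(status);
}

int main(void) { printf("probe_ls_bind() = %d\n", probe_ls_bind()); return 0; }
```

A BIND_OK result only shows that the bind was accepted inside the new namespaces; as the thread notes, delivery from the kernel RDMA netlink code is tied to init_net, so a bound socket in another network namespace is not evidence that requests reach it.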