On 24/08/2015 17:32, Wan, Kaike wrote:
>> On Fri, Aug 14, 2015 at 08:52:05AM -0400, kaike....@intel.com wrote:
>>>
>>> Some tests with namespace have been performed:
>>> 1. An unprivileged user cannot bind to the RDMA_NL_GROUP_LS multicast
>>>    group;
>>> 2. An unprivileged user cannot create a new network namespace. However,
>>>    it can create a new user namespace together with a new network
>>>    namespace by using clone() with CLONE_NEWUSER | CLONE_NEWNET
>>>    flags;
>>> 3. In the user and network namespaces created by an unprivileged user,
>>>    the user can be mapped into root and thus be able to bind to the
>>>    RDMA_NL_GROUP_LS multicast group. However, it can neither send
>>>    requests to the kernel RDMA netlink code nor receive requests from
>>>    it. This is because kernel RDMA netlink code associates itself with
>>>    the init_net network namespace, which in turn associates itself with
>>>    init_user_ns namespace.
>>
>> Haggai, how does this coverage match your expectations with your
>> namespace series?
>>
>> Kaike, how does #3 work?
>
> I created a test app that used clone() with CLONE_NEWUSER | CLONE_NEWNET to
> create a child process (modeled after the user_namespace man page example:
> http://man7.org/linux/man-pages/man7/user_namespaces.7.html). Once the child
> process was mapped to root (uid 0), it created the netlink socket and bound
> to the RDMA_NL_GROUP_LS and waited to receive requests from the kernel.
>
>> If I create a user namespace and try to bind it
>> succeeds to userspace but ibnl_chk_listeners still returns false in the
>> kernel?
>
> ibnl_chk_listeners() actually returned 0 (success), indicating that there
> were listeners. However, ibnl_multicast() failed. From the code of
> netlink_has_listeners(), it is apparent that the check has nothing to do
> with namespace (that's why it succeeded).
It looks like the ibnl socket (nls) is created with the &init_net network
namespace, and netlink won't send multicasts to sockets on other namespaces
(see [1]).

Haggai

[1] http://lxr.free-electrons.com/source/net/netlink/af_netlink.c?v=4.1#L1935

--
To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
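The probe Kaike describes in point 3 and in the reply above, written out here as an added example (it is neither Kaike's test app nor kernel code): it clones into a fresh user+network namespace, maps the caller to uid 0 there, and reports whether a NETLINK_RDMA socket can then bind to RDMA_NL_GROUP_LS. It assumes a Linux box with the kernel uapi headers installed and unprivileged user namespaces enabled; the function names are my own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <linux/netlink.h>          /* AF_NETLINK, NETLINK_RDMA, sockaddr_nl */
#include <rdma/rdma_netlink.h>      /* RDMA_NL_GROUP_LS (kernel uapi header) */

/* Write one line into a /proc/self file; 0 on success, -1 with errno set. */
static int write_proc(const char *path, const char *line)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -1;
    ssize_t n = write(fd, line, strlen(line));
    close(fd);
    return n == (ssize_t)strlen(line) ? 0 : -1;
}

/* Runs in the new user+net namespace; maps the outer uid to 0 (setgroups must
 * be denied first on kernels >= 3.19). The return value becomes the exit code. */
static int child_fn(void *arg)
{
    char map[64];
    snprintf(map, sizeof map, "0 %u 1", (unsigned)*(uid_t *)arg);
    if (write_proc("/proc/self/setgroups", "deny") && errno != ENOENT) return 2;
    if (write_proc("/proc/self/uid_map", map) || geteuid() != 0) return 2;
    int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_RDMA);
    if (fd < 0) return 3;           /* family not registered, e.g. ib_core absent */
    struct sockaddr_nl sa = { .nl_family = AF_NETLINK, .nl_groups = 1u << (RDMA_NL_GROUP_LS - 1) };
    int rc = bind(fd, (struct sockaddr *)&sa, sizeof sa) == 0 ? 0 : 4;
    close(fd);
    return rc;
}

/* 1: bound to RDMA_NL_GROUP_LS as namespace root; 0: socket()/bind() refused;
 * -1: the namespaces could not be created (e.g. unprivileged userns disabled). */
int probe_ls_bind_in_userns(void)
{
    static char stack[64 * 1024] __attribute__((aligned(16)));   /* clone() stack */
    uid_t outer = geteuid();
    int flags = CLONE_NEWUSER | CLONE_NEWNET | SIGCHLD, status;
    pid_t pid = clone(child_fn, stack + sizeof stack, flags, &outer);
    if (pid < 0 || waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status) == 0 ? 1 : 0;
}
```

A result of 1 only reproduces the bind half of point 3: the kernel side still refuses delivery because the ibnl socket lives in init_net, which is why a listener count from netlink_has_listeners() must not be read as an authorization check.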