Re: What is the fastest way to build and boot a kernel
On Thu, Apr 20, 2017 at 10:50 AM, Bjørn Mork wrote:
> Joe Smith writes:
>> On Thu, Apr 20, 2017 at 9:31 AM, Alexander Kapshuk wrote:
>>
>>> then you just add a line saying::
>>>
>>> Signed-off-by: Random J Developer
>>>
>>> using your real name (sorry, no pseudonyms or anonymous contributions.)
>>
>> How does anyone know what my real name is.
>
> No one does. It's up to you to make sure your name is real :)
>
> An example of what might otherwise happen:
> https://lwn.net/Articles/194729/
>
> Bjørn

Excellent example, but please note this:

"For this reason, people contributing code which demonstrates *deep knowledge of undocumented hardware* will often be asked just how they came by that knowledge. Verifying the answer can be difficult, however. Our defenses are thin, but it is hard to see how they could be improved without killing the process entirely."

In cases where IP rights are an issue I can understand requiring someone to reveal their true identity. Other than that I don't see any reason not to accept an enhancement or bug fix to the Linux kernel coming from an anonymous source. If there is an IP issue, the submitter could reveal their identity to a select group of people, or not, as the submitter did in this case. If we need to really enforce this requirement then one would have to sign a legal document -- some software contributions do require that.

--
JS

___
Kernelnewbies mailing list
Kernelnewbies@kernelnewbies.org
https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
Re: How to make per process firewall ?
On Thu, Apr 20, 2017 at 10:31:33AM -0700, Joe Smith wrote:
> On Wed, Apr 19, 2017 at 9:58 AM, Stephen Brennan wrote:
[snip]
> I understand the iptables solution. The namespace solution seems
> restrictive,

It depends on how you set it up. If you put your only network interface within this namespace, then yes, it is a bit restrictive. But if you were to set up a veth pair, put one end into the namespace and the other in your default namespace, and then configure NAT so traffic from the veth gets routed out properly, then everything would still share one IP address. Yes, this is just as much work as it sounds like, so I can understand why it doesn't sound like a good idea!

> it will exclusively allow the IP address to be used in
> the namespace that it is hosted in and there is no control over the
> port.

You can control the port using iptables within the namespace. At that point, it's a simple firewall rule that says "drop any traffic that isn't on this port". Since no other processes are in the namespace, it only affects the processes you want to restrict.

> So if it is OK to dedicate an IP address to a namespace then
> fine but it still does not solve the port issue and iptables will have
> to be used. So why not just use iptables?

The iptables -m owner solution is much simpler, so yeah, probably just use that. I came up with the network namespace solution because I've recently been doing *a lot* of work using them. When all you have is a hammer, everything looks like a nail!
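The veth pair, NAT and in-namespace "drop anything not on this port" rule described in the reply above, written out as an added example; this is not code from the thread or from any of its participants. The namespace name blue, the interface names veth-host/veth-blue, the 10.200.1.0/24 transit subnet, eth0 as the host uplink and port 8443 are all assumptions chosen for illustration. Running it with RUN=echo prints the commands instead of executing them; applying them needs root.

```shell
#!/bin/sh
# Added example (not from the thread): confine a set of processes to one
# outbound TCP port by giving them their own network namespace that reaches
# the outside through a veth pair and NAT on the host.
# Assumptions: namespace "blue", veth ends veth-host/veth-blue, transit subnet
# 10.200.1.0/24, host uplink eth0, allowed port 8443.
# RUN=echo prints the commands instead of running them; applying needs root.
RUN="${RUN:-}"
NS="${NS:-blue}"
HOST_IF="${HOST_IF:-eth0}"
VETH_HOST="veth-host"
VETH_NS="veth-blue"
HOST_ADDR="10.200.1.1"
NS_ADDR="10.200.1.2"
SUBNET="10.200.1.0/24"
PORT="${PORT:-8443}"

run() { $RUN "$@"; }
in_ns() { run ip netns exec "$NS" "$@"; }

# Namespace plus veth pair: one end stays in the default namespace, the other
# moves into $NS and becomes its only route out.
setup_namespace() {
    run ip netns add "$NS"
    run ip link add "$VETH_HOST" type veth peer name "$VETH_NS"
    run ip link set "$VETH_NS" netns "$NS"
    run ip addr add "$HOST_ADDR/24" dev "$VETH_HOST"
    run ip link set "$VETH_HOST" up
    in_ns ip addr add "$NS_ADDR/24" dev "$VETH_NS"
    in_ns ip link set "$VETH_NS" up
    in_ns ip link set lo up
    in_ns ip route add default via "$HOST_ADDR"
}

# Host side: forward namespace traffic out of the uplink and masquerade it, so
# the outside world only ever sees the host's own address.
setup_nat() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t nat -A POSTROUTING -s "$SUBNET" -o "$HOST_IF" -j MASQUERADE
    run iptables -A FORWARD -i "$VETH_HOST" -o "$HOST_IF" -j ACCEPT
    run iptables -A FORWARD -i "$HOST_IF" -o "$VETH_HOST" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Inside the namespace: the "drop anything not on this port" rule. Loopback
# stays open, blocked attempts are logged, everything else is dropped. Only
# the processes placed in $NS are affected.
restrict_port() {
    in_ns iptables -A OUTPUT -o lo -j ACCEPT
    in_ns iptables -A OUTPUT -p tcp --dport "$PORT" -j ACCEPT
    in_ns iptables -A OUTPUT -j LOG --log-prefix "ns-$NS-drop: "
    in_ns iptables -P OUTPUT DROP
}

case "${1:-}" in
    apply) setup_namespace; setup_nat; restrict_port ;;
    exec)  shift; in_ns "$@" ;;   # e.g. ./confine.sh exec YOUR-PROGRAM
    *)     : ;;                   # no argument: only define the functions
esac
```

`./confine.sh apply` sets everything up and `./confine.sh exec YOUR-PROGRAM` starts a program inside the namespace. Note that a DNS lookup from inside the namespace is UDP to port 53 and will be dropped and logged by the OUTPUT rules above, so either add a rule for it or make sure the confined processes do not need a resolver; the LOG lines (prefix ns-blue-drop:) in the kernel log are how you see what they tried to reach.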
Re: What is the fastest way to build and boot a kernel
Joe Smith writes:
> On Thu, Apr 20, 2017 at 9:31 AM, Alexander Kapshuk wrote:
>
>> then you just add a line saying::
>>
>> Signed-off-by: Random J Developer
>>
>> using your real name (sorry, no pseudonyms or anonymous contributions.)
>
> How does anyone know what my real name is.

No one does. It's up to you to make sure your name is real :)

An example of what might otherwise happen:
https://lwn.net/Articles/194729/

Bjørn
Re: How to make per process firewall ?
On Wed, Apr 19, 2017 at 9:58 AM, Stephen Brennan wrote:
>> I would like to constrain process (by name) or group of process to specific
>> network interface and to specific port.
>
> This sounds like an excellent use-case for network namespaces [1]. They create
> an entire virtualized network stack within the kernel. This includes everything
> from network devices all the way up to firewall rules. You may create and
> administer namespaces using ip-netns(8). Alternatively, you can simply create
> a new one when you clone(2), by providing the CLONE_NEWNET argument.
>
> You can run commands that affect namespaces created by ip-netns(8) using
> `ip netns exec`. If you didn't create a namespace with ip-netns, you can still
> run commands within any process's namespace via the nsenter(1) command, provided
> by util-linux. If you don't have that command (due to outdated util-linux), you
> can implement your own in less than 20 lines of C using the setns(2) system
> call. The manual page even provides a full implementation.
>
> In summary, the easiest way, with ip-netns(8), would be:
>
>     ip netns add blue
>
>     ip netns exec blue iptables -nvL
>     # an empty firewall
>
>     ip netns exec blue ip link
>     # just a loopback
>
>     # You'll likely want to create a veth pair, add one end to the "blue" netns,
>     # and then set up routes. You'll have a separate IP address within the
>     # netns, but I don't believe there's any way around that.
>
>     ip netns exec blue iptables -A # your rule here
>
>     ip netns exec blue YOUR-PROGRAMS
>
> Note that this is how Linux containers (e.g. Docker, LXC) work anyway, however,
> they virtualize other components of the kernel too (filesystem, process IDs, and
> much more). If all you want is to virtualize network resources, network
> namespaces are a more direct way to do this than containers, which will
> virtualize the rest as well.
>
> ALTERNATIVE [2]:
>
> You can apparently create iptables rules which match based on PID (not a great
> idea) or by UID/GID (a much better idea). If the overhead of network namespaces
> (veth pairs, new IPs, creating routes) is too much, you could create a user and
> run your processes as this user. Then create iptables rules that match based on
> the user. You do this with the "owner" module, and you can check whether it
> exists on your system by running:
>
>     iptables -m owner
>
> [1]: https://lwn.net/Articles/580893/
> [1]: also `man 7 namespaces`
> [2]: http://stackoverflow.com/questions/4314163/create-iptables-rule-per-process-service

I understand the iptables solution. The namespace solution seems restrictive, it will exclusively allow the IP address to be used in the namespace that it is hosted in and there is no control over the port. So if it is OK to dedicate an IP address to a namespace then fine, but it still does not solve the port issue and iptables will have to be used. So why not just use iptables?

--
JS
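The UID-based alternative from the quoted message above (a dedicated user plus iptables' "owner" module), written out as an added example; it is not code from the thread or its participants. The account name netjail, eth0 as the outbound interface and port 8443 are assumptions. Two caveats the quote does not spell out: the owner match only sees locally generated packets, so it is valid in the OUTPUT and nat POSTROUTING chains only, and the PID-based variant it mentions is no longer available in current kernels (xt_owner matches on the UID/GID of the socket's owner). The thread's `iptables -m owner` is still the right sanity check before applying any of this.

```shell
#!/bin/sh
# Added example (not from the thread): confine everything running as one
# dedicated user to a single outbound TCP port with iptables' owner match.
# Assumptions: account "netjail", uplink eth0, port 8443.
# RUN=echo prints the commands instead of running them; applying needs root.
RUN="${RUN:-}"
USER_NAME="${USER_NAME:-netjail}"
OUT_IF="${OUT_IF:-eth0}"
PORT="${PORT:-8443}"

run() { $RUN "$@"; }

# Create the unprivileged account the restricted processes will run as.
# A system account with no login shell keeps it from being used interactively.
create_user() {
    run useradd --system --shell /usr/sbin/nologin "$USER_NAME"
}

# Owner match rules: valid only in OUTPUT/POSTROUTING (locally generated
# packets). Order matters: loopback and the allowed port first, then a LOG
# rule so blocked attempts show up in the kernel log, then DROP.
owner_rules() {
    run iptables -A OUTPUT -m owner --uid-owner "$USER_NAME" -o lo -j ACCEPT
    run iptables -A OUTPUT -m owner --uid-owner "$USER_NAME" -o "$OUT_IF" \
        -p tcp --dport "$PORT" -j ACCEPT
    run iptables -A OUTPUT -m owner --uid-owner "$USER_NAME" \
        -j LOG --log-prefix "netjail-drop: "
    run iptables -A OUTPUT -m owner --uid-owner "$USER_NAME" -j DROP
}

# Start a program as the restricted user; the rules above now apply to it and
# to every child it spawns, since they inherit the UID.
run_restricted() {
    run runuser -u "$USER_NAME" -- "$@"
}

case "${1:-}" in
    apply) create_user; owner_rules ;;
    exec)  shift; run_restricted "$@" ;;
    *)     : ;;   # no argument: only define the functions (e.g. when sourced)
esac
```

`./netjail.sh apply` creates the account and the rules, `./netjail.sh exec YOUR-PROGRAM` starts a program under them. Because the match follows the UID, the one escape to watch for is a setuid binary reachable by that account, which would run as a different owner; and, as with the namespace variant, DNS (UDP 53) is not in the allow list here and will be logged and dropped unless you add it.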
Re: What is the fastest way to build and boot a kernel
On Thu, Apr 20, 2017 at 9:31 AM, Alexander Kapshuk wrote:
> On Thu, Apr 20, 2017 at 7:20 PM, Code Soldier1 wrote:
>> On Thu, Apr 20, 2017 at 1:21 AM, Sébastien Masson wrote:
>>>
>>> On 2017-04-19 20:26, Code Soldier1 wrote:
>>>> On Wed, Apr 19, 2017 at 3:32 AM, Tobin C. Harding wrote:
>>>>>
>>>>> On Tue, Apr 18, 2017 at 08:59:36AM -0700, Code Soldier1 wrote:
>>>>> [snip]
>>>>>
>>>>> Why the moniker?
>>>>
>>>> Why not? Unlike most people today I value my privacy.
>>>
>>> Hi!
>>>
>>> In my opinion, the point is not really about privacy. Although, I
>>> understand your concern.
>>>
>>> As a kernel developer, the source code you will write will be subject to
>>> copyright matters and, if you want to contribute, you will have to give your
>>> agreement to this.
>>> This is only possible using your real name.
>>>
>>> I am inviting you to read: Documentation/process/submitting-patches.rst in
>>> this regard.
>>>
>>> Of course, as long as you do not submit source code, it does not really
>>> matter. It may be more a question of "consistency".
>>>
>>> BR,
>>> Sebastien.
>>
>> I completely agree with you. If I decide to submit code and there is a
>> requirement, I will have to make a choice. BTW how would anyone verify
>> if I am really Joe Smith and I have not just created an email account?
>>
>> I just looked at the kernel that I am working with and it does not
>> have the file you pointed out to me. I read the first file and it does
>> not say anything about username, nor did anyone object when I
>> posted on netdev.
>>
>> ubuntu-server:~/linux/linux-stable-v4.9.9/Documentation$ find . -name \*patches\* -print
>> ./hwmon/submitting-patches
>> ./applying-patches.txt
>> ./devicetree/bindings/submitting-patches.txt
>>
>> --
>> CS1
>
> https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/plain/Documentation/SubmittingPatches?id=refs/tags/v4.9.23
>
> 11) Sign your work
> ------------------
>
> To improve tracking of who did what, especially with patches that can
> percolate to their final resting place in the kernel through several
> layers of maintainers, we've introduced a "sign-off" procedure on
> patches that are being emailed around.
>
> The sign-off is a simple line at the end of the explanation for the
> patch, which certifies that you wrote it or otherwise have the right to
> pass it on as an open-source patch. The rules are pretty simple: if you
> can certify the below:
>
> Developer's Certificate of Origin 1.1
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> By making a contribution to this project, I certify that:
>
> (a) The contribution was created in whole or in part by me and I
>     have the right to submit it under the open source license
>     indicated in the file; or
>
> (b) The contribution is based upon previous work that, to the best
>     of my knowledge, is covered under an appropriate open source
>     license and I have the right under that license to submit that
>     work with modifications, whether created in whole or in part
>     by me, under the same open source license (unless I am
>     permitted to submit under a different license), as indicated
>     in the file; or
>
> (c) The contribution was provided directly to me by some other
>     person who certified (a), (b) or (c) and I have not modified
>     it.
>
> (d) I understand and agree that this project and the contribution
>     are public and that a record of the contribution (including all
>     personal information I submit with it, including my sign-off) is
>     maintained indefinitely and may be redistributed consistent with
>     this project or the open source license(s) involved.
>
> then you just add a line saying::
>
>     Signed-off-by: Random J Developer
>
> using your real name (sorry, no pseudonyms or anonymous contributions.)

How does anyone know what my real name is. I can just have an account that says I am Random J Developer and my email is x...@gmail.com. Just like the example. I can even change the name that appears on the email, I have just changed mine to Joe Smith.

Anyways, let's not spend time on this and concentrate on the technical stuff. If I submit code I will find out.

--
CS1
Re: What is the fastest way to build and boot a kernel
On Thu, Apr 20, 2017 at 7:20 PM, Code Soldier1 wrote:
> On Thu, Apr 20, 2017 at 1:21 AM, Sébastien Masson wrote:
>>
>> On 2017-04-19 20:26, Code Soldier1 wrote:
>>>
>>> On Wed, Apr 19, 2017 at 3:32 AM, Tobin C. Harding wrote:
>>>>
>>>> On Tue, Apr 18, 2017 at 08:59:36AM -0700, Code Soldier1 wrote:
>>>> [snip]
>>>>
>>>> Why the moniker?
>>>
>>> Why not? Unlike most people today I value my privacy.
>>
>> Hi!
>>
>> In my opinion, the point is not really about privacy. Although, I
>> understand your concern.
>>
>> As a kernel developer, the source code you will write will be subject to
>> copyright matters and, if you want to contribute, you will have to give your
>> agreement to this.
>> This is only possible using your real name.
>>
>> I am inviting you to read: Documentation/process/submitting-patches.rst in
>> this regard.
>>
>> Of course, as long as you do not submit source code, it does not really
>> matter. It may be more a question of "consistency".
>>
>> BR,
>> Sebastien.
>
> I completely agree with you. If I decide to submit code and there is a
> requirement, I will have to make a choice. BTW how would anyone verify
> if I am really Joe Smith and I have not just created an email account?
>
> I just looked at the kernel that I am working with and it does not
> have the file you pointed out to me. I read the first file and it does
> not say anything about username, nor did anyone object when I
> posted on netdev.
>
> ubuntu-server:~/linux/linux-stable-v4.9.9/Documentation$ find . -name \*patches\* -print
> ./hwmon/submitting-patches
> ./applying-patches.txt
> ./devicetree/bindings/submitting-patches.txt
>
> --
> CS1

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/plain/Documentation/SubmittingPatches?id=refs/tags/v4.9.23

11) Sign your work
------------------

To improve tracking of who did what, especially with patches that can
percolate to their final resting place in the kernel through several
layers of maintainers, we've introduced a "sign-off" procedure on
patches that are being emailed around.

The sign-off is a simple line at the end of the explanation for the
patch, which certifies that you wrote it or otherwise have the right to
pass it on as an open-source patch. The rules are pretty simple: if you
can certify the below:

Developer's Certificate of Origin 1.1
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

By making a contribution to this project, I certify that:

(a) The contribution was created in whole or in part by me and I
    have the right to submit it under the open source license
    indicated in the file; or

(b) The contribution is based upon previous work that, to the best
    of my knowledge, is covered under an appropriate open source
    license and I have the right under that license to submit that
    work with modifications, whether created in whole or in part
    by me, under the same open source license (unless I am
    permitted to submit under a different license), as indicated
    in the file; or

(c) The contribution was provided directly to me by some other
    person who certified (a), (b) or (c) and I have not modified
    it.

(d) I understand and agree that this project and the contribution
    are public and that a record of the contribution (including all
    personal information I submit with it, including my sign-off) is
    maintained indefinitely and may be redistributed consistent with
    this project or the open source license(s) involved.

then you just add a line saying::

    Signed-off-by: Random J Developer

using your real name (sorry, no pseudonyms or anonymous contributions.)
Re: What is the fastest way to build and boot a kernel
On Thu, Apr 20, 2017 at 1:21 AM, Sébastien Masson wrote:
>
> On 2017-04-19 20:26, Code Soldier1 wrote:
>>
>> On Wed, Apr 19, 2017 at 3:32 AM, Tobin C. Harding wrote:
>>>
>>> On Tue, Apr 18, 2017 at 08:59:36AM -0700, Code Soldier1 wrote:
>>> [snip]
>>>
>>> Why the moniker?
>>
>> Why not? Unlike most people today I value my privacy.
>
> Hi!
>
> In my opinion, the point is not really about privacy. Although, I
> understand your concern.
>
> As a kernel developer, the source code you will write will be subject to
> copyright matters and, if you want to contribute, you will have to give your
> agreement to this.
> This is only possible using your real name.
>
> I am inviting you to read: Documentation/process/submitting-patches.rst in
> this regard.
>
> Of course, as long as you do not submit source code, it does not really
> matter. It may be more a question of "consistency".
>
> BR,
> Sebastien.

I completely agree with you. If I decide to submit code and there is a requirement, I will have to make a choice. BTW how would anyone verify if I am really Joe Smith and I have not just created an email account?

I just looked at the kernel that I am working with and it does not have the file you pointed out to me. I read the first file and it does not say anything about username, nor did anyone object when I posted on netdev.

ubuntu-server:~/linux/linux-stable-v4.9.9/Documentation$ find . -name \*patches\* -print
./hwmon/submitting-patches
./applying-patches.txt
./devicetree/bindings/submitting-patches.txt

--
CS1
Re: What is the fastest way to build and boot a kernel
On 2017-04-19 20:26, Code Soldier1 wrote:
> On Wed, Apr 19, 2017 at 3:32 AM, Tobin C. Harding wrote:
>> On Tue, Apr 18, 2017 at 08:59:36AM -0700, Code Soldier1 wrote:
>> [snip]
>>
>> Why the moniker?
>
> Why not? Unlike most people today I value my privacy.

Hi!

In my opinion, the point is not really about privacy. Although, I understand your concern.

As a kernel developer, the source code you will write will be subject to copyright matters and, if you want to contribute, you will have to give your agreement to this.
This is only possible using your real name.

I am inviting you to read: Documentation/process/submitting-patches.rst in this regard.

Of course, as long as you do not submit source code, it does not really matter. It may be more a question of "consistency".

BR,
Sebastien.