Re: linux-next: Tree for Sep 17 (netdevice.h: net_has_fallback_tunnels when SYSCTL is not set)

2020-09-17 Thread महेश बंडेवार
On Thu, Sep 17, 2020 at 1:33 PM Randy Dunlap wrote: > > On 9/17/20 3:23 AM, Stephen Rothwell wrote: > > Hi all, > > > > Changes since 20200916: > > > > I am seeing build errors when CONFIG_SYSCTL is not set: > > ld: net/ipv4/ip_tunnel.o: in function `ip_tunnel_init_net': > ip_tunnel.c:(.text+0x2ea

Re: [PATCH] ipvlan: set hw_enc_features like macvlan

2019-08-15 Thread महेश बंडेवार
On Wed, Aug 14, 2019 at 5:10 PM Bill Sommerfeld wrote: > > Allow encapsulated packets sent to tunnels layered over ipvlan to use > offloads rather than forcing SW fallbacks. > > Since commit f21e5077010acda73a60 ("macvlan: add offload features for > encapsulation"), macvlan has set dev->hw_enc_fea

Re: [blackhole_dev] 509e56b37c: kernel_selftests.net.test_blackhole_dev.sh.fail

2019-07-14 Thread महेश बंडेवार
On Thu, Jul 11, 2019 at 11:48 PM kernel test robot wrote: > > FYI, we noticed the following commit (built with gcc-7): > > commit: 509e56b37cc32c9b5fc2be585c25d1e60d6a1d73 ("blackhole_dev: add a > selftest") > https://kernel.googlesource.com/pub/scm/linux/kernel/git/next/linux-next.git > master

Re: suspicious RCU usage (was: Re: [PATCHv3 next 1/3] loopback: create blackhole net device similar to loopack.)

2019-07-02 Thread महेश बंडेवार
On Tue, Jul 2, 2019 at 5:54 AM Geert Uytterhoeven wrote: > > Hi Mahesh, > > On Mon, 1 Jul 2019, Mahesh Bandewar wrote: > > Create a blackhole net device that can be used for "dead" > > dst entries instead of loopback device. This blackhole device differs > > from loopback in a few aspects: (

Re: [PATCH net] bonding/802.3ad: fix slave link initialization transition states

2019-05-24 Thread महेश बंडेवार
On Fri, May 24, 2019 at 2:17 PM Jay Vosburgh wrote: > > Jarod Wilson wrote: > > >Once in a while, with just the right timing, 802.3ad slaves will fail to > >properly initialize, winding up in a weird state, with a partner system > >mac address of 00:00:00:00:00:00. This started happening after a

Re: [PATCHv3 0/2] capability controlled user-namespaces

2018-01-09 Thread महेश बंडेवार
On Tue, Jan 9, 2018 at 2:28 PM, Serge E. Hallyn wrote: > Quoting Mahesh Bandewar (महेश बंडेवार) (mahe...@google.com): >> On Mon, Jan 8, 2018 at 10:36 AM, Serge E. Hallyn wrote: >> > Quoting Mahesh Bandewar (महेश बंडेवार) (mahe...@google.com): >> >> On Mon, Ja

Re: [PATCHv3 0/2] capability controlled user-namespaces

2018-01-08 Thread महेश बंडेवार
On Mon, Jan 8, 2018 at 10:36 AM, Serge E. Hallyn wrote: > Quoting Mahesh Bandewar (महेश बंडेवार) (mahe...@google.com): >> On Mon, Jan 8, 2018 at 10:11 AM, Serge E. Hallyn wrote: >> > Quoting Mahesh Bandewar (महेश बंडेवार) (mahe...@google.com): >> >> On Mon, J

Re: [PATCHv3 0/2] capability controlled user-namespaces

2018-01-08 Thread महेश बंडेवार
On Mon, Jan 8, 2018 at 10:11 AM, Serge E. Hallyn wrote: > Quoting Mahesh Bandewar (महेश बंडेवार) (mahe...@google.com): >> On Mon, Jan 8, 2018 at 7:47 AM, Serge E. Hallyn wrote: >> > Quoting James Morris (james.l.mor...@oracle.com): >> >> On Mon, 8 Jan 2018, Serge

Re: [PATCHv3 0/2] capability controlled user-namespaces

2018-01-08 Thread महेश बंडेवार
On Mon, Jan 8, 2018 at 7:47 AM, Serge E. Hallyn wrote: > Quoting James Morris (james.l.mor...@oracle.com): >> On Mon, 8 Jan 2018, Serge E. Hallyn wrote: >> >> > > Also, why do we need the concept of a controlled user-ns at all, if the >> > > default whitelist maintains existing behavior? >> > >> >

Re: bonding: Completion of error handling around bond_update_slave_arr()

2018-01-04 Thread महेश बंडेवार
On Thu, Jan 4, 2018 at 12:19 AM, SF Markus Elfring wrote: >> If you see 8 out of 9 call sites in this file ignore the return value. > > What do you think about fixing error detection and the corresponding > exception handling then? > If I understand your question correctly - not having memory is not a

Re: [PATCHv4 0/2] capability controlled user-namespaces

2018-01-03 Thread महेश बंडेवार
On Wed, Jan 3, 2018 at 8:44 AM, Eric W. Biederman wrote: > Mahesh Bandewar writes: > >> From: Mahesh Bandewar >> >> TL;DR version >> - >> Creating a sandbox environment with namespaces is challenging >> considering what these sandboxed processes can engage in, e.g. >> CVE-2017-6074

Re: bonding: Delete an error message for a failed memory allocation in bond_update_slave_arr()

2018-01-03 Thread महेश बंडेवार
On Wed, Jan 3, 2018 at 12:45 AM, SF Markus Elfring wrote: >>> Omit an extra message for a memory allocation failure in this function. >>> >>> This issue was detected by using the Coccinelle software. >>> >> What is the issue with this message? > > * Is it redundant? > > * Would a Linux allocation

Re: [PATCH] bonding: Delete an error message for a failed memory allocation in bond_update_slave_arr()

2018-01-02 Thread महेश बंडेवार
On Mon, Jan 1, 2018 at 8:07 AM, SF Markus Elfring wrote: > From: Markus Elfring > Date: Mon, 1 Jan 2018 17:00:04 +0100 > > Omit an extra message for a memory allocation failure in this function. > > This issue was detected by using the Coccinelle software. > What is the issue with this message?

Re: [PATCHv3 1/2] capability: introduce sysctl for controlled user-ns capability whitelist

2018-01-02 Thread महेश बंडेवार
On Sat, Dec 30, 2017 at 12:50 AM, Michael Kerrisk (man-pages) wrote: > Hello Mahesh, > > On 12/05/2017 11:31 PM, Mahesh Bandewar wrote: >> From: Mahesh Bandewar >> >> Add a sysctl variable kernel.controlled_userns_caps_whitelist. This >> takes input as a capability mask expressed as two comma separ

Re: [PATCHv3 0/2] capability controlled user-namespaces

2018-01-02 Thread महेश बंडेवार
:45 AM, Mahesh Bandewar (महेश बंडेवार) wrote: >> On Wed, Dec 27, 2017 at 12:23 PM, Michael Kerrisk (man-pages) >> wrote: >>> Hello Mahesh, >>> >>> On 27 December 2017 at 18:09, Mahesh Bandewar (महेश बंडेवार) >>> wrote: >>>> Hello James,

Re: [PATCHv3 0/2] capability controlled user-namespaces

2018-01-02 Thread महेश बंडेवार
On Sat, Dec 30, 2017 at 12:31 AM, James Morris wrote: > On Wed, 27 Dec 2017, Mahesh Bandewar (महेश बंडेवार) wrote: > >> Hello James, >> >> Seems like I missed adding your name to the review of this >> patch series. Would you be willing to pull this into the

Re: [PATCHv3 0/2] capability controlled user-namespaces

2017-12-27 Thread महेश बंडेवार
On Wed, Dec 27, 2017 at 12:23 PM, Michael Kerrisk (man-pages) wrote: > Hello Mahesh, > > On 27 December 2017 at 18:09, Mahesh Bandewar (महेश बंडेवार) > wrote: >> Hello James, >> >> Seems like I missed adding your name to the review of this >> patch

Re: [PATCHv3 0/2] capability controlled user-namespaces

2017-12-27 Thread महेश बंडेवार
Hello James, Seems like I missed adding your name to the review of this patch series. Would you be willing to pull this into the security tree? Serge Hallyn has already ACKed it. Thanks, --mahesh.. On Tue, Dec 5, 2017 at 2:30 PM, Mahesh Bandewar wrote: > From: Mahesh Bandewar > > TL;DR

Re: [PATCHv2 2/2] userns: control capabilities of some user namespaces

2017-12-05 Thread महेश बंडेवार
On Wed, Nov 29, 2017 at 9:57 AM, Serge E. Hallyn wrote: > Quoting Mahesh Bandewar (महेश बंडेवार) (mahe...@google.com): >> On Tue, Nov 28, 2017 at 3:04 PM, Serge E. Hallyn wrote: >> > Quoting Mahesh Bandewar (महेश बंडेवार) (mahe...@google.com): >> > ... >> >

Re: [PATCHv2 2/2] userns: control capabilities of some user namespaces

2017-11-28 Thread महेश बंडेवार
On Tue, Nov 28, 2017 at 3:04 PM, Serge E. Hallyn wrote: > Quoting Mahesh Bandewar (महेश बंडेवार) (mahe...@google.com): > ... >> >> diff --git a/security/commoncap.c b/security/commoncap.c >> >> index fc46f5b85251..89103f16ac37 100644 >> >> --- a

Re: [PATCHv2 2/2] userns: control capabilities of some user namespaces

2017-11-28 Thread महेश बंडेवार
On Sat, Nov 25, 2017 at 10:40 PM, Serge E. Hallyn wrote: > Quoting Mahesh Bandewar (mah...@bandewar.net): >> From: Mahesh Bandewar >> >> With this new notion of "controlled" user-namespaces, the controlled >> user-namespaces are marked at the time of their creation while the >> capabilities of pr

Re: [kernel-hardening] Re: [PATCH resend 2/2] userns: control capabilities of some user namespaces

2017-11-09 Thread महेश बंडेवार
On Fri, Nov 10, 2017 at 1:46 PM, Serge E. Hallyn wrote: > Quoting Eric W. Biederman (ebied...@xmission.com): >> single sandbox. I am not at all certain that the capabilities is the >> proper place to limit code reachability. > > Right, I keep having this gut feeling that there is another way we >

Re: [PATCH resend 1/2] capability: introduce sysctl for controlled user-ns capability whitelist

2017-11-09 Thread महेश बंडेवार
On Fri, Nov 10, 2017 at 1:30 PM, Serge E. Hallyn wrote: > Quoting Mahesh Bandewar (महेश बंडेवार) (mahe...@google.com): > ... >> >> >> >> == >> >> >> >> +controlled_userns_caps_whitel

Re: [kernel-hardening] Re: [PATCH resend 2/2] userns: control capabilities of some user namespaces

2017-11-09 Thread महेश बंडेवार
On Fri, Nov 10, 2017 at 6:58 AM, Eric W. Biederman wrote: > "Mahesh Bandewar (महेश बंडेवार)" writes: > >> [resend response as earlier one failed because of formatting issues] >> >> On Thu, Nov 9, 2017 at 12:21 PM, Serge E. Hallyn wrote: >>> >>

Re: [PATCH resend 1/2] capability: introduce sysctl for controlled user-ns capability whitelist

2017-11-09 Thread महेश बंडेवार
On Fri, Nov 10, 2017 at 2:30 AM, Serge E. Hallyn wrote: > Quoting Mahesh Bandewar (mah...@bandewar.net): >> From: Mahesh Bandewar >> >> Add a sysctl variable kernel.controlled_userns_caps_whitelist. This > > I understand the arguments in favor of whitelists in most cases for > security purposes.

Re: [PATCH resend 1/2] capability: introduce sysctl for controlled user-ns capability whitelist

2017-11-09 Thread महेश बंडेवार
On Fri, Nov 10, 2017 at 2:22 AM, Serge E. Hallyn wrote: > Quoting Mahesh Bandewar (mah...@bandewar.net): >> From: Mahesh Bandewar >> >> Add a sysctl variable kernel.controlled_userns_caps_whitelist. This >> takes input as a capability mask expressed as two comma-separated hex >> u32 words. The mask

Re: [PATCH resend 2/2] userns: control capabilities of some user namespaces

2017-11-09 Thread महेश बंडेवार
On Fri, Nov 10, 2017 at 2:25 AM, Serge E. Hallyn wrote: > Quoting Mahesh Bandewar (mah...@bandewar.net): >> From: Mahesh Bandewar >> >> With this new notion of "controlled" user-namespaces, the controlled >> user-namespaces are marked at the time of their creation while the >> capabilities of pro

Re: [kernel-hardening] Re: [PATCH resend 2/2] userns: control capabilities of some user namespaces

2017-11-08 Thread महेश बंडेवार
[resend response as earlier one failed because of formatting issues] On Thu, Nov 9, 2017 at 12:21 PM, Serge E. Hallyn wrote: > > On Thu, Nov 09, 2017 at 09:55:41AM +0900, Mahesh Bandewar (महेश बंडेवार) > wrote: > > On Thu, Nov 9, 2017 at 4:02 AM, Christian Brauner > > wro

Re: [kernel-hardening] Re: [PATCH resend 2/2] userns: control capabilities of some user namespaces

2017-11-08 Thread महेश बंडेवार
On Thu, Nov 9, 2017 at 4:02 AM, Christian Brauner wrote: > On Wed, Nov 08, 2017 at 03:09:59AM -0800, Mahesh Bandewar (महेश बंडेवार) > wrote: >> Sorry folks, I was traveling and it seems like a lot happened on this thread. :p >> >> I will try to respond to a few of these comments s

Re: [kernel-hardening] Re: [PATCH resend 2/2] userns: control capabilities of some user namespaces

2017-11-08 Thread महेश बंडेवार
Sorry folks, I was traveling and it seems like a lot happened on this thread. :p I will try to respond to a few of these comments selectively - > The thing that makes me hesitate with this set is that it is a > permanent new feature to address what (I hope) is a temporary > problem. I agree this is permane

Re: [PATCH resend 2/2] userns: control capabilities of some user namespaces

2017-11-05 Thread महेश बंडेवार
On Sat, Nov 4, 2017 at 4:53 PM, Serge E. Hallyn wrote: > > Quoting Mahesh Bandewar (mah...@bandewar.net): > > Init-user-ns is always uncontrolled, and a process that has SYS_ADMIN > > and belongs to an uncontrolled user-ns can create another (child) > > user-namespace that is uncontrolled. Any other
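As an added example, not code from the patch series or from the kernel: a small user-space C model of two things this thread describes, the whitelist value format given in the "capability: introduce sysctl for controlled user-ns capability whitelist" reply (a capability mask written as two comma-separated hex u32 words) and the controlled-namespace marking rule quoted in the reply above. Assumptions, also marked in the code: the low word (capabilities 0..31) comes first in the sysctl string; the cut-off sentence continues with "any other user-namespace is controlled"; the capability numbers are the values from linux/capability.h; the helper names (caps_mask_parse, mask_has, cap_usable, child_userns_is_controlled, roundtrip_ok) and the sample masks are this example's own, not the patch's.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Capability numbers as defined in linux/capability.h (stable ABI values). */
#define CAP_NET_ADMIN  12
#define CAP_SYS_MODULE 16
#define CAP_SYS_ADMIN  21

/* 64 capability bits held as two u32 words: w[0] covers caps 0..31, w[1] caps 32..63.
 * Assumption: the sysctl string lists the low word first; the thread does not say. */
struct caps_mask { uint32_t w[2]; };

/* Parse "xxxxxxxx,yyyyyyyy" (1..8 hex digits per word; no 0x prefix, sign or
 * whitespace). Returns 0 on success, -1 on malformed input. */
int caps_mask_parse(const char *s, struct caps_mask *out)
{
    for (int i = 0; i < 2; i++) {
        char *end;
        /* strtoul() skips leading whitespace and accepts a sign; reject both. */
        if (!isxdigit((unsigned char)*s))
            return -1;
        errno = 0;
        unsigned long v = strtoul(s, &end, 16);
        if (errno != 0 || end - s > 8)   /* at most 8 hex digits, so v fits a u32 */
            return -1;
        out->w[i] = (uint32_t)v;
        if (i == 0 && *end != ',')
            return -1;
        if (i == 1 && *end != '\0' && *end != '\n')
            return -1;
        s = end + 1;
    }
    return 0;
}

/* Render a mask back in the same two-word form. Returns 0 on success. */
int caps_mask_format(const struct caps_mask *m, char *buf, size_t len)
{
    int n = snprintf(buf, len, "%08x,%08x", m->w[0], m->w[1]);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* 1 if capability number cap is set in the mask, else 0. */
int caps_mask_test(const struct caps_mask *m, int cap)
{
    return (cap >= 0 && cap <= 63) ? (int)((m->w[cap / 32] >> (cap % 32)) & 1) : 0;
}

/* Test one capability against a mask given as text; -1 on parse error. */
int mask_has(const char *mask, int cap)
{
    struct caps_mask m;
    return caps_mask_parse(mask, &m) == 0 ? caps_mask_test(&m, cap) : -1;
}

/* Model of the rule quoted above: a child user-ns is uncontrolled only when the
 * creator's user-ns is uncontrolled and the creator holds CAP_SYS_ADMIN.
 * Assumption: every other case yields a controlled namespace (the quoted
 * sentence is cut off at "Any other"). Returns -1 on a malformed creator mask. */
int child_userns_is_controlled(int parent_controlled, const char *creator_caps)
{
    int has_sys_admin = mask_has(creator_caps, CAP_SYS_ADMIN);
    if (has_sys_admin < 0)
        return -1;
    return !(!parent_controlled && has_sys_admin);
}

/* In a controlled user-ns a capability is usable only if the process holds it
 * and the whitelist allows it; in an uncontrolled one only the process's own
 * set matters. Returns -1 if either mask is malformed. */
int cap_usable(int ns_controlled, const char *whitelist, const char *proc_caps, int cap)
{
    int held = mask_has(proc_caps, cap), allowed = mask_has(whitelist, cap);
    if (held < 0 || allowed < 0)
        return -1;
    return held && (allowed || !ns_controlled);
}

/* Parse then re-render; 1 if the result equals expected. */
int roundtrip_ok(const char *in, const char *expected)
{
    struct caps_mask m;
    char buf[32];
    if (caps_mask_parse(in, &m) != 0 || caps_mask_format(&m, buf, sizeof buf) != 0)
        return 0;
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed sample: whitelist allows only CAP_NET_ADMIN; the process holds every cap. */
    const char *wl = "00001000,00000000", *all = "ffffffff,ffffffff";
    printf("controlled ns: CAP_NET_ADMIN usable=%d, CAP_SYS_MODULE usable=%d\n",
           cap_usable(1, wl, all, CAP_NET_ADMIN), cap_usable(1, wl, all, CAP_SYS_MODULE));
    printf("child of uncontrolled ns whose creator has CAP_SYS_ADMIN is controlled: %d\n",
           child_userns_is_controlled(0, all));
    return 0;
}
```

The parser deliberately rejects what strtoul() would quietly accept (leading whitespace, a sign, more than eight hex digits per word): for a sysctl that decides which capabilities a sandboxed namespace may use, a malformed value should fail outright rather than be partially applied.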

Re: [kernel-hardening] [PATCH 0/2] capability controlled user-namespaces

2017-10-19 Thread महेश बंडेवार
On Mon, Oct 2, 2017 at 11:12 AM, Mahesh Bandewar (महेश बंडेवार) wrote: > On Mon, Oct 2, 2017 at 10:14 AM, Serge E. Hallyn wrote: >> Quoting Mahesh Bandewar (mah...@bandewar.net): >>> From: Mahesh Bandewar >>> >>> [Same as the previous RFC series

Re: [kernel-hardening] [PATCH 0/2] capability controlled user-namespaces

2017-10-02 Thread महेश बंडेवार
On Mon, Oct 2, 2017 at 10:14 AM, Serge E. Hallyn wrote: > Quoting Mahesh Bandewar (mah...@bandewar.net): >> From: Mahesh Bandewar >> >> [Same as the previous RFC series sent on 9/21] >> >> TL;DR version >> - >> Creating a sandbox environment with namespaces is challenging >> consideri

Re: [PATCH] net: bonding: Fix transmit load balancing in balance-alb mode if specified by sysfs

2017-09-11 Thread महेश बंडेवार
On Sat, Sep 9, 2017 at 4:28 AM, Nikolay Aleksandrov wrote: > On 07/09/17 01:47, Kosuke Tatsukawa wrote: >> Commit cbf5ecb30560 ("net: bonding: Fix transmit load balancing in >> balance-alb mode") tried to fix transmit dynamic load balancing in >> balance-alb mode, which wasn't working after commit

Re: [PATCH] net: bonding: Fix transmit load balancing in balance-alb mode if specified by sysfs

2017-09-08 Thread महेश बंडेवार
On Fri, Sep 8, 2017 at 7:30 AM, Nikolay Aleksandrov wrote: > On 08/09/17 17:17, Kosuke Tatsukawa wrote: >> Hi, >> >>> On 08/09/17 13:10, Nikolay Aleksandrov wrote: On 08/09/17 05:06, Kosuke Tatsukawa wrote: > Hi, > >> On 7.09.2017 01:47, Kosuke Tatsukawa wrote: >>> Commit cbf

Re: [PATCH] net: bonding: Fix transmit load balancing in balance-alb mode if specified by sysfs

2017-09-07 Thread महेश बंडेवार
On Thu, Sep 7, 2017 at 5:47 PM, Mahesh Bandewar (महेश बंडेवार) wrote: > On Thu, Sep 7, 2017 at 5:39 PM, Mahesh Bandewar (महेश बंडेवार) > wrote: >> On Thu, Sep 7, 2017 at 4:09 PM, Nikolay Aleksandrov >> wrote: >>> On 7.09.2017 01:47, Kosuke Tatsukawa wrote: >

Re: [PATCH] net: bonding: Fix transmit load balancing in balance-alb mode if specified by sysfs

2017-09-07 Thread महेश बंडेवार
On Thu, Sep 7, 2017 at 5:39 PM, Mahesh Bandewar (महेश बंडेवार) wrote: > On Thu, Sep 7, 2017 at 4:09 PM, Nikolay Aleksandrov > wrote: >> On 7.09.2017 01:47, Kosuke Tatsukawa wrote: >>> Commit cbf5ecb30560 ("net: bonding: Fix transmit load balancing in >>> balan

Re: [PATCH] net: bonding: Fix transmit load balancing in balance-alb mode if specified by sysfs

2017-09-07 Thread महेश बंडेवार
On Thu, Sep 7, 2017 at 4:09 PM, Nikolay Aleksandrov wrote: > On 7.09.2017 01:47, Kosuke Tatsukawa wrote: >> Commit cbf5ecb30560 ("net: bonding: Fix transmit load balancing in >> balance-alb mode") tried to fix transmit dynamic load balancing in >> balance-alb mode, which wasn't working after comm

Re: [PATCH net] bonding: fix randomly populated arp target array

2017-05-19 Thread महेश बंडेवार
On Fri, May 19, 2017 at 11:46 AM, Jarod Wilson wrote: > In commit dc9c4d0fe023, the arp_target array moved from a static global > to a local variable. By the nature of static globals, the array used to > be initialized to all 0. At present, it's full of random data, which > that gets interpreted a

Re: [PATCH] kmod: don't load module unless req process has CAP_SYS_MODULE

2017-05-15 Thread महेश बंडेवार
On Mon, May 15, 2017 at 6:52 AM, David Miller wrote: > From: Greg Kroah-Hartman > Date: Mon, 15 May 2017 08:10:59 +0200 > >> On Sun, May 14, 2017 at 08:57:34AM -0500, Eric W. Biederman wrote: >>> Greg Kroah-Hartman writes: >>> >>> diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c >>> inde

Re: [PATCH] kmod: don't load module unless req process has CAP_SYS_MODULE

2017-05-14 Thread महेश बंडेवार
On Sun, May 14, 2017 at 3:45 AM, Greg Kroah-Hartman wrote: > On Fri, May 12, 2017 at 04:22:59PM -0700, Mahesh Bandewar wrote: >> From: Mahesh Bandewar >> [...] >> Now try to create a bridge inside this newly created net-ns, which would >> mean the bridge module needs to be loaded. >> # ip link ad

Re: [PATCHv1 7/7] IPVTAP: IP-VLAN based tap driver

2017-01-06 Thread महेश बंडेवार
A few superficial comments inline. On Fri, Jan 6, 2017 at 2:33 PM, Sainath Grandhi wrote: > This patch adds a tap character device driver that is based on the > IP-VLAN network interface, called ipvtap. An ipvtap device can be created > in the same way as an ipvlan device, using 'type ipvtap', and