On Mon, Aug 10, 2015 at 05:58:30PM -0400, ira.weiny wrote:
> Furthermore, the check in netlink_bind also uses the socket namespace to
> restrict the use of multicast. This plus my checks should allow an admin to
> place the SA proxy (ibacm in our test cases) in an alternate network namespace
> if they so desire. But this is independent to the namespace which may be used
> for data applications.

I think Haggai is on to something, there is certainly a problem here; that netlink_bind will let a namespace subscribe is certainly a problem for what Haggai is working on.

For now, I think, only root (or CAP_ whatever) in the init namespace should have access to this feature. Not sure how to check that.

Even allowing a namespace to subscribe is problematic because it will cause timeouts to hit.. Not sure what to do about that..

Also, why the incremental patch? The original isn't ready for mainline without the message validation stuff..

Jason
