On Fri, Aug 14, 2015 at 08:52:05AM -0400, [email protected] wrote:
> Some tests with namespace have been performed:
> 1. An unprivileged user cannot bind to the RDMA_NL_GROUP_LS multicast
>    group;
> 2. An unprivileged user cannot create a new network namespace. However,
>    it can create a new user namespace together with a new network
>    namespace by using clone() with CLONE_NEWUSER | CLONE_NEWNET flags;
> 3. In the user and network namespaces created by an unprivileged user,
>    the user can be mapped into root and thus be able to bind to the
>    RDMA_NL_GROUP_LS multicast group. However, it can neither send
>    requests to the kernel RDMA netlink code nor receive requests from
>    it. This is because kernel RDMA netlink code associates itself with
>    the init_net network namespace, which in turn associates itself with
>    init_user_ns namespace.
Haggie, how does this coverage match your expectations with your namespace
series?

Kaike, how does #3 work? If I create a user namespace and try to bind it
succeeds to userspace but ibnl_chk_listeners still returns false in the
kernel?

Jason
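The three-step test Kaike describes (bind as an unprivileged user, then bind again after moving into a fresh user+net namespace with the caller mapped to uid 0), as an added example that is not part of this thread or of the kernel patch series. It uses unshare() instead of clone() for the same namespace flags, does the namespace work in a forked child so the caller's own namespaces are untouched, and assumes RDMA_NL_GROUP_LS is 3 (the value in the uapi header rdma/rdma_netlink.h; the header is not included here so the constant is defined locally). A successful bind inside the new namespace shows only the userspace side of point 3; it says nothing about whether the kernel's RDMA netlink socket in init_net will count that listener, which is the question raised above.

```c
/* Added example: reproduce the unprivileged-bind test for RDMA_NL_GROUP_LS
 * inside and outside a new user+net namespace. Not from the thread. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/netlink.h>

#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000    /* fallback: same values as <sched.h> */
#endif
#ifndef CLONE_NEWNET
#define CLONE_NEWNET  0x40000000
#endif
#ifndef RDMA_NL_GROUP_LS
#define RDMA_NL_GROUP_LS 3          /* assumption: value from rdma/rdma_netlink.h */
#endif

/* Netlink multicast group n is bit (n-1) of nl_groups in the bind address. */
unsigned int nl_group_mask(unsigned int group)
{
    return group ? 1u << (group - 1) : 0u;
}

/* Bind a NETLINK_RDMA socket to the LS multicast group.
 * Returns 0 on success, -errno otherwise (EPERM expected when unprivileged). */
int bind_rdma_ls_group(void)
{
    int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_RDMA);
    if (fd < 0)
        return -errno;
    struct sockaddr_nl sa = {
        .nl_family = AF_NETLINK,
        .nl_groups = nl_group_mask(RDMA_NL_GROUP_LS),
    };
    int rc = bind(fd, (struct sockaddr *)&sa, sizeof sa) == 0 ? 0 : -errno;
    close(fd);
    return rc;
}

/* Format a single uid_map/gid_map line: "<inside> <outside> 1\n". */
int format_id_map(char *buf, size_t len, unsigned inside, unsigned outside)
{
    int n = snprintf(buf, len, "%u %u 1\n", inside, outside);
    return (n > 0 && (size_t)n < len) ? 0 : -ENAMETOOLONG;
}

static int write_file(const char *path, const char *text)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0)
        return -errno;
    ssize_t want = (ssize_t)strlen(text);
    int rc = write(fd, text, (size_t)want) == want ? 0 : -errno;
    close(fd);
    return rc;
}

/* Steps 2 and 3: new user+net namespace, then map the caller to root inside it.
 * Must run in a single-threaded process (unshare(CLONE_NEWUSER) rejects threads). */
int become_root_in_new_netns(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();
    char map[64];
    int rc;

    if (syscall(SYS_unshare, CLONE_NEWUSER | CLONE_NEWNET) != 0)
        return -errno;
    /* Newer kernels require setgroups=deny before an unprivileged gid_map write. */
    write_file("/proc/self/setgroups", "deny");
    if ((rc = format_id_map(map, sizeof map, 0, (unsigned)uid)) != 0 ||
        (rc = write_file("/proc/self/uid_map", map)) != 0)
        return rc;
    if ((rc = format_id_map(map, sizeof map, 0, (unsigned)gid)) != 0 ||
        (rc = write_file("/proc/self/gid_map", map)) != 0)
        return rc;
    return 0;
}

/* Run the bind in a forked child, optionally after entering a new namespace,
 * so the caller's namespaces never change. Returns the child's bind result
 * (0 or -errno, errno values fit in the exit status), or -ECHILD on harness failure. */
int probe_bind(int in_new_ns)
{
    pid_t pid = fork();
    if (pid < 0)
        return -errno;
    if (pid == 0) {
        int rc = in_new_ns ? become_root_in_new_netns() : 0;
        if (rc == 0)
            rc = bind_rdma_ls_group();
        _exit(rc == 0 ? 0 : (-rc) & 0xff);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -ECHILD;
    return -WEXITSTATUS(status);
}

int main(void)
{
    int init_rc = probe_bind(0);   /* step 1: plain unprivileged bind */
    int ns_rc = probe_bind(1);     /* step 3: bind as uid 0 in a new user+net ns */
    printf("bind in caller's netns:      %s\n", init_rc ? strerror(-init_rc) : "ok");
    printf("bind in new user+net netns:  %s\n", ns_rc ? strerror(-ns_rc) : "ok");
    return 0;
}
```

Run it as an ordinary user on a host with the RDMA netlink family available: the first bind should fail with EPERM and the second succeed, matching points 1 and 3. If unshare() fails with EPERM, unprivileged user namespaces are disabled on that host, and the second line then reports that error instead.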
