[EMAIL PROTECTED] wrote:
On Fri, 26 Jan 2007 11:36:48 +0100, Daniel Lezcano said:
+ if (net_ns->level == NET_NS_LEVEL3 &&
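Review bot: the comparison against NET_NS_LEVEL3 uses an identifier that is not defined in the mainline or -mm trees named in this thread, so the patch does not build on its own; the changelog should state the prerequisite series that introduces the net_ns level field and the NET_NS_LEVEL2/NET_NS_LEVEL3 constants, or the patch should be posted as part of that series.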
I checked all the source trees I have online (2.6.19-rc6-mm2,
2.6.20-rc[1-4]-mm1)
and am not seeing any definition of this NET_NS_LEVEL3. Without knowing what
that is supposed to be doing, it's very hard to evaluate this patch.
Is this an add-on for some out-of-tree patch I didn't notice?
Yes, sorry, I forgot to mention it. It is work being done to implement
lightweight containers; the full patchset is at:
http://www.sr71.net/patches/2.6.20/2.6.20-rc4-mm1-lxc4/
The basic idea is that we have different levels of network virtualization,
level 2 and level 3. Level 2 is stronger in terms of virtualization
and isolation but has some drawbacks in terms of performance and
administration, so we wanted to add a light network virtualization
which acts at level 3, that is to say at the IP level, like
Linux-Vserver does. The security concern is that when we create this
light virtualization we want to lose CAP_NET_ADMIN, in order to have
each process running in the level 3 network isolation unable to do
any kind of IP administration, whether it has root privilege or not.
The current->nsproxy->net_ns->level gives the level of this network
virtualization: NET_NS_LEVEL2 or NET_NS_LEVEL3. When a process has
network virtualization NET_NS_LEVEL3, capable(CAP_NET_ADMIN) always
returns -EPERM.
Thanks.
-- Daniel
-
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
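The policy Daniel describes (a process in a level 3 network namespace never gets CAP_NET_ADMIN, root or not, while every other capability is unaffected) can be modelled outside the kernel. The following C program is an added example written for this page; it is not code from the lxc patchset or from Linux. The struct names and the current->nsproxy->net_ns->level path follow the mail, but the numeric values of NET_NS_LEVEL2/NET_NS_LEVEL3, the function names model_capable() and check_in_level(), and the convention of returning 0 or -EPERM (real capable() returns a bool) are assumptions made here for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Levels of network virtualisation named in the mail. The numeric
 * values are an assumption of this example, not the patchset's. */
enum net_ns_level { NET_NS_LEVEL2 = 2, NET_NS_LEVEL3 = 3 };

/* Minimal user-space stand-ins for the kernel objects the mail refers
 * to via current->nsproxy->net_ns->level. */
struct net_ns  { enum net_ns_level level; };
struct nsproxy { struct net_ns *net_ns; };
struct task    { struct nsproxy *nsproxy; uint64_t cap_effective; };

/* Capability numbers as in <linux/capability.h>; only these two are used. */
#define CAP_NET_ADMIN 12
#define CAP_SYS_ADMIN 21
#define CAP_FULL_SET  (~(uint64_t)0)   /* what root holds in this model */

/* Modelled capable(): returns 0 when the capability is granted and
 * -EPERM when it is not (the mail describes the level 3 outcome as
 * -EPERM). The level 3 test runs before the bitmask test on purpose:
 * holding the bit, i.e. being root, must not help, so inside an
 * IP-level container CAP_NET_ADMIN is never granted. Every other
 * capability falls through to the ordinary effective-set check. */
int model_capable(const struct task *t, int cap)
{
    if (cap == CAP_NET_ADMIN &&
        t->nsproxy->net_ns->level == NET_NS_LEVEL3)
        return -EPERM;
    return (t->cap_effective & ((uint64_t)1 << cap)) ? 0 : -EPERM;
}

/* Build a task in a namespace of the given level holding `caps`, then
 * ask for `cap`. Wrapper so each scenario is a single call. */
int check_in_level(enum net_ns_level level, uint64_t caps, int cap)
{
    struct net_ns  ns    = { level };
    struct nsproxy proxy = { &ns };
    struct task    t     = { &proxy, caps };
    return model_capable(&t, cap);
}

int main(void)
{
    /* Constructed scenarios: root and an unprivileged task in each level. */
    struct {
        const char *what;
        enum net_ns_level lvl;
        uint64_t caps;
        int cap;
    } cases[] = {
        { "root, level 2, CAP_NET_ADMIN",         NET_NS_LEVEL2, CAP_FULL_SET, CAP_NET_ADMIN },
        { "root, level 3, CAP_NET_ADMIN",         NET_NS_LEVEL3, CAP_FULL_SET, CAP_NET_ADMIN },
        { "root, level 3, CAP_SYS_ADMIN",         NET_NS_LEVEL3, CAP_FULL_SET, CAP_SYS_ADMIN },
        { "unprivileged, level 2, CAP_NET_ADMIN", NET_NS_LEVEL2, 0,            CAP_NET_ADMIN },
    };

    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int rc = check_in_level(cases[i].lvl, cases[i].caps, cases[i].cap);
        printf("%-40s -> %s\n", cases[i].what, rc == 0 ? "allowed" : "-EPERM");
    }
    return 0;
}
```

The ordering of the two tests in model_capable() is the whole point: a check placed after the effective-set lookup would let a root process in a level 3 namespace through, which is exactly the administration the mail wants to forbid.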