Eric W. Biederman wrote:
> If loading the conntrack module changes the semantics of packet
> processing when nothing is configured that is a bug in the conntrack
> module.
That's the default behaviour since forever.
modprobe nf_conntrack_ipv4 -- module_init registers netfilter hooks
and starts do
"Mahesh Bandewar (महेश बंडेवार)" writes:
> On Mon, May 15, 2017 at 6:52 AM, David Miller wrote:
>> From: Greg Kroah-Hartman
>> Date: Mon, 15 May 2017 08:10:59 +0200
>>
>>> On Sun, May 14, 2017 at 08:57:34AM -0500, Eric W. Biederman wrote:
Greg Kroah-Hartman writes:
diff --git a/
From: Mahesh Bandewar (महेश बंडेवार)
Date: Mon, 15 May 2017 10:59:55 -0700
> The current behavior is already breaking things. e.g. unprivileged
> process can be root inside its own user-ns. This will allow it to
> create IPtable rules causing conntracking module to be loaded in
> default-ns affec
On Mon, May 15, 2017 at 6:52 AM, David Miller wrote:
> From: Greg Kroah-Hartman
> Date: Mon, 15 May 2017 08:10:59 +0200
>
>> On Sun, May 14, 2017 at 08:57:34AM -0500, Eric W. Biederman wrote:
>>> Greg Kroah-Hartman writes:
>>>
>>> diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
>>> inde
On Mon, May 15, 2017 at 6:12 AM, Eric Dumazet wrote:
> On Sun, May 14, 2017 at 7:42 PM, Mahesh Bandewar (महेश बंडेवार)
> wrote:
>> On Sun, May 14, 2017 at 3:45 AM, Greg Kroah-Hartman
>> wrote:
>>> On Fri, May 12, 2017 at 04:22:59PM -0700, Mahesh Bandewar wrote:
From: Mahesh Bandewar
>
From: Greg Kroah-Hartman
Date: Mon, 15 May 2017 08:10:59 +0200
> On Sun, May 14, 2017 at 08:57:34AM -0500, Eric W. Biederman wrote:
>> Greg Kroah-Hartman writes:
>>
>> diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
>> index bcb0f610ee42..6b72528a4636 100644
>> --- a/net/core/rtnetlink
From: Mahesh Bandewar (महेश बंडेवार)
Date: Sun, 14 May 2017 19:42:08 -0700
> Any module when loaded gets loaded system-wide as we can't allow
> module loading per-ns. To validate the behavior I was comparing it
> with insmod/modprobe, if that doesn't allow because of lack of this
> capability in
On Sun, May 14, 2017 at 7:42 PM, Mahesh Bandewar (महेश बंडेवार)
wrote:
> On Sun, May 14, 2017 at 3:45 AM, Greg Kroah-Hartman
> wrote:
>> On Fri, May 12, 2017 at 04:22:59PM -0700, Mahesh Bandewar wrote:
>>> From: Mahesh Bandewar
>>>
> [...]
>>> Now try to create a bridge inside this newly creat
On Sun, May 14, 2017 at 08:57:34AM -0500, Eric W. Biederman wrote:
> Greg Kroah-Hartman writes:
>
> > On Fri, May 12, 2017 at 04:22:59PM -0700, Mahesh Bandewar wrote:
> >> From: Mahesh Bandewar
> >>
> >> A process inside random user-ns should not load a module, which is
> >> currently possible.
On Sun, May 14, 2017 at 07:42:08PM -0700, Mahesh Bandewar (महेश बंडेवार) wrote:
> On Sun, May 14, 2017 at 3:45 AM, Greg Kroah-Hartman
> wrote:
> > On Fri, May 12, 2017 at 04:22:59PM -0700, Mahesh Bandewar wrote:
> >> From: Mahesh Bandewar
> >>
> [...]
> >> Now try to create a bridge inside this
On Sun, May 14, 2017 at 3:45 AM, Greg Kroah-Hartman
wrote:
> On Fri, May 12, 2017 at 04:22:59PM -0700, Mahesh Bandewar wrote:
>> From: Mahesh Bandewar
>>
[...]
>> Now try to create a bridge inside this newly created net-ns which would
>> mean bridge module need to be loaded.
>> # ip link ad
Greg Kroah-Hartman writes:
> On Fri, May 12, 2017 at 04:22:59PM -0700, Mahesh Bandewar wrote:
>> From: Mahesh Bandewar
>>
>> A process inside random user-ns should not load a module, which is
>> currently possible. As demonstrated in following scenario -
>>
>> Create namespaces; especially a
On Fri, May 12, 2017 at 04:22:59PM -0700, Mahesh Bandewar wrote:
> From: Mahesh Bandewar
>
> A process inside random user-ns should not load a module, which is
> currently possible. As demonstrated in following scenario -
>
> Create namespaces; especially a user-ns and become root inside.
>
From: Mahesh Bandewar
A process inside random user-ns should not load a module, which is
currently possible. As demonstrated in following scenario -
Create namespaces; especially a user-ns and become root inside.
$ unshare -rfUp -- unshare -unm -- bash
Try to load the bridge module. It sh