[PATCH] net/bluetooth: make bluetooth socket can be created in net namespace

[PATCH] net/bluetooth: make bluetooth socket can be created in net namespace

[fupan.li]

From: Fupan Li <fupan.li@windriver.com>

By now kernel only supported creating bluetooth socket in init_net
net namespace, which made bluetooth device cannot be accessed in
containers, this patch made bluetooth socket can be created in
net namespaces to fix this issue.

Signed-off-by: Fupan Li <fupan.li@windriver.com>
---
 net/bluetooth/af_bluetooth.c | 2 +-
 net/bluetooth/bnep/sock.c    | 4 ++--
 net/bluetooth/cmtp/sock.c    | 4 ++--
 net/bluetooth/hci_sock.c     | 4 ++--
 net/bluetooth/hidp/sock.c    | 4 ++--
 net/bluetooth/l2cap_sock.c   | 4 ++--
 net/bluetooth/rfcomm/core.c  | 2 +-
 net/bluetooth/rfcomm/sock.c  | 4 ++--
 net/bluetooth/sco.c          | 4 ++--
 9 files changed, 16 insertions(+), 16 deletions(-)

diff --git a/net/bluetooth/af_bluetooth.c b/net/bluetooth/af_bluetooth.c
index 91e3ba280706..eec5ac17faee 100644
--- a/net/bluetooth/af_bluetooth.c
+++ b/net/bluetooth/af_bluetooth.c
@@ -113,7 +113,7 @@ static int bt_sock_create(struct net *net, struct socket *sock, int proto,
 {
 	int err;
 
-	if (net != &init_net)
+	if (!net_eq(net, current->nsproxy->net_ns)) 
 		return -EAFNOSUPPORT;
 
 	if (proto < 0 || proto >= BT_MAX_PROTO)
diff --git a/net/bluetooth/bnep/sock.c b/net/bluetooth/bnep/sock.c
index b5116fa9835e..742b8626ebcd 100644
--- a/net/bluetooth/bnep/sock.c
+++ b/net/bluetooth/bnep/sock.c
@@ -241,7 +241,7 @@ int __init bnep_sock_init(void)
 		goto error;
 	}
 
-	err = bt_procfs_init(&init_net, "bnep", &bnep_sk_list, NULL);
+	err = bt_procfs_init(current->nsproxy->net_ns, "bnep", &bnep_sk_list, NULL);
 	if (err < 0) {
 		BT_ERR("Failed to create BNEP proc file");
 		bt_sock_unregister(BTPROTO_BNEP);
@@ -259,7 +259,7 @@ int __init bnep_sock_init(void)
 
 void __exit bnep_sock_cleanup(void)
 {
-	bt_procfs_cleanup(&init_net, "bnep");
+	bt_procfs_cleanup(current->nsproxy->net_ns, "bnep");
 	bt_sock_unregister(BTPROTO_BNEP);
 	proto_unregister(&bnep_proto);
 }
diff --git a/net/bluetooth/cmtp/sock.c b/net/bluetooth/cmtp/sock.c
index ce86a7bae844..d3d608489219 100644
--- a/net/bluetooth/cmtp/sock.c
+++ b/net/bluetooth/cmtp/sock.c
@@ -245,7 +245,7 @@ int cmtp_init_sockets(void)
 		goto error;
 	}
 
-	err = bt_procfs_init(&init_net, "cmtp", &cmtp_sk_list, NULL);
+	err = bt_procfs_init(current->nsproxy->net_ns, "cmtp", &cmtp_sk_list, NULL);
 	if (err < 0) {
 		BT_ERR("Failed to create CMTP proc file");
 		bt_sock_unregister(BTPROTO_HIDP);
@@ -263,7 +263,7 @@ int cmtp_init_sockets(void)
 
 void cmtp_cleanup_sockets(void)
 {
-	bt_procfs_cleanup(&init_net, "cmtp");
+	bt_procfs_cleanup(current->nsproxy->net_ns, "cmtp");
 	bt_sock_unregister(BTPROTO_CMTP);
 	proto_unregister(&cmtp_proto);
 }
diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c
index 65d734c165bd..549c6c1f273c 100644
--- a/net/bluetooth/hci_sock.c
+++ b/net/bluetooth/hci_sock.c
@@ -2038,7 +2038,7 @@ int __init hci_sock_init(void)
 		goto error;
 	}
 
-	err = bt_procfs_init(&init_net, "hci", &hci_sk_list, NULL);
+	err = bt_procfs_init(current->nsproxy->net_ns, "hci", &hci_sk_list, NULL);
 	if (err < 0) {
 		BT_ERR("Failed to create HCI proc file");
 		bt_sock_unregister(BTPROTO_HCI);
@@ -2056,7 +2056,7 @@ int __init hci_sock_init(void)
 
 void hci_sock_cleanup(void)
 {
-	bt_procfs_cleanup(&init_net, "hci");
+	bt_procfs_cleanup(current->nsproxy->net_ns, "hci");
 	bt_sock_unregister(BTPROTO_HCI);
 	proto_unregister(&hci_sk_proto);
 }
diff --git a/net/bluetooth/hidp/sock.c b/net/bluetooth/hidp/sock.c
index 008ba439bd62..19d4e9a40905 100644
--- a/net/bluetooth/hidp/sock.c
+++ b/net/bluetooth/hidp/sock.c
@@ -275,7 +275,7 @@ int __init hidp_init_sockets(void)
 		goto error;
 	}
 
-	err = bt_procfs_init(&init_net, "hidp", &hidp_sk_list, NULL);
+	err = bt_procfs_init(current->nsproxy->net_ns, "hidp", &hidp_sk_list, NULL);
 	if (err < 0) {
 		BT_ERR("Failed to create HIDP proc file");
 		bt_sock_unregister(BTPROTO_HIDP);
@@ -293,7 +293,7 @@ int __init hidp_init_sockets(void)
 
 void __exit hidp_cleanup_sockets(void)
 {
-	bt_procfs_cleanup(&init_net, "hidp");
+	bt_procfs_cleanup(current->nsproxy->net_ns, "hidp");
 	bt_sock_unregister(BTPROTO_HIDP);
 	proto_unregister(&hidp_proto);
 }
diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
index 67a8642f57ea..404bb1046c9c 100644
--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -1685,7 +1685,7 @@ int __init l2cap_init_sockets(void)
 		goto error;
 	}
 
-	err = bt_procfs_init(&init_net, "l2cap", &l2cap_sk_list,
+	err = bt_procfs_init(current->nsproxy->net_ns, "l2cap", &l2cap_sk_list,
 			     NULL);
 	if (err < 0) {
 		BT_ERR("Failed to create L2CAP proc file");
@@ -1704,7 +1704,7 @@ int __init l2cap_init_sockets(void)
 
 void l2cap_cleanup_sockets(void)
 {
-	bt_procfs_cleanup(&init_net, "l2cap");
+	bt_procfs_cleanup(current->nsproxy->net_ns, "l2cap");
 	bt_sock_unregister(BTPROTO_L2CAP);
 	proto_unregister(&l2cap_proto);
 }
diff --git a/net/bluetooth/rfcomm/core.c b/net/bluetooth/rfcomm/core.c
index 4a0b41d75c84..b02e6203bb9a 100644
--- a/net/bluetooth/rfcomm/core.c
+++ b/net/bluetooth/rfcomm/core.c
@@ -200,7 +200,7 @@ static int rfcomm_l2sock_create(struct socket **sock)
 
 	BT_DBG("");
 
-	err = sock_create_kern(&init_net, PF_BLUETOOTH, SOCK_SEQPACKET, BTPROTO_L2CAP, sock);
+	err = sock_create_kern(current->nsproxy->net_ns, PF_BLUETOOTH, SOCK_SEQPACKET, BTPROTO_L2CAP, sock);
 	if (!err) {
 		struct sock *sk = (*sock)->sk;
 		sk->sk_data_ready   = rfcomm_l2data_ready;
diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c
index 1aaccf637479..780146c642b0 100644
--- a/net/bluetooth/rfcomm/sock.c
+++ b/net/bluetooth/rfcomm/sock.c
@@ -1076,7 +1076,7 @@ int __init rfcomm_init_sockets(void)
 		goto error;
 	}
 
-	err = bt_procfs_init(&init_net, "rfcomm", &rfcomm_sk_list, NULL);
+	err = bt_procfs_init(current->nsproxy->net_ns, "rfcomm", &rfcomm_sk_list, NULL);
 	if (err < 0) {
 		BT_ERR("Failed to create RFCOMM proc file");
 		bt_sock_unregister(BTPROTO_RFCOMM);
@@ -1101,7 +1101,7 @@ int __init rfcomm_init_sockets(void)
 
 void __exit rfcomm_cleanup_sockets(void)
 {
-	bt_procfs_cleanup(&init_net, "rfcomm");
+	bt_procfs_cleanup(current->nsproxy->net_ns, "rfcomm");
 
 	debugfs_remove(rfcomm_sock_debugfs);
 
diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
index 795e920a3281..0c9dcc2a6009 100644
--- a/net/bluetooth/sco.c
+++ b/net/bluetooth/sco.c
@@ -1229,7 +1229,7 @@ int __init sco_init(void)
 		goto error;
 	}
 
-	err = bt_procfs_init(&init_net, "sco", &sco_sk_list, NULL);
+	err = bt_procfs_init(current->nsproxy->net_ns, "sco", &sco_sk_list, NULL);
 	if (err < 0) {
 		BT_ERR("Failed to create SCO proc file");
 		bt_sock_unregister(BTPROTO_SCO);
@@ -1255,7 +1255,7 @@ int __init sco_init(void)
 
 void sco_exit(void)
 {
-	bt_procfs_cleanup(&init_net, "sco");
+	bt_procfs_cleanup(current->nsproxy->net_ns, "sco");	
 
 	debugfs_remove(sco_debugfs);
 
-- 
2.11.0

Re: [PATCH] net/bluetooth: make bluetooth socket can be created in net namespace

[Marcel Holtmann]

Hi Fupan,

> By now kernel only supported creating bluetooth socket in init_net
> net namespace, which made bluetooth device cannot be accessed in
> containers, this patch made bluetooth socket can be created in
> net namespaces to fix this issue.
> 
> Signed-off-by: Fupan Li <fupan.li@windriver.com>
> ---
> net/bluetooth/af_bluetooth.c | 2 +-
> net/bluetooth/bnep/sock.c    | 4 ++--
> net/bluetooth/cmtp/sock.c    | 4 ++--
> net/bluetooth/hci_sock.c     | 4 ++--
> net/bluetooth/hidp/sock.c    | 4 ++--
> net/bluetooth/l2cap_sock.c   | 4 ++--
> net/bluetooth/rfcomm/core.c  | 2 +-
> net/bluetooth/rfcomm/sock.c  | 4 ++--
> net/bluetooth/sco.c          | 4 ++--
> 9 files changed, 16 insertions(+), 16 deletions(-)
> 
> diff --git a/net/bluetooth/af_bluetooth.c b/net/bluetooth/af_bluetooth.c
> index 91e3ba280706..eec5ac17faee 100644
> --- a/net/bluetooth/af_bluetooth.c
> +++ b/net/bluetooth/af_bluetooth.c
> @@ -113,7 +113,7 @@ static int bt_sock_create(struct net *net, struct socket *sock, int proto,
> {
> 	int err;
> 
> -	if (net != &init_net)
> +	if (!net_eq(net, current->nsproxy->net_ns)) 
> 		return -EAFNOSUPPORT;

before I apply such a patch, what is the actual change here. What impact does this have? Are things like Bluetooth mgmt sockets still operating correctly after this? We have no support for move a Bluetooth controller into a container. The Bluetooth hardware is global.

Regards

Marcel

Re: [PATCH] net/bluetooth: make bluetooth socket can be created in net namespace

[fupan]

On 2017/8/14 17:30, Marcel Holtmann wrote:
> Hi Fupan,
>
>> By now kernel only supported creating bluetooth socket in init_net
>> net namespace, which made bluetooth device cannot be accessed in
>> containers, this patch made bluetooth socket can be created in
>> net namespaces to fix this issue.
>>
>> Signed-off-by: Fupan Li <fupan.li@windriver.com>
>> ---
>> net/bluetooth/af_bluetooth.c | 2 +-
>> net/bluetooth/bnep/sock.c    | 4 ++--
>> net/bluetooth/cmtp/sock.c    | 4 ++--
>> net/bluetooth/hci_sock.c     | 4 ++--
>> net/bluetooth/hidp/sock.c    | 4 ++--
>> net/bluetooth/l2cap_sock.c   | 4 ++--
>> net/bluetooth/rfcomm/core.c  | 2 +-
>> net/bluetooth/rfcomm/sock.c  | 4 ++--
>> net/bluetooth/sco.c          | 4 ++--
>> 9 files changed, 16 insertions(+), 16 deletions(-)
>>
>> diff --git a/net/bluetooth/af_bluetooth.c b/net/bluetooth/af_bluetooth.c
>> index 91e3ba280706..eec5ac17faee 100644
>> --- a/net/bluetooth/af_bluetooth.c
>> +++ b/net/bluetooth/af_bluetooth.c
>> @@ -113,7 +113,7 @@ static int bt_sock_create(struct net *net, struct socket *sock, int proto,
>> {
>> 	int err;
>>
>> -	if (net != &init_net)
>> +	if (!net_eq(net, current->nsproxy->net_ns))
>> 		return -EAFNOSUPPORT;
> before I apply such a patch, what is the actual change here. What impact does this have? Are things like Bluetooth mgmt sockets still operating correctly after this? We have no support for move a Bluetooth controller into a container. The Bluetooth hardware is global.
Hi， Marcel

This patch hasn't nothing to do with the Bluetooth hardware, the 
hardware is still global.
But before you apply this patch, you cannot access the bluetooth 
hardware in a container,
since you cannot create a bluetooth socket if you are not in the 
init_net namespace.
After applying this patch, you can access the bluetooth hardware both in 
the init_net namespace
and containers.


Fupan
>
> Regards
>
> Marcel
>
>

Re: [PATCH] net/bluetooth: make bluetooth socket can be created in net namespace

[Szymon Janc]

Hi,

On 14 August 2017 at 11:45, fupan <fupan.li@windriver.com> wrote:
> On 2017/8/14 17:30, Marcel Holtmann wrote:
>>
>> Hi Fupan,
>>
>>> By now kernel only supported creating bluetooth socket in init_net
>>> net namespace, which made bluetooth device cannot be accessed in
>>> containers, this patch made bluetooth socket can be created in
>>> net namespaces to fix this issue.
>>>
>>> Signed-off-by: Fupan Li <fupan.li@windriver.com>
>>> ---
>>> net/bluetooth/af_bluetooth.c | 2 +-
>>> net/bluetooth/bnep/sock.c    | 4 ++--
>>> net/bluetooth/cmtp/sock.c    | 4 ++--
>>> net/bluetooth/hci_sock.c     | 4 ++--
>>> net/bluetooth/hidp/sock.c    | 4 ++--
>>> net/bluetooth/l2cap_sock.c   | 4 ++--
>>> net/bluetooth/rfcomm/core.c  | 2 +-
>>> net/bluetooth/rfcomm/sock.c  | 4 ++--
>>> net/bluetooth/sco.c          | 4 ++--
>>> 9 files changed, 16 insertions(+), 16 deletions(-)
>>>
>>> diff --git a/net/bluetooth/af_bluetooth.c b/net/bluetooth/af_bluetooth.c
>>> index 91e3ba280706..eec5ac17faee 100644
>>> --- a/net/bluetooth/af_bluetooth.c
>>> +++ b/net/bluetooth/af_bluetooth.c
>>> @@ -113,7 +113,7 @@ static int bt_sock_create(struct net *net, struct
>>> socket *sock, int proto,
>>> {
>>>         int err;
>>>
>>> -       if (net != &init_net)
>>> +       if (!net_eq(net, current->nsproxy->net_ns))
>>>                 return -EAFNOSUPPORT;
>>
>> before I apply such a patch, what is the actual change here. What impact
>> does this have? Are things like Bluetooth mgmt sockets still operating
>> correctly after this? We have no support for move a Bluetooth controller
>> into a container. The Bluetooth hardware is global.
>
> Hi， Marcel
>
> This patch hasn't nothing to do with the Bluetooth hardware, the hardware is
> still global.
> But before you apply this patch, you cannot access the bluetooth hardware in
> a container,
> since you cannot create a bluetooth socket if you are not in the init_net
> namespace.
> After applying this patch, you can access the bluetooth hardware both in the
> init_net namespace
> and containers.

Does this mean one could sniff BT traffic from container? Or control
BT hw from multiple containers?

-- 
pozdrawiam
Szymon K. Janc

Re: [PATCH] net/bluetooth: make bluetooth socket can be created in net namespace

[Szymon Janc]

Hi,

On 14 August 2017 at 11:45, fupan <fupan.li@windriver.com> wrote:
> On 2017/8/14 17:30, Marcel Holtmann wrote:
>>
>> Hi Fupan,
>>
>>> By now kernel only supported creating bluetooth socket in init_net
>>> net namespace, which made bluetooth device cannot be accessed in
>>> containers, this patch made bluetooth socket can be created in
>>> net namespaces to fix this issue.
>>>
>>> Signed-off-by: Fupan Li <fupan.li@windriver.com>
>>> ---
>>> net/bluetooth/af_bluetooth.c | 2 +-
>>> net/bluetooth/bnep/sock.c    | 4 ++--
>>> net/bluetooth/cmtp/sock.c    | 4 ++--
>>> net/bluetooth/hci_sock.c     | 4 ++--
>>> net/bluetooth/hidp/sock.c    | 4 ++--
>>> net/bluetooth/l2cap_sock.c   | 4 ++--
>>> net/bluetooth/rfcomm/core.c  | 2 +-
>>> net/bluetooth/rfcomm/sock.c  | 4 ++--
>>> net/bluetooth/sco.c          | 4 ++--
>>> 9 files changed, 16 insertions(+), 16 deletions(-)
>>>
>>> diff --git a/net/bluetooth/af_bluetooth.c b/net/bluetooth/af_bluetooth.=
c
>>> index 91e3ba280706..eec5ac17faee 100644
>>> --- a/net/bluetooth/af_bluetooth.c
>>> +++ b/net/bluetooth/af_bluetooth.c
>>> @@ -113,7 +113,7 @@ static int bt_sock_create(struct net *net, struct
>>> socket *sock, int proto,
>>> {
>>>         int err;
>>>
>>> -       if (net !=3D &init_net)
>>> +       if (!net_eq(net, current->nsproxy->net_ns))
>>>                 return -EAFNOSUPPORT;
>>
>> before I apply such a patch, what is the actual change here. What impact
>> does this have? Are things like Bluetooth mgmt sockets still operating
>> correctly after this? We have no support for move a Bluetooth controller
>> into a container. The Bluetooth hardware is global.
>
> Hi=EF=BC=8C Marcel
>
> This patch hasn't nothing to do with the Bluetooth hardware, the hardware=
 is
> still global.
> But before you apply this patch, you cannot access the bluetooth hardware=
 in
> a container,
> since you cannot create a bluetooth socket if you are not in the init_net
> namespace.
> After applying this patch, you can access the bluetooth hardware both in =
the
> init_net namespace
> and containers.

Does this mean one could sniff BT traffic from container? Or control
BT hw from multiple containers?

--=20
pozdrawiam
Szymon K. Janc

Re: [PATCH] net/bluetooth: make bluetooth socket can be created in net namespace

[Marcel Holtmann]

Hi Szymon,

>>>> By now kernel only supported creating bluetooth socket in init_net
>>>> net namespace, which made bluetooth device cannot be accessed in
>>>> containers, this patch made bluetooth socket can be created in
>>>> net namespaces to fix this issue.
>>>> 
>>>> Signed-off-by: Fupan Li <fupan.li@windriver.com>
>>>> ---
>>>> net/bluetooth/af_bluetooth.c | 2 +-
>>>> net/bluetooth/bnep/sock.c    | 4 ++--
>>>> net/bluetooth/cmtp/sock.c    | 4 ++--
>>>> net/bluetooth/hci_sock.c     | 4 ++--
>>>> net/bluetooth/hidp/sock.c    | 4 ++--
>>>> net/bluetooth/l2cap_sock.c   | 4 ++--
>>>> net/bluetooth/rfcomm/core.c  | 2 +-
>>>> net/bluetooth/rfcomm/sock.c  | 4 ++--
>>>> net/bluetooth/sco.c          | 4 ++--
>>>> 9 files changed, 16 insertions(+), 16 deletions(-)
>>>> 
>>>> diff --git a/net/bluetooth/af_bluetooth.c b/net/bluetooth/af_bluetooth.c
>>>> index 91e3ba280706..eec5ac17faee 100644
>>>> --- a/net/bluetooth/af_bluetooth.c
>>>> +++ b/net/bluetooth/af_bluetooth.c
>>>> @@ -113,7 +113,7 @@ static int bt_sock_create(struct net *net, struct
>>>> socket *sock, int proto,
>>>> {
>>>>        int err;
>>>> 
>>>> -       if (net != &init_net)
>>>> +       if (!net_eq(net, current->nsproxy->net_ns))
>>>>                return -EAFNOSUPPORT;
>>> 
>>> before I apply such a patch, what is the actual change here. What impact
>>> does this have? Are things like Bluetooth mgmt sockets still operating
>>> correctly after this? We have no support for move a Bluetooth controller
>>> into a container. The Bluetooth hardware is global.
>> 
>> Hi， Marcel
>> 
>> This patch hasn't nothing to do with the Bluetooth hardware, the hardware is
>> still global.
>> But before you apply this patch, you cannot access the bluetooth hardware in
>> a container,
>> since you cannot create a bluetooth socket if you are not in the init_net
>> namespace.
>> After applying this patch, you can access the bluetooth hardware both in the
>> init_net namespace
>> and containers.
> 
> Does this mean one could sniff BT traffic from container? Or control
> BT hw from multiple containers?

from how I read the change, then yes, the container could start another bluetoothd or btmon. As long as you use an user namespace and gain CAP_NET_ADMIN and CAP_NET_RAW privileges.

I am actually not convinced we really want this. More useful seems the fact to create a virtual child hciX controller that then can be moved into container. It would use the parent hciX controller as real hardware. However this most likely only works for BLE since with BR/EDR this is rather complicated and there are actual role limits.

Regards

Marcel

Re: [PATCH] net/bluetooth: make bluetooth socket can be created in net namespace

[fupan]

On 2017/8/14 23:59, Marcel Holtmann wrote:
> Hi Szymon,
>
>>>>> By now kernel only supported creating bluetooth socket in init_net
>>>>> net namespace, which made bluetooth device cannot be accessed in
>>>>> containers, this patch made bluetooth socket can be created in
>>>>> net namespaces to fix this issue.
>>>>>
>>>>> Signed-off-by: Fupan Li <fupan.li@windriver.com>
>>>>> ---
>>>>> net/bluetooth/af_bluetooth.c | 2 +-
>>>>> net/bluetooth/bnep/sock.c    | 4 ++--
>>>>> net/bluetooth/cmtp/sock.c    | 4 ++--
>>>>> net/bluetooth/hci_sock.c     | 4 ++--
>>>>> net/bluetooth/hidp/sock.c    | 4 ++--
>>>>> net/bluetooth/l2cap_sock.c   | 4 ++--
>>>>> net/bluetooth/rfcomm/core.c  | 2 +-
>>>>> net/bluetooth/rfcomm/sock.c  | 4 ++--
>>>>> net/bluetooth/sco.c          | 4 ++--
>>>>> 9 files changed, 16 insertions(+), 16 deletions(-)
>>>>>
>>>>> diff --git a/net/bluetooth/af_bluetooth.c b/net/bluetooth/af_bluetooth.c
>>>>> index 91e3ba280706..eec5ac17faee 100644
>>>>> --- a/net/bluetooth/af_bluetooth.c
>>>>> +++ b/net/bluetooth/af_bluetooth.c
>>>>> @@ -113,7 +113,7 @@ static int bt_sock_create(struct net *net, struct
>>>>> socket *sock, int proto,
>>>>> {
>>>>>         int err;
>>>>>
>>>>> -       if (net != &init_net)
>>>>> +       if (!net_eq(net, current->nsproxy->net_ns))
>>>>>                 return -EAFNOSUPPORT;
>>>> before I apply such a patch, what is the actual change here. What impact
>>>> does this have? Are things like Bluetooth mgmt sockets still operating
>>>> correctly after this? We have no support for move a Bluetooth controller
>>>> into a container. The Bluetooth hardware is global.
>>> Hi， Marcel
>>>
>>> This patch hasn't nothing to do with the Bluetooth hardware, the hardware is
>>> still global.
>>> But before you apply this patch, you cannot access the bluetooth hardware in
>>> a container,
>>> since you cannot create a bluetooth socket if you are not in the init_net
>>> namespace.
>>> After applying this patch, you can access the bluetooth hardware both in the
>>> init_net namespace
>>> and containers.
>> Does this mean one could sniff BT traffic from container? Or control
>> BT hw from multiple containers?
> from how I read the change, then yes, the container could start another bluetoothd or btmon. As long as you use an user namespace and gain CAP_NET_ADMIN and CAP_NET_RAW privileges.
Hi, Marcel

Yes, you are right. Actually the reason we want this patch is that in 
our embedded container OS we want to
put all of the hardware control rights into a privilege container, just 
as Xen's dom0 role.

Thus we can thin our essential rootfs as small as possible and 
containerlized all of the Apps.

Thanks!

Fupan
> I am actually not convinced we really want this. More useful seems the fact to create a virtual child hciX controller that then can be moved into container. It would use the parent hciX controller as real hardware. However this most likely only works for BLE since with BR/EDR this is rather complicated and there are actual role limits.
>
> Regards
>
> Marcel
>
>