LKML Archive on
 help / color / Atom feed
From: Dmitry Torokhov <>
To: Christian Brauner <>
Cc: "Eric W. Biederman" <>,
	"David S. Miller" <>,
	netdev <>,
	lkml <>,,,
	"Serge E. Hallyn" <>,
	Greg Kroah-Hartman <>
Subject: Re: [PATCH net-next 2/2 v5] netns: restrict uevents
Date: Sun, 16 Jun 2019 10:14:32 -0700
Message-ID: <> (raw)
In-Reply-To: <>

Hi Christian,

On Sun, Jun 16, 2019 at 9:50 AM Christian Brauner
<> wrote:
> Hey Dmitry,
> Crostini on ChromeOS is making heavy use of this patchset and of LXD. So
> reverting this almost 1.5 years after the fact will regress all of
> Google's ChromeOS Crostini users, and all LXD/LXC users.
> LXD and Crostini by using LXD (through Concierge/Tremplin etc. [2]) are
> using this whole series e.g. when hotplugging usb devices into the
> container.
> When a usb hotplug happens, LXD will receive the relevant uevent and
> will forward it to the container. Any process listening on a uevent
> socket inside the container will now be able to see it.
> Now, to talk briefly about solutions:
> From what I gather from talking to the ChromeOS guys and from your
> ChromeOS bugtracker and recent patchsets to ARC you are moving your
> Android workloads into Crostini? So like Eric said this seems like a new
> feature you're implementing.

No, I am talking about ARC, not Crostini here.

> If you need to be able to listen to uevents inside of a user namespace
> and plan on using Crostini going forward then you can have Crostini
> forward battery uevents to the container. The logic for doing this can
> be found in the LXD codebase (cf. [3]). It's pretty simple. If you want
> to go this route I'm happy to guide you. :)
> Note, both options are a version of what Eric suggested in his last
> paragraph!
> What astonishes me is that healthd couldn't have possibly received
> battery uevents for a long time even if Android already was run in user
> namespaces prior to the new feature you're working on and the healthd I
> see in master is not even using uevents anymore (cf. [8]) but rather is
> using sysfs it seems. :)
> Before that healthd was using (cf. [7])
> uevent_kernel_multicast_recv()
> |
> -> uevent_kernel_multicast_uid_recv
> the latter containing the check
> if (cred->uid != 0) {
>     /* ignoring netlink message from non-root user */
>     goto out;
> }
> Before my patchset here the uevents sent out came with cred->uid == INVALID_UID
> and so healthd never received those events until very recently.

I see. OK, let me try digging into this to figure out what exactly changed.



  reply index

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-04-29 10:44 [PATCH net-next 0/2 v5] netns: uevent filtering Christian Brauner
2018-04-29 10:44 ` [PATCH net-next 1/2 v5] uevent: add alloc_uevent_skb() helper Christian Brauner
2018-04-29 10:44 ` [PATCH net-next 2/2 v5] netns: restrict uevents Christian Brauner
2019-06-14 22:49   ` Dmitry Torokhov
2019-06-16 11:50     ` ebiederm
2019-06-16 16:50       ` Christian Brauner
2019-06-16 17:14         ` Dmitry Torokhov [this message]
2019-06-16 16:50       ` Dmitry Torokhov
2018-04-30 15:55 ` [PATCH net-next 0/2 v5] netns: uevent filtering ebiederm
2018-05-01 14:23   ` David Miller

Reply instructions:

You may reply publically to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \ \ \ \ \ \ \ \ \ \ \ \

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

LKML Archive on

Archives are clonable:
	git clone --mirror lkml/git/0.git
	git clone --mirror lkml/git/1.git
	git clone --mirror lkml/git/2.git
	git clone --mirror lkml/git/3.git
	git clone --mirror lkml/git/4.git
	git clone --mirror lkml/git/5.git
	git clone --mirror lkml/git/6.git
	git clone --mirror lkml/git/7.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 lkml lkml/ \
	public-inbox-index lkml

Newsgroup available over NNTP:

AGPL code for this site: git clone public-inbox