Re: [PATCH net-next 2/2 v5] netns: restrict uevents

From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
To: Christian Brauner <christian.brauner@ubuntu.com>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>,
	"David S. Miller" <davem@davemloft.net>,
	netdev <netdev@vger.kernel.org>,
	lkml <linux-kernel@vger.kernel.org>,
	avagin@virtuozzo.com, ktkhai@virtuozzo.com,
	"Serge E. Hallyn" <serge@hallyn.com>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Subject: Re: [PATCH net-next 2/2 v5] netns: restrict uevents
Date: Fri, 14 Jun 2019 15:49:30 -0700	[thread overview]
Message-ID: <CAKdAkRTtffEQfZLnSW9CwzX_oYzHdOE816OvciGadqV7RHaV1Q@mail.gmail.com> (raw)
In-Reply-To: <20180429104412.22445-3-christian.brauner@ubuntu.com>

Hi Christian,

On Sun, Apr 29, 2018 at 3:45 AM Christian Brauner
<christian.brauner@ubuntu.com> wrote:
>
> commit 07e98962fa77 ("kobject: Send hotplug events in all network namespaces")
>abhishekbh@google.com
> enabled sending hotplug events into all network namespaces back in 2010.
> Over time the set of uevents that get sent into all network namespaces has
> shrunk. We have now reached the point where hotplug events for all devices
> that carry a namespace tag are filtered according to that namespace.
> Specifically, they are filtered whenever the namespace tag of the kobject
> does not match the namespace tag of the netlink socket.
> Currently, only network devices carry namespace tags (i.e. network
> namespace tags). Hence, uevents for network devices only show up in the
> network namespace such devices are created in or moved to.
>
> However, any uevent for a kobject that does not have a namespace tag
> associated with it will not be filtered and we will broadcast it into all
> network namespaces. This behavior stopped making sense when user namespaces
> were introduced.
>
> This patch simplifies and fixes couple of things:
> - Split codepath for sending uevents by kobject namespace tags:
>   1. Untagged kobjects - uevent_net_broadcast_untagged():
>      Untagged kobjects will be broadcast into all uevent sockets recorded
>      in uevent_sock_list, i.e. into all network namespacs owned by the
>      intial user namespace.
>   2. Tagged kobjects - uevent_net_broadcast_tagged():
>      Tagged kobjects will only be broadcast into the network namespace they
>      were tagged with.
>   Handling of tagged kobjects in 2. does not cause any semantic changes.
>   This is just splitting out the filtering logic that was handled by
>   kobj_bcast_filter() before.
>   Handling of untagged kobjects in 1. will cause a semantic change. The
>   reasons why this is needed and ok have been discussed in [1]. Here is a
>   short summary:
>   - Userspace ignores uevents from network namespaces that are not owned by
>     the intial user namespace:
>     Uevents are filtered by userspace in a user namespace because the
>     received uid != 0. Instead the uid associated with the event will be
>     65534 == "nobody" because the global root uid is not mapped.
>     This means we can safely and without introducing regressions modify the
>     kernel to not send uevents into all network namespaces whose owning
>     user namespace is not the initial user namespace because we know that
>     userspace will ignore the message because of the uid anyway.
>     I have a) verified that is is true for every udev implementation out
>     there b) that this behavior has been present in all udev
>     implementations from the very beginning.

Unfortunately udev is not the only consumer of uevents, for example on
Android there is healthd that also consumes uevents, and this
particular change broke Android running in a container on Chrome OS.
Can this be reverted? Or, if we want to keep this, how can containers
that use separate user namespace still listen to uevents?

Thanks.

-- 
Dmitry