Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
Merge branch 'vsock-fix-child-netns-mode-initialization-and-restriction'

Stefano Garzarella says:

====================
vsock: fix child netns mode initialization and restriction

This series fixes two issues in the vsock network namespace support
recently introduced by commit eafb64f40ca4 ("vsock: add netns to vsock
core").

Patch 1 fixes `child_ns_mode` being always hardcoded to "global" for new
namespaces, breaking propagation of the "local" mode through nested
namespaces.

Patch 2 prevents a "local" namespace from switching `child_ns_mode` to
"global", which would allow nested namespaces to escape vsock isolation
and access global CIDs.
====================

Link: https://patch.msgid.link/20260212205916.97533-1-sgarzare@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

+15 -5
net/vmw_vsock/af_vsock.c
··· 91 91 * - /proc/sys/net/vsock/ns_mode (read-only) reports the current namespace's 92 92 * mode, which is set at namespace creation and immutable thereafter. 93 93 * - /proc/sys/net/vsock/child_ns_mode (writable) controls what mode future 94 - * child namespaces will inherit when created. The default is "global". 94 + * child namespaces will inherit when created. The initial value matches 95 + * the namespace's own ns_mode. 95 96 * 96 97 * Changing child_ns_mode only affects newly created namespaces, not the 97 - * current namespace or existing children. At namespace creation, ns_mode 98 - * is inherited from the parent's child_ns_mode. 98 + * current namespace or existing children. A "local" namespace cannot set 99 + * child_ns_mode to "global". At namespace creation, ns_mode is inherited 100 + * from the parent's child_ns_mode. 99 101 * 100 102 * The init_net mode is "global" and cannot be modified. 101 103 * ··· 2845 2843 if (ret) 2846 2844 return ret; 2847 2845 2848 - if (write) 2846 + if (write) { 2847 + /* Prevent a "local" namespace from escalating to "global", 2848 + * which would give nested namespaces access to global CIDs. 2849 + */ 2850 + if (vsock_net_mode(net) == VSOCK_NET_MODE_LOCAL && 2851 + new_mode == VSOCK_NET_MODE_GLOBAL) 2852 + return -EPERM; 2853 + 2849 2854 vsock_net_set_child_mode(net, new_mode); 2855 + } 2850 2856 2851 2857 return 0; 2852 2858 } ··· 2922 2912 else 2923 2913 net->vsock.mode = vsock_net_child_mode(current->nsproxy->net_ns); 2924 2914 2925 - net->vsock.child_ns_mode = VSOCK_NET_MODE_GLOBAL; 2915 + net->vsock.child_ns_mode = net->vsock.mode; 2926 2916 } 2927 2917 2928 2918 static __net_init int vsock_sysctl_init_net(struct net *net)
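Review bot: the rewritten header comment (hunk lines 98-100) states that a "local" namespace cannot set child_ns_mode to "global" but does not say how such a write fails; add that the sysctl write returns -EPERM in that case, matching the handler change further down, so an administrator reading the comment knows which error to expect.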
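Review bot: in the write path, the new LOCAL-to-GLOBAL check sits after the earlier `if (ret) return ret;`, so a malformed value still reports the parse error first and only a well-formed "global" request reaches the `return -EPERM;`; that ordering is right, and -EPERM is the correct code for a policy denial rather than -EINVAL. Worth confirming that `net` in `vsock_net_mode(net)` is the namespace that owns the sysctl table being written and not the caller's namespace, since the whole restriction rests on that, and worth a one-line comment that the reverse direction (a "global" namespace choosing "local" for its children) stays permitted by design.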
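Review bot: `net->vsock.child_ns_mode = net->vsock.mode;` is placed after both branches that initialise `net->vsock.mode`, so the child default is always derived from an already-set value and a "local" parent now yields "local" grandchildren; a selftest that creates a nested namespace under a "local" parent and reads /proc/sys/net/vsock/ns_mode and child_ns_mode in the child would pin this behaviour, since the previous hardcoded VSOCK_NET_MODE_GLOBAL would have passed any test that only looked one level deep.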