1. 23 Jun, 2010 7 commits
  2. 21 Jun, 2010 4 commits
  3. 19 Jun, 2010 17 commits
  4. 17 Jun, 2010 9 commits
  5. 16 Jun, 2010 3 commits
    • David S. Miller's avatar
      net: Export cred_to_ucred to modules. · 3924773a
      David S. Miller authored
      AF_UNIX references this, and can be built as a module,
      so...
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3924773a
    • Eric W. Biederman's avatar
      af_unix: Allow connecting to sockets in other network namespaces. · 6616f788
      Eric W. Biederman authored
      Remove the restriction that only allows connecting to a unix domain
      socket identified by unix path that is in the same network namespace.
      
      Crossing network namespaces is always tricky and we did not support
      this at first, because of a strict policy of don't mix the namespaces.
      Later after Pavel proposed this we did not support this because no one
      had performed the audit to make certain using unix domain sockets
      across namespaces is safe.
      
      What fundamentally makes connecting to af_unix sockets in other
      namespaces is safe is that you have to have the proper permissions on
      the unix domain socket inode that lives in the filesystem.  If you
      want strict isolation you just don't create inodes where unfriendlys
      can get at them, or with permissions that allow unfriendlys to open
      them.  All nicely handled for us by the mount namespace and other
      standard file system facilities.
      
      I looked through unix domain sockets and they are a very controlled
      environment so none of the work that goes on in dev_forward_skb to
      make crossing namespaces safe appears needed, we are not loosing
      controll of the skb and so do not need to set up the skb to look like
      it is comming in fresh from the outside world.  Further the fields in
      struct unix_skb_parms should not have any problems crossing network
      namespaces.
      
      Now that we handle SCM_CREDENTIALS in a way that gives useable values
      across namespaces.  There does not appear to be any operational
      problems with encouraging the use of unix domain sockets across
      containers either.
      Signed-off-by: default avatarEric W. Biederman <ebiederm@xmission.com>
      Acked-by: default avatarDaniel Lezcano <daniel.lezcano@free.fr>
      Acked-by: default avatarPavel Emelyanov <xemul@openvz.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6616f788
    • Eric W. Biederman's avatar
      af_unix: Allow credentials to work across user and pid namespaces. · 7361c36c
      Eric W. Biederman authored
      In unix_skb_parms store pointers to struct pid and struct cred instead
      of raw uid, gid, and pid values, then translate the credentials on
      reception into values that are meaningful in the receiving processes
      namespaces.
      Signed-off-by: default avatarEric W. Biederman <ebiederm@xmission.com>
      Acked-by: default avatarPavel Emelyanov <xemul@openvz.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      7361c36c