On Tue, Jul 09, 2019 at 01:11:24PM +0200, Ondrej Mosnacek wrote: > Currently, NETLINK_CRYPTO works only in the init network namespace. It > doesn't make much sense to cut it out of the other network namespaces, > so do the minor plumbing work necessary to make it work in any network > namespace. Code inspired by net/core/sock_diag.c. > > Tested using kcapi-dgst from libkcapi [1]: > Before: > # unshare -n kcapi-dgst -c sha256 </dev/null | wc -c > libkcapi - Error: Netlink error: sendmsg failed > libkcapi - Error: Netlink error: sendmsg failed > libkcapi - Error: NETLINK_CRYPTO: cannot obtain cipher information for > hmac(sha512) (is required crypto_user.c patch missing? see documentation) > 0 > > After: > # unshare -n kcapi-dgst -c sha256 </dev/null | wc -c > 32 > > [1] https://github.com/smuellerDD/libkcapi > > Signed-off-by: Ondrej Mosnacek <omosn...@redhat.com>
Should we really let root inside a namespace manipulate crypto algorithms which are global? I think we should only allow the query operations without deeper surgery. Cheers, -- Email: Herbert Xu <herb...@gondor.apana.org.au> Home Page: http://gondor.apana.org.au/~herbert/ PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
