Hi Miroslav,

On Thu, Apr 18, 2019 at 10:05:09AM +0200, Miroslav Lichvar wrote:
> > So I guess the macvlan should reject SIOCSHWTSTAMP but allow
> > SIOCGHWTSTAMP.
>
> FWIW, my suggestion was to limit what the SIOCSHWTSTAMP ioctl can do
> on the virtual interface. It could only enable HW timestamping or

I think this is not enough, as a user could enable HWTSTAMP_FILTER_NONE.

> select a more general filter. A container could run a PTP clock if it

Do you have an idea about how to select a general filter? If we have
enabled HWTSTAMP_FILTER_PTP_V2_L4_SYNC on the host and a user in a
container wants to enable HWTSTAMP_FILTER_PTP_V2_L4_DELAY_REQ, then which
one is more general?

> had also access to the PHC device, or it could have the NET_ADMIN
> capability for other reasons, but it couldn't disable HW timestamping
> enabled by the host or other container.
>
> If I understand it correctly, even without this ioctl a container can
> prevent the host or other containers from getting some of the HW
> timestamps by requesting TX timestamps at a high rate. I suspect the

Could traffic shaping/limitation fix it?

> timestamping would need to be restricted to the real interface to
> fully protect it from applications having access to the virtual
> interfaces.

Thanks
Hangbin
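As an added example, not code from this thread, from the macvlan driver or from any kernel patch: the C below models in userspace the rule Miroslav proposes (a SIOCSHWTSTAMP issued through the virtual interface may only enable timestamping or select a more general filter, never narrow or disable it) so that the case Hangbin raises can be checked. The enum values and the hwtstamp_config layout mirror <linux/net_tstamp.h>; the packet-class bitmasks, the covers/join helpers and the treatment of HWTSTAMP_FILTER_SOME as not requestable are this example's own assumptions about which packets each filter timestamps. For PTP_V2_L4_SYNC versus PTP_V2_L4_DELAY_REQ neither filter covers the other, so the request would be refused, and the least filter serving both is PTP_V2_L4_EVENT.

```c
/* Added example, not code from the thread or from the kernel's macvlan driver.
 * It models the "SIOCSHWTSTAMP may only enable or widen hardware timestamping"
 * rule discussed above in userspace, so the ambiguous cases can be checked.
 * Enum values mirror <linux/net_tstamp.h>; the packet-class bitmasks are this
 * example's own assumption about which packets each filter timestamps. */
#include <stdint.h>
#include <stdio.h>

enum hwtstamp_tx_types { HWTSTAMP_TX_OFF = 0, HWTSTAMP_TX_ON = 1 };

/* Same order and values as enum hwtstamp_rx_filters in the kernel uapi. */
enum hwtstamp_rx_filters {
	HWTSTAMP_FILTER_NONE, HWTSTAMP_FILTER_ALL, HWTSTAMP_FILTER_SOME,
	HWTSTAMP_FILTER_PTP_V1_L4_EVENT, HWTSTAMP_FILTER_PTP_V1_L4_SYNC,
	HWTSTAMP_FILTER_PTP_V1_L4_DELAY_REQ,
	HWTSTAMP_FILTER_PTP_V2_L4_EVENT, HWTSTAMP_FILTER_PTP_V2_L4_SYNC,
	HWTSTAMP_FILTER_PTP_V2_L4_DELAY_REQ,
	HWTSTAMP_FILTER_PTP_V2_L2_EVENT, HWTSTAMP_FILTER_PTP_V2_L2_SYNC,
	HWTSTAMP_FILTER_PTP_V2_L2_DELAY_REQ,
	HWTSTAMP_FILTER_PTP_V2_EVENT, HWTSTAMP_FILTER_PTP_V2_SYNC,
	HWTSTAMP_FILTER_PTP_V2_DELAY_REQ,
	HWTSTAMP_FILTER_NTP_ALL,
	HWTSTAMP_FILTER_COUNT_ /* not a kernel value; bounds the table below */
};

struct hwtstamp_config { int flags; int tx_type; int rx_filter; };

/* Packet classes (this example's model): per PTP version and transport,
 * Sync, Delay_Req and the remaining event messages, plus NTP and "anything". */
enum {
	V1_L4_SYNC = 1u << 0, V1_L4_DREQ = 1u << 1, V1_L4_OTHER = 1u << 2,
	V2_L4_SYNC = 1u << 3, V2_L4_DREQ = 1u << 4, V2_L4_OTHER = 1u << 5,
	V2_L2_SYNC = 1u << 6, V2_L2_DREQ = 1u << 7, V2_L2_OTHER = 1u << 8,
	NTP_PKTS   = 1u << 9, ANY_OTHER  = 1u << 10,
	EVERYTHING = (1u << 11) - 1,
};

static const uint32_t filter_mask[HWTSTAMP_FILTER_COUNT_] = {
	[HWTSTAMP_FILTER_NONE]                = 0,
	[HWTSTAMP_FILTER_ALL]                 = EVERYTHING,
	[HWTSTAMP_FILTER_SOME]                = 0, /* reported by drivers, never requested here */
	[HWTSTAMP_FILTER_PTP_V1_L4_EVENT]     = V1_L4_SYNC | V1_L4_DREQ | V1_L4_OTHER,
	[HWTSTAMP_FILTER_PTP_V1_L4_SYNC]      = V1_L4_SYNC,
	[HWTSTAMP_FILTER_PTP_V1_L4_DELAY_REQ] = V1_L4_DREQ,
	[HWTSTAMP_FILTER_PTP_V2_L4_EVENT]     = V2_L4_SYNC | V2_L4_DREQ | V2_L4_OTHER,
	[HWTSTAMP_FILTER_PTP_V2_L4_SYNC]      = V2_L4_SYNC,
	[HWTSTAMP_FILTER_PTP_V2_L4_DELAY_REQ] = V2_L4_DREQ,
	[HWTSTAMP_FILTER_PTP_V2_L2_EVENT]     = V2_L2_SYNC | V2_L2_DREQ | V2_L2_OTHER,
	[HWTSTAMP_FILTER_PTP_V2_L2_SYNC]      = V2_L2_SYNC,
	[HWTSTAMP_FILTER_PTP_V2_L2_DELAY_REQ] = V2_L2_DREQ,
	[HWTSTAMP_FILTER_PTP_V2_EVENT]        = V2_L4_SYNC | V2_L4_DREQ | V2_L4_OTHER |
	                                        V2_L2_SYNC | V2_L2_DREQ | V2_L2_OTHER,
	[HWTSTAMP_FILTER_PTP_V2_SYNC]         = V2_L4_SYNC | V2_L2_SYNC,
	[HWTSTAMP_FILTER_PTP_V2_DELAY_REQ]    = V2_L4_DREQ | V2_L2_DREQ,
	[HWTSTAMP_FILTER_NTP_ALL]             = NTP_PKTS,
};

static int filter_valid(int f)
{
	return f >= 0 && f < HWTSTAMP_FILTER_COUNT_ && f != HWTSTAMP_FILTER_SOME;
}

static int popcount32(uint32_t v)
{
	int n = 0;
	for (; v; v &= v - 1) n++;
	return n;
}

/* 1 if filter a timestamps every packet that filter b timestamps. */
int hwtstamp_filter_covers(int a, int b)
{
	if (!filter_valid(a) || !filter_valid(b)) return 0;
	return (filter_mask[a] & filter_mask[b]) == filter_mask[b];
}

/* Least filter covering both a and b: the smallest class set wins, ties go
 * to the lower enum value. Returns -1 on an invalid input. */
int hwtstamp_filter_join(int a, int b)
{
	uint32_t need;
	int f, best = -1;

	if (!filter_valid(a) || !filter_valid(b)) return -1;
	need = filter_mask[a] | filter_mask[b];
	for (f = 0; f < HWTSTAMP_FILTER_COUNT_; f++) {
		if (!filter_valid(f) || (filter_mask[f] & need) != need) continue;
		if (best < 0 || popcount32(filter_mask[f]) < popcount32(filter_mask[best]))
			best = f;
	}
	return best;
}

/* The rule from the thread: a request arriving through the virtual interface
 * may enable or widen timestamping but never narrow or disable what the real
 * device already has, so HWTSTAMP_FILTER_NONE and tx_type OFF are refused
 * once something is on. */
int hwtstamp_request_allowed(const struct hwtstamp_config *cur,
			     const struct hwtstamp_config *req)
{
	if (cur->tx_type != HWTSTAMP_TX_OFF && req->tx_type == HWTSTAMP_TX_OFF)
		return 0;
	return hwtstamp_filter_covers(req->rx_filter, cur->rx_filter);
}

int main(void)
{
	struct hwtstamp_config host = { 0, HWTSTAMP_TX_ON, HWTSTAMP_FILTER_PTP_V2_L4_SYNC };
	struct hwtstamp_config guest = { 0, HWTSTAMP_TX_ON, HWTSTAMP_FILTER_PTP_V2_L4_DELAY_REQ };

	/* Hangbin's case: SYNC and DELAY_REQ are incomparable, so the request is
	 * refused; the least filter serving both is PTP_V2_L4_EVENT. */
	printf("allowed=%d join=%d (PTP_V2_L4_EVENT=%d)\n",
	       hwtstamp_request_allowed(&host, &guest),
	       hwtstamp_filter_join(host.rx_filter, guest.rx_filter),
	       HWTSTAMP_FILTER_PTP_V2_L4_EVENT);
	return 0;
}
```

The join is what a macvlan would have to compute if it wanted to widen the real device's filter on behalf of a container instead of refusing: when the two filters share no common ancestor short of HWTSTAMP_FILTER_ALL (for instance PTP v1 and PTP v2 on L4), the only "more general" choice is timestamping everything, which is exactly the cost the thread worries about.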