On Sat, Dec 27, 2025 at 08:46:49PM -0700, Greg Dahlman wrote:
> **vsock exists in the global namespace** - Unlike "af_inet" sockets,
> vsock connections are not bound to a particular network namespace.
> By default they are visible to every namespace on the host.
Every address family in Linux needs to implement its own namespace
handling. In 2007, all existing address families got a check to only
allow the initial network namespace. af_vsock is newer and never got
this check.
Every point after the first one is just a result, not a cause.
So a fix would be something like that (untested, no time right now):
--- a/net/vmw_vsock/af_vsock.c
+++ b/net/vmw_vsock/af_vsock.c
@@ -2553,6 +2553,9 @@ static int vsock_create(struct net *net, struct socket
*sock,
if (protocol && protocol != PF_VSOCK)
return -EPROTONOSUPPORT;
+ if (!net_eq(net, &init_net))
+ return -EAFNOSUPPORT;
+
switch (sock->type) {
case SOCK_DGRAM:
sock->ops = &vsock_dgram_ops;
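Review bot: the `net_eq(net, &init_net)` check rejects socket creation for every non-initial namespace unconditionally, so any AF_VSOCK user inside a container with its own netns (not only listeners) will start getting EAFNOSUPPORT; that user-visible behaviour change should be called out in the commit message, and the patch should be tested before submission as the reply itself notes. Placing the check before the `switch (sock->type)` assigns `sock->ops` is the right spot, since nothing has been allocated yet and no cleanup path is needed.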
But I have a question: why do you name sshd, while every AF_VSOCK
listener is affected?
Bastian
--
Warp 7 -- It's a law we can live with.