Date: Wed, 18 Jul 2018 13:17:34 +0900 (KST)
Message-Id: <20180718.131734.1797450417729100374.davem@davemloft.net>
To: tyhicks@canonical.com
Cc: gregkh@linuxfoundation.org, tj@kernel.org, stephen@networkplumber.org, dmitry.torokhov@gmail.com, ebiederm@xmission.com, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, bridge@lists.linux-foundation.org, containers@lists.linux-foundation.org
Subject: Re: [PATCH v2 net-next 0/7] Make /sys/class/net per net namespace objects belong to container
From: David Miller
In-Reply-To: <1531497949-1766-1-git-send-email-tyhicks@canonical.com>
References: <1531497949-1766-1-git-send-email-tyhicks@canonical.com>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Tyler Hicks
Date: Fri, 13 Jul 2018 16:05:42 +0000

> I'm reviving this patch set because we would like this feature for
> system containers. One specific use case that we have is that libvirt is
> unable to configure its bridge device inside of a system container due
> to the bridge files in /sys/class/net/ being owned by init root instead
> of container root. The last two patches in this set are patches that
> I've added to Dmitry's original set to allow such configuration of the
> bridge device.
>
> Eric had previously provided feedback that he didn't favor these changes
> affecting all layers of the stack and that most of the changes could
> remain local to drivers/base/core.c. That feedback is certainly sensible
> but I wanted to send out v2 of the patch set without making that large
> of a change since quite a bit of time has passed and the bridge changes
> in the last patch of this set show that not all of the changes will be
> local to drivers/base/core.c. I'm happy to make the changes if the
> original request still stands.
>
> I've verified that all of the bridge related files affected by patch 7
> have proper access control checks for CAP_NET_ADMIN inside of the
> user namespace. I have *not* yet verified that all of the network
> device related sysfs files affected by patch 5 have proper access
> control checks. I was working under the assumption that those code paths
> already were verified when the first iteration of the patches was sent
> out.

Ok, I can't let this series rot forever, so I'll apply it to net-next.

Thank you.