Comment 2 for bug 1654676

Serge Hallyn (serge-hallyn) wrote :

Hi,

thanks for taking a close look at this. Indeed, this is one of the two pieces of unprivileged container startup which run with raised privilege, which we would much rather have running without. There may be better ways to structure this, and perhaps we should brainstorm and discuss them during the upcoming lxc hackfest before FOSDEM.

Going over lxc-user-nic as it stands now, the specific concern you raise *appears* to be addressed by the use of 'may_access_netns(pid)', which ensures that the caller is privileged over the network namespace being manipulated. If you see specific problems there, please let us know, but this should address exactly what is mentioned in this bug subject.

The other thing you mention is bad nic names. This *shouldn't* be an issue since the caller is privileged over his own network namespace (the target), so may confuse his tools however he likes; however, outside administrators may end up trying to look inside the container and get confused, so perhaps some sanity checks on special characters would be worthwhile. The main counterpoint to that is that the container admin could always just re-add the special characters later, so we're not really adding any security by preventing it at container startup.

I'm going to keep this bug open for now as we have this conversation. Thanks again.
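The "sanity checks on special characters" floated above, written out as an added example (this is not lxc-user-nic's code): the rules mirror the kernel's own `dev_valid_name()` limits on interface names (non-empty, shorter than IFNAMSIZ, not `.` or `..`, no `/`, `:` or whitespace), plus one stricter check that rejects non-printable bytes, which is the part aimed at not confusing an outside administrator rather than at security.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Same value as IFNAMSIZ in <net/if.h>: 15 usable bytes plus the NUL. */
#define NIC_NAME_MAX 16

/*
 * Return true if `name` is a sane network interface name.
 * The first four checks are the kernel's dev_valid_name() rules, so a
 * name failing them would be refused by the kernel anyway; the final
 * !isprint() check is stricter than the kernel and only exists so that
 * tools run by an administrator outside the container show a readable name.
 */
bool nic_name_is_sane(const char *name)
{
    if (name == NULL || *name == '\0')
        return false;                       /* empty */
    if (strnlen(name, NIC_NAME_MAX) == NIC_NAME_MAX)
        return false;                       /* too long for the kernel */
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return false;                       /* would collide in /sys/class/net */
    for (const char *p = name; *p != '\0'; p++) {
        unsigned char c = (unsigned char)*p;
        if (c == '/' || c == ':' || isspace(c))
            return false;                   /* kernel rejects these */
        if (!isprint(c))
            return false;                   /* stricter: control bytes */
    }
    return true;
}

int main(void)
{
    /* Constructed sample names, not taken from any real container. */
    const char *samples[] = { "eth0", "veth1a2b3c", "", ".", "eth 0",
                              "eth/0", "eth:0", "abcdefghijklmnop", "eth\x01" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-18s %s\n", samples[i],
               nic_name_is_sane(samples[i]) ? "ok" : "rejected");
    return 0;
}
```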