Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 496806 - net-misc/netifrc-0.1 / git-HEAD: _exists() depends on sysfs. lxc hates sysfs (due to security)
Summary: net-misc/netifrc-0.1 / git-HEAD: _exists() depends on sysfs. lxc ...
Alias: None
Product: Gentoo Hosted Projects
Classification: Unclassified
Component: OpenRC (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: netifrc Team
Whiteboard: netifrc:lxc netifrc:sysfs
Depends on:
Reported: 2014-01-02 21:41 UTC by Walter
Modified: 2024-03-03 22:01 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Walter 2014-01-02 21:41:20 UTC
The _exists function in checks sysfs to see whether or not an interface exists or not: [ -e /sys/class/net/"$IFACE" ]

This is still the case in the latest git HEAD:;a=blob;f=net/;h=b2203cbd1062c69803bce45cb0d82083bb60f32a;hb=HEAD

Unfortuantely, sysfs is the devil when it comes to LXC as best security practice is:
 (1) not to have it mounted, and
 (2) to deny the container the capacity to mount things itself

Therefore it would be pertinent for netifrc and OpenRC in general to find some way around depending upon sysfs for interface checks.

How about, leave the current code in place for normal cases, but first ... if [ ! -e /sys/class/net ]; ... implement these two as preferable methodologies to total failure:
 ifconfig <interface_name>
 ip link show <interface_name>

This should fix the current mode of failure (loud errors in openrc startup) and increase reliability to boot.
Comment 1 Walter 2014-01-02 21:49:59 UTC
OK so that worked .. a lot better .. but now it's hitting other sysfs available assumptions elsewhere. I really think these should be teased out of the code one by one.
Comment 2 Walter 2014-01-02 21:54:48 UTC
The assumption it hits is the very next function down, _ifindex, which apparently returns the highest numeric identifier currently assigned to an interface on the system.

This information does not appear to be available in ifconfig output, but is available with 'ip link show' output, ie:

 ip link show |grep '^[0-9]'|tail -n 1|cut -d ':' -f1
Comment 3 Mike Gilbert gentoo-dev 2014-01-02 21:59:49 UTC
Just a drive-by comment: This mailing list discussion indicates that user namespaces resolve the security problems with sysfs in a container. Those are in the mainline kernel since 3.8.
Comment 4 Walter 2014-01-02 22:11:29 UTC
Oh wow, that's interesting that there's an apparent fix upstream. I think quite some number of people including myself must have missed that.

Now... I guess if netifrc decides to keep sysfs deps due to the above, then I suppose sysfs is going to be a dep for gentoo running in containers.

What's the netifrc/openrc decision?

PS. Anyway, confirmed the change to use iproute2 for interface index capture at least visually resolves any errors in startup, so I would recommend bundling the two changes together.

Since the whole linux world is moving towards iproute2 anyway, it doesn't seem so bad to have this dependency. If the iproute2 dep is considered bad for some reason, then perhaps question why the interface index number is being used at all. I am guessing it's to track interfaces who are renamed between interface up and down? (Anyway, it doesn't feel super-shelly to use an integer to identify something... :)
Comment 5 Walter 2014-01-02 22:13:54 UTC
PS. Perhaps stating the obvious here, but it should probably be noted that we didn't see any errors with sysfs absent on earlier versions of OpenRC.
Comment 6 Walter 2014-01-02 23:40:30 UTC
Random further thought re: iproute2 ... might be worth testing with iproute2 proper but actually developing against the busybox implementation. I think Gentoo tends to rely on that for sandbox and some other stuff anyway, no?

On embedded platforms, where sysfs might be removed for space reasons (but which require IPv6 support and thus don't want to use ifconfig) this may be the optimal way forward, anyway.

I guess this whole thing boils down to:
 - what is netifrc/openrc presently depending on (clearly this now includes sysfs, but never used to)
 - is this declared explicitly someplace
 - is it perhaps worth considering changing the status quo to increase portability to more exotic environments? (no sysfs, non-linux kernels, embedded environments, etc.)
Comment 7 Mike Gilbert gentoo-dev 2014-01-03 05:39:04 UTC
(In reply to Walter from comment #2)
> The assumption it hits is the very next function down, _ifindex, which
> apparently returns the highest numeric identifier currently assigned to an
> interface on the system.

The only place the _ifindex function is used is to calculate an arbitrary routing metric. I'm not entirely sure how this is even useful; the TODO file even seems to indicate that it is flawed for whatever purpose it is supposed to serve.
Comment 8 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2016-10-24 22:46:49 UTC
no sysfs means:
- no bonding
- no bridge
- no ccwgroup (s390)
- no wireless (rf_kill)
- very difficult to seperate administrative state vs operational state vs lower-level state of interface

I think sysfs should stay as a preferred path, but i'll accept fallbacks to try alternative tools (just testing stuff in /sys is way faster than exec calls).

As for busybox iproute2, it should work.

The metric/_ifindex stuff does work for the majority of cases, it'll only problematic where your netifrc-managed interfaces are in rapid flux.