Re: Systemd vsock sshd

[Bastian Blank <bblank () thinkmo de>]

On Sat, Dec 27, 2025 at 08:46:49PM -0700, Greg Dahlman wrote:
>   **vsock exists in the global namespace** - Unlike "af_inet" sockets,
>   vsock connections are not bound to a particular network namespace.
>   By default they are visible to every namespace on the host.

Every address family in Linux needs to implement it's own namespace
handling.  In 2007, all existing address families got a check to only
allow the inital network namespace.  af_vsock is newer and never got
this check.

Every point after the first one is just a result, not a cause.

So a fix would be something like that (untested, no time right now):

--- a/net/vmw_vsock/af_vsock.c
+++ b/net/vmw_vsock/af_vsock.c
@@ -2553,6 +2553,9 @@ static int vsock_create(struct net *net, struct socket *sock,
         if (protocol && protocol != PF_VSOCK)
                 return -EPROTONOSUPPORT;
 
+        if (!net_eq(net, &init_net))
+                return -EAFNOSUPPORT;
+
         switch (sock->type) {
         case SOCK_DGRAM:
                 sock->ops = &vsock_dgram_ops;

But I have a question:  why do you name sshd, while every AF_VSOCK
listener is affected?

Bastian

-- 
Warp 7 -- It's a law we can live with.