lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Wed, 19 Sep 2007 10:34:58 +0200
From:	Patrick McHardy <kaber@...sh.net>
To:	Urs Thuermann <urs@...ogud.escape.de>
CC:	netdev@...r.kernel.org, David Miller <davem@...emloft.net>,
	Thomas Gleixner <tglx@...utronix.de>,
	Oliver Hartkopp <oliver@...tkopp.net>,
	Oliver Hartkopp <oliver.hartkopp@...kswagen.de>
Subject: Re: [PATCH 3/7] CAN: Add raw protocol

Urs Thuermann wrote:
> Patrick McHardy <kaber@...sh.net> writes:
> 
> 
>>>+config CAN_RAW_USER
>>>+	bool "Allow non-root users to access Raw CAN Protocol sockets"
>>>+	depends on CAN_RAW
>>
>>Would it be much more trouble for userspace to use capabilities for
>>this? This would allow userspace to always know what to expect, I
>>don't think distributions will enable this option (which might again
>>not matter since they're probably rarely used in cars :)).
> 
> 
> First, it's not only used in cars but also in other embedded and
> automation contexts :-)
> 
> In fact, we already check capabilities in af_can.c:can_create() like
> this
> 
>         if (cp->capability >= 0 && !capable(cp->capability))
>                 return -EPERM;
> 
> Each protocol implementation can set cp->capability to -1 so that all
> users can open sockets without any restriction or to some capability,
> typically CAP_NET_RAW.  In raw.c it is done so
> 
> 	#ifdef CONFIG_CAN_RAW_USER
> 	#define RAW_CAP (-1)
> 	#else
> 	#define RAW_CAP CAP_NET_RAW
> 	#endif
> 
> I also didn't love this configure option very much when we added it.
> But in embedded systems it is often not much of a problem to let
> anybody access raw sockets, since there are no "normal" users.  This
> is the reason for the configure option.  I haven't yet looked into
> capabilities and their inheritance between process in detail.	Would
> it be easy to let all user space run with CAP_NET_RAW?  What if some
> process calls setuid() or execve()s a set-uid program?  Will
> capabilities be retained?


If its in the inheritable set, I believe it is retained. I mainly
don't like it because I believe permission checks shouldn't depend
on config option, this makes it harder for userspace to know what
to expect. But keep it if you must.

>>>+static int raw_notifier(struct notifier_block *nb,
>>>+			unsigned long msg, void *data)
>>>+{
>>>+	struct net_device *dev = (struct net_device *)data;
>>>+	struct raw_sock *ro = container_of(nb, struct raw_sock, notifier);
>>>+	struct sock *sk = &ro->sk;
>>>+
>>>+	DBG("msg %ld for dev %p (%s idx %d) sk %p ro->ifindex %d\n",
>>>+	    msg, dev, dev->name, dev->ifindex, sk, ro->ifindex);
>>>+
>>>+	if (dev->nd_net != &init_net)
>>>+		return NOTIFY_DONE;
>>>+
>>>+	if (dev->type != ARPHRD_CAN)
>>>+		return NOTIFY_DONE;
>>>+
>>>+	if (ro->ifindex != dev->ifindex)
>>>+		return NOTIFY_DONE;
>>
>>
>>Wouldn't that be a BUG()?
> 
> 
> Would it?  I think there is only one netdev_chain, not one per
> device.  I.e. our raw_notifier() gets all events on any netdevice, not
> only the ones we're interested in, for example also eth0.  And I think
> we should silently ignore these events by returning NOTIFY_DONE.  Am I
> missing something here?


No, I misunderstood the code.
-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ