lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:	Mon, 30 Dec 2013 14:39:30 -0800
From:	JP Abgrall <jpa@...gle.com>
To:	valentina.giusti@...-carit.de
Cc:	netfilter-devel@...r.kernel.org, netdev@...r.kernel.org,
	eric.dumazet@...il.com, tgraf@...hat.com,
	Pablo Neira Ayuso <pablo@...filter.org>, davem@...emloft.net,
	daniel.wagner@...-carit.de
Subject: Re: [PATCH 0/2] Add UID/GID info to NFQUEUE

On Wed, Dec 18, 2013 at 10:04 AM,  <valentina.giusti@...-carit.de> wrote:
> At the Linux Plumbers Conference 2013, there have been quite interesting
> discussions on the topic of network statistics, and it was proposed that it
> would make more sense to use NFQUEUE for this purpose, letting therefore
> userspace use the UID/GID information for application-based statistics purposes.
> This way the UID and GID information of the incoming TCP and UDP traffic is not
> "wasted" and can be used for more refined statistics.

Some things to keep in mind when doing these changes...
For mobile devices, having the UID/GID is not sufficient when services
are involved (download manager, http service, ...).
Currently, Android's xt_qtaguid netfilter module supports the notion
of "delegation" which is achieved by having the service "tag" a socket
(tracked internally based on the struct sock address), via the file
descriptor, with a UID of who should be blamed for the statistics.
It would be nice if NFQUEUE presented/tracked some data related to the
socket that could be used to that effect.
This tagging of the socket needs to have the following properties:
 - a socket can stay open and be re-tagged (happens when pools are
used or when a stream can be used for multiple reasons).
 - a socket can be tagged with a different UID only if the current
UID/GID/pcap allows for it.
 - an app can have multiple sockets, each one belonging to different
UIDs (so no UID to UID mapping).
There are a few more, but those can be managed outside of the NFQUEUE changes.

Concerning the comment about TCP_TIMEWAIT in some other thread: the sk
is not a "struct sock" but "struct inet_timewait_sock" which is
missing fields. So beware when manipulating it. xt_qtaguid had to
ignore those struct sock.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ