| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 2 Mar 2015 23:11:28 +0200 From: Eyal Birger <eyal.birger@...il.com> To: David Miller <davem@...emloft.net> Cc: Florian Westphal <fw@...len.de>, Willem de Bruijn <willemb@...gle.com>, Eric Dumazet <edumazet@...gle.com>, Shmulik Ladkani <shmulik.ladkani@...il.com>, "netdev@...r.kernel.org" <netdev@...r.kernel.org> Subject: Re: [PATCH net-next v4 0/2] net: Introducing socket mark receive socket option On Mon, Mar 2, 2015 at 10:57 PM, David Miller <davem@...emloft.net> wrote: > From: Eyal Birger <eyal.birger@...il.com> > Date: Mon, 2 Mar 2015 22:38:50 +0200 > >> I can sum up the motivation for this feature as follows: >> >> - skb->mark is set by user-space policy. It would make sense for >> user-space to be >> able to query the resolution of that policy on a per packet basis - >> even if solely for the >> purpose of debugging (e.g. fetching this meta-data on packet sockets >> on the xmit path >> in order to debug tc behavior) > > It is also set by routing, netfilter, classifier rules installed by the > administrator. > > Therefore it is not universally true that it is safe to allow applications > to access this value. > > I'm not applying this series, it's use case is at best dubious to me and > there are security/protection concerns as well. I understand. Thanks. Would it be considered if access to the mark value was under CAP_NET_ADMIN similar to setting SO_MARK? -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists