Date: Sun, 1 Apr 2018 10:11:29 -0600
From: David Ahern <dsahern@...il.com>
To: Si-Wei Liu <si-wei.liu@...cle.com>, mst@...hat.com, jiri@...nulli.us, stephen@...workplumber.org, alexander.h.duyck@...el.com, davem@...emloft.net, jesse.brandeburg@...el.com, kubakici@...pl, jasowang@...hat.com, sridhar.samudrala@...el.com, netdev@...r.kernel.org, virtualization@...ts.linux-foundation.org, virtio-dev@...ts.oasis-open.org
Subject: Re: [RFC PATCH 2/3] netdev: kernel-only IFF_HIDDEN netdevice

On 4/1/18 3:13 AM, Si-Wei Liu wrote:
> A hidden netdevice is not visible to userspace, such that
> typical network utilities, e.g. ip, ifconfig et al.,
> cannot sense its existence or configure it. Internally a
> hidden netdev may associate with an upper-level netdev
> that userspace has access to. Although userspace cannot
> manipulate the lower netdev directly, the user may control
> or configure the underlying hidden device through the
> upper-level netdev. For identification purposes, the
> kobject for a hidden netdev is still present in the sysfs
> hierarchy; however, no uevent message will be generated
> when the sysfs entry is created, modified or destroyed.
>
> To that end, a separate namescope needs to be carved
> out for IFF_HIDDEN netdevs. As of now a netdev name that
> starts with a colon, i.e. ':', is invalid in userspace,
> since socket ioctls such as SIOCGIFCONF use ':' as the
> separator for ifname. The absent namescope starting
> with ':' can rightly be used as the namescope for
> the kernel-only IFF_HIDDEN netdevs.
>
> Signed-off-by: Si-Wei Liu <si-wei.liu@...cle.com>
> ---
>  include/linux/netdevice.h   |  12 ++
>  include/net/net_namespace.h |   2 +
>  net/core/dev.c              | 281 ++++++++++++++++++++++++++++++++++++++------
>  net/core/net_namespace.c    |   1 +
>  4 files changed, 263 insertions(+), 33 deletions(-)
>

There are other use cases that want to hide a device from userspace. I would prefer a better solution than playing games with name prefixes and one that includes an API for users to list all devices -- even ones hidden by default.

https://github.com/dsahern/linux/commit/48a80a00eac284e58bae04af10a5a932dd7aee00
https://github.com/dsahern/iproute2/commit/7563f5b26f5539960e99066e34a995d22ea908ed

Also, why are you suggesting that the device should still be visible via /sysfs? That leads to inconsistent views of networking state - /sys shows a device but a link dump does not.
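The name-prefix argument in the quoted commit message, as an added example (not code from the patch or the kernel): `userspace_valid_name` mirrors the checks dev_valid_name() in net/core/dev.c applies to names userspace may create, `is_hidden_name` is a hypothetical predicate for the proposed ':' namescope, and `split_alias` shows why a leading ':' cannot survive the `eth0:0` alias convention that ifconfig-style tools apply to SIOCGIFCONF output.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

#define IFNAMSIZ 16   /* same value as <linux/if.h> */

/* Hypothetical predicate for the kernel-only namescope the RFC proposes:
 * a name is hidden iff it begins with ':'. (Added example, not the patch.) */
static bool is_hidden_name(const char *name)
{
    return name != NULL && name[0] == ':';
}

/* Mirrors the rules dev_valid_name() enforces for userspace-created names:
 * non-empty, shorter than IFNAMSIZ, not "." or "..", and no '/', ':' or
 * whitespace anywhere. Any hidden (':'-prefixed) name therefore fails here,
 * which is what makes the prefix a disjoint namescope. */
static bool userspace_valid_name(const char *name)
{
    size_t len;
    if (name == NULL)
        return false;
    len = strlen(name);
    if (len == 0 || len >= IFNAMSIZ)
        return false;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return false;
    for (; *name; name++) {
        if (*name == '/' || *name == ':' || isspace((unsigned char)*name))
            return false;
    }
    return true;
}

/* Why ':' is reserved: SIOCGIFCONF-era tools report IP aliases as
 * "eth0:0" and split on the first ':' to recover the base device.
 * Copies the base name into out (outsz bytes) and returns the alias
 * suffix, or NULL when the name carries no alias. A ':'-prefixed name
 * collapses to an empty base name, so no userspace device could own it. */
static const char *split_alias(const char *ifname, char *out, size_t outsz)
{
    const char *colon = strchr(ifname, ':');
    size_t baselen = colon ? (size_t)(colon - ifname) : strlen(ifname);
    if (baselen >= outsz)
        baselen = outsz - 1;
    memcpy(out, ifname, baselen);
    out[baselen] = '\0';
    return colon ? colon + 1 : NULL;
}
```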