lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Sun, 1 Apr 2018 10:11:29 -0600
From:   David Ahern <dsahern@...il.com>
To:     Si-Wei Liu <si-wei.liu@...cle.com>, mst@...hat.com,
        jiri@...nulli.us, stephen@...workplumber.org,
        alexander.h.duyck@...el.com, davem@...emloft.net,
        jesse.brandeburg@...el.com, kubakici@...pl, jasowang@...hat.com,
        sridhar.samudrala@...el.com, netdev@...r.kernel.org,
        virtualization@...ts.linux-foundation.org,
        virtio-dev@...ts.oasis-open.org
Subject: Re: [RFC PATCH 2/3] netdev: kernel-only IFF_HIDDEN netdevice

On 4/1/18 3:13 AM, Si-Wei Liu wrote:
> Hidden netdevice is not visible to userspace such that
> typical network utilites e.g. ip, ifconfig and et al,
> cannot sense its existence or configure it. Internally
> hidden netdev may associate with an upper level netdev
> that userspace has access to. Although userspace cannot
> manipulate the lower netdev directly, user may control
> or configure the underlying hidden device through the
> upper-level netdev. For identification purpose, the
> kobject for hidden netdev still presents in the sysfs
> hierarchy, however, no uevent message will be generated
> when the sysfs entry is created, modified or destroyed.
> 
> For that end, a separate namescope needs to be carved
> out for IFF_HIDDEN netdevs. As of now netdev name that
> starts with colon i.e. ':' is invalid in userspace,
> since socket ioctls such as SIOCGIFCONF use ':' as the
> separator for ifname. The absence of namescope started
> with ':' can rightly be used as the namescope for
> the kernel-only IFF_HIDDEN netdevs.
> 
> Signed-off-by: Si-Wei Liu <si-wei.liu@...cle.com>
> ---
>  include/linux/netdevice.h   |  12 ++
>  include/net/net_namespace.h |   2 +
>  net/core/dev.c              | 281 ++++++++++++++++++++++++++++++++++++++------
>  net/core/net_namespace.c    |   1 +
>  4 files changed, 263 insertions(+), 33 deletions(-)
> 

There are other use cases that want to hide a device from userspace. I
would prefer a better solution than playing games with name prefixes and
one that includes an API for users to list all devices -- even ones
hidden by default.

https://github.com/dsahern/linux/commit/48a80a00eac284e58bae04af10a5a932dd7aee00

https://github.com/dsahern/iproute2/commit/7563f5b26f5539960e99066e34a995d22ea908ed

Also, why are you suggesting that the device should still be visible via
/sysfs? That leads to inconsistent views of networking state - /sys
shows a device but a link dump does not.

Powered by blists - more mailing lists