lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20241104081928.7e383c93@kernel.org>
Date: Mon, 4 Nov 2024 08:19:28 -0800
From: Jakub Kicinski <kuba@...nel.org>
To: Li Li <dualli@...omium.org>
Cc: dualli@...gle.com, corbet@....net, davem@...emloft.net,
 edumazet@...gle.com, pabeni@...hat.com, donald.hunter@...il.com,
 gregkh@...uxfoundation.org, arve@...roid.com, tkjos@...roid.com,
 maco@...roid.com, joel@...lfernandes.org, brauner@...nel.org,
 cmllamas@...gle.com, surenb@...gle.com, arnd@...db.de,
 masahiroy@...nel.org, bagasdotme@...il.com, horms@...nel.org,
 linux-kernel@...r.kernel.org, linux-doc@...r.kernel.org,
 netdev@...r.kernel.org, hridya@...gle.com, smoreland@...gle.com,
 kernel-team@...roid.com
Subject: Re: [PATCH net-next v7 2/2] binder: report txn errors via generic
 netlink

On Sun, 3 Nov 2024 22:25:44 -0800 Li Li wrote:
> > You're trying to register multiple families with different names?
> > The family defines the language / protocol. If you have multiple
> > entities to multiplex you should do that based on attributes inside
> > the messages.
> 
> My initial plan was to use a single "binder" family, which was more
> straightforward and cleaner. As Android uses multiple binder contexts
> to isolate system framework and vendor domains[1], Grek KH suggested
> the netlink messages from different binder contexts should also be
> isolated for security reason[2]. Personally I'm fine with either
> approach. Please kindly advice which implementation is better.
> 
> And I'll fix other issues you mentioned above.

Greg is obviously right, but using different family names will not help
you in any way. There is no action of "opening" a socket for a generic
netlink family, one generic netlink socket can talk to all families.
The only built in checking netlink provides is that you can declare 
an operation as requiring admin privileges, or network capability
(namespaced or global).

Unless those are good enough for you - I think you should do all 
the security isolation within your code, manually.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ