lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CANBPYPjo0KKm3JbPk=E8Nuv05i=EeR93PHWjSU8fcH-GVWV94w@mail.gmail.com>
Date: Mon, 4 Nov 2024 09:12:37 -0800
From: Li Li <dualli@...omium.org>
To: Jakub Kicinski <kuba@...nel.org>
Cc: dualli@...gle.com, corbet@....net, davem@...emloft.net, 
	edumazet@...gle.com, pabeni@...hat.com, donald.hunter@...il.com, 
	gregkh@...uxfoundation.org, arve@...roid.com, tkjos@...roid.com, 
	maco@...roid.com, joel@...lfernandes.org, brauner@...nel.org, 
	cmllamas@...gle.com, surenb@...gle.com, arnd@...db.de, masahiroy@...nel.org, 
	bagasdotme@...il.com, horms@...nel.org, linux-kernel@...r.kernel.org, 
	linux-doc@...r.kernel.org, netdev@...r.kernel.org, hridya@...gle.com, 
	smoreland@...gle.com, kernel-team@...roid.com
Subject: Re: [PATCH net-next v7 2/2] binder: report txn errors via generic netlink

On Mon, Nov 4, 2024 at 8:19 AM Jakub Kicinski <kuba@...nel.org> wrote:
>
> On Sun, 3 Nov 2024 22:25:44 -0800 Li Li wrote:
> > > You're trying to register multiple families with different names?
> > > The family defines the language / protocol. If you have multiple
> > > entities to multiplex you should do that based on attributes inside
> > > the messages.
> >
> > My initial plan was to use a single "binder" family, which was more
> > straightforward and cleaner. As Android uses multiple binder contexts
> > to isolate system framework and vendor domains[1], Grek KH suggested
> > the netlink messages from different binder contexts should also be
> > isolated for security reason[2]. Personally I'm fine with either
> > approach. Please kindly advice which implementation is better.
> >
> > And I'll fix other issues you mentioned above.
>
> Greg is obviously right, but using different family names will not help
> you in any way. There is no action of "opening" a socket for a generic
> netlink family, one generic netlink socket can talk to all families.
> The only built in checking netlink provides is that you can declare
> an operation as requiring admin privileges, or network capability
> (namespaced or global).
>
> Unless those are good enough for you - I think you should do all
> the security isolation within your code, manually.

That's why binder genl uses unicast instead of multicast. The administration
process of the OS (Android in this case) always runs before any other user
applications, which registers itself to the kernel binder driver and uses it
exclusively. With a unified family name, the same userspace admin process
has access to all binder contexts. With separate family names, each domain
admin process can register itself to the corresponding binder context.

So, do you think the current implementation of registering multiple families
with different names acceptable? Or is there a better way to do it? Thank
you very much!

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ