| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <46F0DF32.9020707@trash.net>
Date: Wed, 19 Sep 2007 10:34:58 +0200
From: Patrick McHardy <kaber@...sh.net>
To: Urs Thuermann <urs@...ogud.escape.de>
CC: netdev@...r.kernel.org, David Miller <davem@...emloft.net>,
Thomas Gleixner <tglx@...utronix.de>,
Oliver Hartkopp <oliver@...tkopp.net>,
Oliver Hartkopp <oliver.hartkopp@...kswagen.de>
Subject: Re: [PATCH 3/7] CAN: Add raw protocol
Urs Thuermann wrote:
> Patrick McHardy <kaber@...sh.net> writes:
>
>
>>>+config CAN_RAW_USER
>>>+ bool "Allow non-root users to access Raw CAN Protocol sockets"
>>>+ depends on CAN_RAW
>>
>>Would it be much more trouble for userspace to use capabilities for
>>this? This would allow userspace to always know what to expect, I
>>don't think distributions will enable this option (which might again
>>not matter since they're probably rarely used in cars :)).
>
>
> First, it's not only used in cars but also in other embedded and
> automation contexts :-)
>
> In fact, we already check capabilities in af_can.c:can_create() like
> this
>
> if (cp->capability >= 0 && !capable(cp->capability))
> return -EPERM;
>
> Each protocol implementation can set cp->capability to -1 so that all
> users can open sockets without any restriction or to some capability,
> typically CAP_NET_RAW. In raw.c it is done so
>
> #ifdef CONFIG_CAN_RAW_USER
> #define RAW_CAP (-1)
> #else
> #define RAW_CAP CAP_NET_RAW
> #endif
>
> I also didn't love this configure option very much when we added it.
> But in embedded systems it is often not much of a problem to let
> anybody access raw sockets, since there are no "normal" users. This
> is the reason for the configure option. I haven't yet looked into
> capabilities and their inheritance between process in detail. Would
> it be easy to let all user space run with CAP_NET_RAW? What if some
> process calls setuid() or execve()s a set-uid program? Will
> capabilities be retained?
If its in the inheritable set, I believe it is retained. I mainly
don't like it because I believe permission checks shouldn't depend
on config option, this makes it harder for userspace to know what
to expect. But keep it if you must.
>>>+static int raw_notifier(struct notifier_block *nb,
>>>+ unsigned long msg, void *data)
>>>+{
>>>+ struct net_device *dev = (struct net_device *)data;
>>>+ struct raw_sock *ro = container_of(nb, struct raw_sock, notifier);
>>>+ struct sock *sk = &ro->sk;
>>>+
>>>+ DBG("msg %ld for dev %p (%s idx %d) sk %p ro->ifindex %d\n",
>>>+ msg, dev, dev->name, dev->ifindex, sk, ro->ifindex);
>>>+
>>>+ if (dev->nd_net != &init_net)
>>>+ return NOTIFY_DONE;
>>>+
>>>+ if (dev->type != ARPHRD_CAN)
>>>+ return NOTIFY_DONE;
>>>+
>>>+ if (ro->ifindex != dev->ifindex)
>>>+ return NOTIFY_DONE;
>>
>>
>>Wouldn't that be a BUG()?
>
>
> Would it? I think there is only one netdev_chain, not one per
> device. I.e. our raw_notifier() gets all events on any netdevice, not
> only the ones we're interested in, for example also eth0. And I think
> we should silently ignore these events by returning NOTIFY_DONE. Am I
> missing something here?
No, I misunderstood the code.
-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists