Date:	Tue, 03 Nov 2009 15:15:52 -0500
From:	Eric Paris <eparis@...hat.com>
To:	netdev@...r.kernel.org
Cc:	nhorman@...hat.com, acme@...hat.com, dwalsh@...hat.com
Subject: CLONE_NEWNET requires CAP_NET_RAW (and the intended CAP_SYS_ADMIN)

We just saw today, because vsftpd just started using it by default, that
CLONE_NEWNET requires both the intended CAP_SYS_ADMIN (see
kernel/nsproxy.c::copy_namespace()) and the unintended CAP_NET_RAW.
This is because tcp_sk_init() calls inet_ctl_sock_create() with
SOCK_RAW.  Ultimately we end up in inet_create(), which sees that
answer->capability is equal to CAP_NET_RAW.  So now it checks
capable(CAP_NET_RAW).

What you will find is that the generic __sock_create() has an argument
"int kern" which is passed to the security server to bypass checks which
were caused by the kernel, not because of userspace.  That flag is not
passed down to the create() function in struct net_proto_family.  I
think the easiest solution is to add the kern argument to the
net_proto_family create function and pass it along to the security
system so it can make the right decision.

I also see that the whole capability checking in struct inet_protosw
(and can, dccp, and sctp) seems overly complicated.  Most of it (all but
inet) could just be deleted since they aren't doing anything.  Inet
could replace it with just a single if (SOCK_RAW), which makes the
security server changes very simple...

Did I explain my problem (I don't want to check CAP_NET_RAW)?  Do people
see an issue with me passing kern down to create?  Anyone have problems
with me ripping out the half-assed unused security infrastructure?

-Eric
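As an added example that is not part of Eric's mail or of the kernel source he refers to: a small probe that checks for the behaviour he describes by calling unshare(CLONE_NEWNET) once with full capabilities and once more after dropping only CAP_NET_RAW. It assumes Linux, must run as root (or at least with CAP_SYS_ADMIN) on the kernel under test, and the helper names are mine.

```c
// Added example: does CLONE_NEWNET need CAP_NET_RAW on this kernel?
// On a kernel with the behaviour described in the mail, the second
// unshare() below fails with EPERM even though CAP_SYS_ADMIN is kept.
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>

/* Drop one capability from our effective and permitted sets via the raw
   capget()/capset() syscalls (no libcap needed). Returns 0 or -errno. */
static int drop_cap(int cap)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    if (syscall(SYS_capget, &hdr, data) < 0)
        return -errno;
    data[cap / 32].effective &= ~(1u << (cap % 32));
    data[cap / 32].permitted &= ~(1u << (cap % 32));
    if (syscall(SYS_capset, &hdr, data) < 0)
        return -errno;
    return 0;
}

/* Try to enter a fresh network namespace. Returns 0 or -errno. */
static int try_newnet(void)
{
    return unshare(CLONE_NEWNET) == 0 ? 0 : -errno;
}

/* 1 = CAP_NET_RAW is required in addition to CAP_SYS_ADMIN,
   0 = it is not, negative = -errno, the probe could not run
   (typically -EPERM when not started as root). */
int probe_newnet_needs_net_raw(void)
{
    int rc = try_newnet();       /* baseline: all capabilities present */
    if (rc != 0)
        return rc;
    rc = drop_cap(CAP_NET_RAW);  /* keep CAP_SYS_ADMIN, lose CAP_NET_RAW */
    if (rc != 0)
        return rc;
    return try_newnet() == -EPERM ? 1 : 0;
}

int main(void)
{
    int r = probe_newnet_needs_net_raw();
    if (r < 0)
        printf("probe failed: %s\n", strerror(-r));
    else
        printf("CLONE_NEWNET %s CAP_NET_RAW\n", r ? "requires" : "does not require");
    return 0;
}
```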
