lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Mon, 23 Aug 2010 16:42:15 +0300
From:	Luciano Coelho <luciano.coelho@...ia.com>
To:	ext Changli Gao <xiaosuo@...il.com>
Cc:	"kaber@...sh.net" <kaber@...sh.net>,
	"netfilter-devel@...r.kernel.org" <netfilter-devel@...r.kernel.org>,
	"netdev@...r.kernel.org" <netdev@...r.kernel.org>,
	James Morris <jmorris@...ei.org>,
	"linux-security-module@...r.kernel.org" 
	<linux-security-module@...r.kernel.org>
Subject: Re: [PATCH] netfilter: xt_condition: add security capability
 support

On Mon, 2010-08-23 at 15:37 +0200, ext Changli Gao wrote:
> On Mon, Aug 23, 2010 at 8:50 PM,  <luciano.coelho@...ia.com> wrote:
> > From: Luciano Coelho <luciano.coelho@...ia.com>
> >
> > Add a module parameter that allows the required security capability to
> > change the conditions from userspace to be specified.  By default the
> > module will require the CAP_NET_ADMIN capability.
> >
> > Signed-off-by: Luciano Coelho <luciano.coelho@...ia.com>
> > ---
> >  net/netfilter/xt_condition.c |   10 ++++++++++
> >  1 files changed, 10 insertions(+), 0 deletions(-)
> >
> > diff --git a/net/netfilter/xt_condition.c b/net/netfilter/xt_condition.c
> > index 06205aa..fd279e5 100644
> > --- a/net/netfilter/xt_condition.c
> > +++ b/net/netfilter/xt_condition.c
> > @@ -29,11 +29,13 @@
> >  #include <linux/netfilter/xt_condition.h>
> >  #include <net/netns/generic.h>
> >  #include <asm/uaccess.h>
> > +#include <linux/capability.h>
> >
> >  /* Defaults, these can be overridden on the module command-line. */
> >  static unsigned int condition_list_perms = S_IRUGO | S_IWUSR;
> >  static unsigned int condition_uid_perms = 0;
> >  static unsigned int condition_gid_perms = 0;
> > +static unsigned int condition_capabilities = CAP_NET_ADMIN;
> >
> >  MODULE_AUTHOR("Stephane Ouellette <ouellettes@...eotron.ca>");
> >  MODULE_AUTHOR("Massimiliano Hofer <max@...leus.it>");
> > @@ -47,6 +49,8 @@ module_param(condition_uid_perms, uint, S_IRUSR | S_IWUSR);
> >  MODULE_PARM_DESC(condition_uid_perms, "default user owner of /proc/net/nf_condition/* files");
> >  module_param(condition_gid_perms, uint, S_IRUSR | S_IWUSR);
> >  MODULE_PARM_DESC(condition_gid_perms, "default group owner of /proc/net/nf_condition/* files");
> > +module_param(condition_capabilities, uint, CAP_NET_ADMIN);
> > +MODULE_PARM_DESC(condition_capabilities, "default capabilities required to change /proc/net/nf_condition/* files");
> 
> It is strange that we set security policy in this way. Maybe the
> permission of the proc file is enough in this case.

Yes, that is another way to do it.  But in our device we use security
capabilities more extensively than normal file permissions.  That's why
we need this.

If this is too restrictive (ie. having CAP_NET_ADMIN) for most users, we
could change the default value to no capabilities needed.  Then we can
set CAP_NET_ADMIN when loading the module.


-- 
Cheers,
Luca.

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ