Message-ID: <20110412050659.GA14129@openwall.com>
Date:	Tue, 12 Apr 2011 09:06:59 +0400
From:	Solar Designer <solar@...nwall.com>
To:	Vasiliy Kulikov <segoon@...nwall.com>
Cc:	linux-kernel@...r.kernel.org, netdev@...r.kernel.org,
	Pavel Kankovsky <peak@...o.troja.mff.cuni.cz>,
	Kees Cook <kees.cook@...onical.com>,
	Dan Rosenberg <dan.j.rosenberg@...il.com>,
	Eugene Teo <eugene@...hat.com>,
	Nelson Elhage <nelhage@...lice.com>,
	"David S. Miller" <davem@...emloft.net>,
	Alexey Kuznetsov <kuznet@....inr.ac.ru>,
	Pekka Savola <pekkas@...core.fi>,
	James Morris <jmorris@...ei.org>,
	Hideaki YOSHIFUJI <yoshfuji@...ux-ipv6.org>,
	Patrick McHardy <kaber@...sh.net>
Subject: Re: [PATCH] net: ipv4: add IPPROTO_ICMP socket kind

On Sat, Apr 09, 2011 at 02:15:14PM +0400, Vasiliy Kulikov wrote:
> This patch adds IPPROTO_ICMP socket kind.  It makes it possible to send
> ICMP_ECHO messages and receive the corresponding ICMP_ECHOREPLY messages
> without any special privileges.  In other words, the patch makes it
> possible to implement setuid-less and CAP_NET_RAW-less /bin/ping.  In
> order not to increase the kernel's attack surface (in case of
> vulnerabilities in the newly added code), the new functionality is
> disabled by default, but is enabled at bootup by supporting Linux
> distributions, optionally with restriction to a group or a group range
...
> For Openwall GNU/*/Linux it is the last step on the road to the
> setuid-less distro.

More correctly, it _was_ the last step - we've already taken it, so a
revision of the patch (against OpenVZ/RHEL5 kernels) is currently in use.

We would really like this accepted into mainline, which is why Vasiliy
spends extra effort to keep the patch updated to current mainline
kernels and re-test it.  If there are any comments/concerns/objections,
we'd be happy to hear those.

> Signed-off-by: Vasiliy Kulikov <segoon@...nwall.com>

Acked-by: Solar Designer <solar@...nwall.com>

>  include/net/netns/ipv4.h   |    2 +
>  include/net/ping.h         |   69 ++++
>  net/ipv4/Kconfig           |   21 +
>  net/ipv4/Makefile          |    1 +
>  net/ipv4/af_inet.c         |   36 ++
>  net/ipv4/icmp.c            |   14 +-
>  net/ipv4/ping.c            |  933 ++++++++++++++++++++++++++++++++++++++++++++
>  net/ipv4/sysctl_net_ipv4.c |   90 +++++
>  8 files changed, 1165 insertions(+), 1 deletions(-)

Thanks,

Alexander
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
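The quoted patch description explains the new socket kind in prose only. The following C program is an added example, not part of the patch or of this thread, showing how a setuid-less ping would use it: it opens an AF_INET/SOCK_DGRAM/IPPROTO_ICMP socket, builds an ICMP_ECHO datagram with an RFC 1071 checksum, and validates the ICMP_ECHOREPLY that comes back. It assumes the behaviour of the mainline version of this feature: the kernel accepts only type ICMP_ECHO with code 0, overwrites the identifier field with the socket's own id, and hands received datagrams to userspace starting at the ICMP header rather than the IP header. The loopback target, payload and sequence number are constructed for the demo. The socket() call fails with EACCES for a caller whose group is outside the range the distribution configured (net.ipv4.ping_group_range in mainline), which is exactly the gate the patch description refers to.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <netinet/ip_icmp.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

#define ICMP_HDR_LEN 8

/* RFC 1071 one's-complement checksum; returns the value in network byte order.
 * Run over a datagram whose checksum field is already filled in, it returns 0. */
uint16_t icmp_checksum(const void *data, size_t len)
{
    const uint8_t *p = data;
    uint32_t sum = 0;

    while (len > 1) {
        sum += (uint32_t)((p[0] << 8) | p[1]);
        p += 2;
        len -= 2;
    }
    if (len)                      /* odd trailing byte is padded with zero */
        sum += (uint32_t)(p[0] << 8);
    while (sum >> 16)             /* fold carries back into the low 16 bits */
        sum = (sum & 0xffff) + (sum >> 16);
    return htons((uint16_t)~sum);
}

/* Build an ICMP_ECHO datagram (8-byte header + payload) into buf.
 * Returns the datagram length, or 0 if buf is too small. */
size_t build_echo_request(uint8_t *buf, size_t buflen, uint16_t seq,
                          const uint8_t *payload, size_t plen)
{
    size_t total = ICMP_HDR_LEN + plen;
    uint16_t sum;

    if (total > buflen)
        return 0;
    buf[0] = ICMP_ECHO;           /* type 8: the only type accepted on this socket (assumption) */
    buf[1] = 0;                   /* code must be 0 */
    buf[2] = buf[3] = 0;          /* checksum, filled in below */
    buf[4] = buf[5] = 0;          /* identifier: kernel overwrites it with the socket id (assumption) */
    buf[6] = (uint8_t)(seq >> 8);
    buf[7] = (uint8_t)seq;
    memcpy(buf + ICMP_HDR_LEN, payload, plen);
    sum = icmp_checksum(buf, total);
    memcpy(buf + 2, &sum, sizeof sum);
    return total;
}

/* Check a datagram read from the socket: it must be an ICMP_ECHOREPLY with
 * code 0 and a valid checksum. Stores the sequence number and returns 1 on
 * success, 0 otherwise. */
int parse_echo_reply(const uint8_t *buf, size_t len, uint16_t *seq)
{
    if (len < ICMP_HDR_LEN)
        return 0;
    if (buf[0] != ICMP_ECHOREPLY || buf[1] != 0)
        return 0;
    if (icmp_checksum(buf, len) != 0)
        return 0;
    *seq = (uint16_t)((buf[6] << 8) | buf[7]);
    return 1;
}

int main(void)
{
    static const uint8_t payload[] = "ping-socket-demo";   /* constructed payload */
    uint8_t buf[128];
    struct sockaddr_in dst = { 0 }, src;
    socklen_t slen = sizeof src;
    struct timeval tv = { 2, 0 };
    ssize_t n;
    uint16_t seq;
    size_t len;
    int fd;

    /* No CAP_NET_RAW needed; EACCES here means the caller's group is outside the configured range. */
    fd = socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP);
    if (fd < 0) {
        perror("socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP)");
        return 1;
    }
    setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv);

    dst.sin_family = AF_INET;
    inet_pton(AF_INET, "127.0.0.1", &dst.sin_addr);   /* loopback target for the demo */

    len = build_echo_request(buf, sizeof buf, 1, payload, sizeof payload - 1);
    if (sendto(fd, buf, len, 0, (struct sockaddr *)&dst, sizeof dst) < 0) {
        perror("sendto");
        return 1;
    }

    /* The reply arrives starting at the ICMP header; there is no IP header to skip (assumption). */
    n = recvfrom(fd, buf, sizeof buf, 0, (struct sockaddr *)&src, &slen);
    if (n < 0) {
        perror("recvfrom");
        return 1;
    }
    if (parse_echo_reply(buf, (size_t)n, &seq))
        printf("echo reply seq=%u from %s, %zd bytes\n", seq, inet_ntoa(src.sin_addr), n);
    else
        printf("received %zd bytes that are not a valid echo reply\n", n);
    close(fd);
    return 0;
}
```

Compile and run it as an unprivileged user: whether socket() succeeds shows directly whether the distribution has opened the group range to that user, and the program never needs a setuid bit or a file capability to get its reply.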
