| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 6 Dec 2012 22:57:16 +0200 From: "Michael S. Tsirkin" <mst@...hat.com> To: Paul Moore <pmoore@...hat.com> Cc: netdev@...r.kernel.org, linux-security-module@...r.kernel.org, selinux@...ho.nsa.gov, jasowang@...hat.com Subject: Re: [RFC PATCH v2 3/3] tun: fix LSM/SELinux labeling of tun/tap devices On Thu, Dec 06, 2012 at 11:56:45AM -0500, Paul Moore wrote: > The SETQUEUE/tun_socket:create_queue permissions do not yet exist in any > released SELinux policy as we are just now adding them with this patchset. > With current policies loaded into a kernel with this patchset applied the > SETQUEUE/tun_socket:create_queue permission would be treated according to the > policy's unknown permission setting. OK I think we need to rethink what we are doing here: what you sent addresses the problem as stated but I think we mis-stated it. Let me try to restate the problem: it is not just selinux problem. Let's assume qemu wants to use tun, I (libvirt) don't want to run it as root. 1. TUNSETIFF: I can open tun, attach an fd and pass it to qemu. Now, qemu does not invoke TUNSETIFF so it can run without kernel priveledges. 2. TUNSETQUEUE - I can open tun and attach a queue but this is not what is needed since this automatically switches to multiqueue mode - we want to change number of queues on the fly. So qemu needs to be allowed to run TUNSETQUEUE. Since this checks tun_not_capable(tun) we would need to give qemu these priveledges, and we want to avoid this (I can go into why if it's not obvious). How can we slove this? I don't see a way without extending the interface. Here's a simple way to extend it: pass a flag to TUNSETQUEUE that enables/disables TX on this queue. If TX is disabled, ignore this queue for flow steering decisions. Allow TUNSETQUEUE for a non priveledged user if it it already bound to the currect tun and only changes this flag. Now I open tun and SETQUEUE with TX disabled flag. Pass it to qemu. qemu calls SETQUEUE with TX enabled flag. Jason? Want to try implementing and see what people think? > -- > paul moore > security and virtualization @ redhat -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists